diff options
Diffstat (limited to 'docs/smbdotconf/security')
| -rw-r--r-- | docs/smbdotconf/security/createmask.xml | 40 | ||||
| -rw-r--r-- | docs/smbdotconf/security/directorymask.xml | 2 | ||||
| -rw-r--r-- | docs/smbdotconf/security/directorysecuritymask.xml | 11 | ||||
| -rw-r--r-- | docs/smbdotconf/security/forcedirectorysecuritymode.xml | 46 | ||||
| -rw-r--r-- | docs/smbdotconf/security/forcesecuritymode.xml | 40 | ||||
| -rw-r--r-- | docs/smbdotconf/security/securitymask.xml | 36 |
6 files changed, 100 insertions, 75 deletions
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml index 7f9f93caaa..cf6864c78e 100644 --- a/docs/smbdotconf/security/createmask.xml +++ b/docs/smbdotconf/security/createmask.xml @@ -5,27 +5,33 @@ <synonym>create mode</synonym> <description> - <para>When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> - set here will be removed from the modes set on a file when it is - created.</para> + <para> + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will + be removed from the modes set on a file when it is created. + </para> - <para>The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes.</para> + <para> + The default value of this parameter removes the <literal>group</literal> and <literal>other</literal> + write and execute bits from the UNIX modes. + </para> - <para>Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the <smbconfoption name="force create mode"/> - parameter which is set to 000 by default.</para> + <para> + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + <smbconfoption name="force create mode"/> parameter which is set to 000 by default. + </para> - <para>This parameter does not affect directory modes. See the - parameter <smbconfoption name="directory mode"/> for details.</para> + <para> + This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/> + for details. + </para> - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para> + <para> + Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption + name="security mask"/>. + </para> </description> <related>force create mode</related> diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml index 414239bcff..7b67f79214 100644 --- a/docs/smbdotconf/security/directorymask.xml +++ b/docs/smbdotconf/security/directorymask.xml @@ -30,7 +30,7 @@ </description> <related>force directory mode</related> -<related>create mode</related> +<related>create mask</related> <related>directory security mask</related> <related>inherit permissions</related> <value type="default">0755</value> diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml index 5511cd1700..a16f275698 100644 --- a/docs/smbdotconf/security/directorysecuritymask.xml +++ b/docs/smbdotconf/security/directorysecuritymask.xml @@ -8,11 +8,12 @@ permission on a directory using the native NT security dialog box.</para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + directory security mode"/>, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> <para>If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml index 184337ba69..2c15ec2753 100644 --- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml @@ -3,25 +3,33 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions.</para> - - <note><para>Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000.</para></note> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </para> + + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </para> + + <para> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). + </para> + + <para> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </para> + + <note><para> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </para></note> </description> diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml index 98de6fa401..7451ef91ae 100644 --- a/docs/smbdotconf/security/forcesecuritymode.xml +++ b/docs/smbdotconf/security/forcesecuritymode.xml @@ -3,26 +3,32 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'.</para> + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="security mask"/>, which works similar like this one but uses logical AND instead of OR. + </para> - <para>If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions.</para> + <para> + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + </para> + + <para> + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + </para> - <para><emphasis>Note</emphasis> that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. + </para> </description> diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml index de3dd29753..d41d6bddae 100644 --- a/docs/smbdotconf/security/securitymask.xml +++ b/docs/smbdotconf/security/securitymask.xml @@ -3,26 +3,30 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. + </para> - <para>If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. + <para> + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> + + <para> + If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. </para> - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to <constant>0777</constant>.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to <constant>0777</constant>. + </para> </description> <related>force directory security mode</related> |