Diffstat (limited to 'docs/smbdotconf')
-rw-r--r-- | docs/smbdotconf/logon/logonscript.xml | 48
-rw-r--r-- | docs/smbdotconf/security/createmask.xml | 40
-rw-r--r-- | docs/smbdotconf/security/directorymask.xml | 2
-rw-r--r-- | docs/smbdotconf/security/directorysecuritymask.xml | 11
-rw-r--r-- | docs/smbdotconf/security/forcedirectorysecuritymode.xml | 46
-rw-r--r-- | docs/smbdotconf/security/forcesecuritymode.xml | 40
-rw-r--r-- | docs/smbdotconf/security/securitymask.xml | 36
7 files changed, 127 insertions, 96 deletions
diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml index 847896e1ce..13ce9a0c03 100644 --- a/docs/smbdotconf/logon/logonscript.xml +++ b/docs/smbdotconf/logon/logonscript.xml @@ -4,14 +4,15 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter specifies the batch file (.bat) or - NT command file (.cmd) to be downloaded and run on a machine when - a user successfully logs in. The file must contain the DOS - style CR/LF line endings. Using a DOS-style editor to create the - file is recommended.</para> + <para> + This parameter specifies the batch file (<filename>.bat</filename>) or NT command file + (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + </para> - <para>The script must be a relative path to the [netlogon] - service. If the [netlogon] service specifies a <smbconfoption name="path"/> of <filename + <para> + The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon] + service specifies a <smbconfoption name="path"/> of <filename moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is: <screen> 
@@ -19,23 +20,28 @@ </screen> </para> - <para>The contents of the batch file are entirely your choice. A - suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET - /YES</command>, to force every machine to synchronize clocks with - the same time server. Another use would be to add <command moreinfo="none">NET USE - U: \\SERVER\UTILS</command> for commonly used utilities, or <screen> - <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para> + <para> + The contents of the batch file are entirely your choice. A suggested command would be to add <command + moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the + same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command> + for commonly used utilities, or <screen> <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for + example. + </para> - <para>Note that it is particularly important not to allow write - access to the [netlogon] share, or to grant users write permission - on the batch files in a secure environment, as this would allow - the batch files to be arbitrarily modified and security to be - breached.</para> + <para> + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + </para> - <para>This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine.</para> + <para> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + </para> - <para>This option is only useful if Samba is set up as a logon server.</para> + <para> + This option is only useful if Samba is set up as a logon server. 
+ </para> </description> <value type="default"></value> <value type="example">scripts\%U.bat</value> diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml index 7f9f93caaa..cf6864c78e 100644 --- a/docs/smbdotconf/security/createmask.xml +++ b/docs/smbdotconf/security/createmask.xml 
@@ -5,27 +5,33 @@ <synonym>create mode</synonym> <description> - <para>When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> - set here will be removed from the modes set on a file when it is - created.</para> + <para> + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will + be removed from the modes set on a file when it is created. + </para> - <para>The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes.</para> + <para> + The default value of this parameter removes the <literal>group</literal> and <literal>other</literal> + write and execute bits from the UNIX modes. + </para> - <para>Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the <smbconfoption name="force create mode"/> - parameter which is set to 000 by default.</para> + <para> + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + <smbconfoption name="force create mode"/> parameter which is set to 000 by default. + </para> - <para>This parameter does not affect directory modes. See the - parameter <smbconfoption name="directory mode"/> for details.</para> + <para> + This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/> + for details. + </para> - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. 
If the administrator wishes to enforce - a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para> + <para> + Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption + name="security mask"/>. + </para> </description> <related>force create mode</related> diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml index 414239bcff..7b67f79214 100644 --- a/docs/smbdotconf/security/directorymask.xml +++ b/docs/smbdotconf/security/directorymask.xml @@ -30,7 +30,7 @@ </description> <related>force directory mode</related> -<related>create mode</related> +<related>create mask</related> <related>directory security mask</related> <related>inherit permissions</related> <value type="default">0755</value> diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml index 5511cd1700..a16f275698 100644 --- a/docs/smbdotconf/security/directorysecuritymask.xml +++ b/docs/smbdotconf/security/directorysecuritymask.xml 
@@ -8,11 +8,12 @@ permission on a directory using the native NT security dialog box.</para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + directory security mode"/>, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> <para>If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml index 184337ba69..2c15ec2753 100644 --- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -3,25 +3,33 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions.</para> - - <note><para>Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000.</para></note> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </para> + + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </para> + + <para> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). 
+ </para> + + <para> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </para> + + <note><para> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </para></note> </description> diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml index 98de6fa401..7451ef91ae 100644 --- a/docs/smbdotconf/security/forcesecuritymode.xml +++ b/docs/smbdotconf/security/forcesecuritymode.xml 
@@ -3,26 +3,32 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'.</para> + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="security mask"/>, which works similar like this one but uses logical AND instead of OR. + </para> - <para>If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions.</para> + <para> + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + </para> + + <para> + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + </para> - <para><emphasis>Note</emphasis> that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. 
- Administrators of most normal systems will probably want to leave - this set to 0000.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. + </para> </description> diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml index de3dd29753..d41d6bddae 100644 --- a/docs/smbdotconf/security/securitymask.xml +++ b/docs/smbdotconf/security/securitymask.xml 
@@ -3,26 +3,30 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. + </para> - <para>If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. + <para> + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> + + <para> + If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. </para> - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. 
Administrators of most normal systems will - probably want to leave it set to <constant>0777</constant>.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to <constant>0777</constant>. + </para> </description> <related>force directory security mode</related> |