From 1856f7a0f5cd1563b4b1abd42e8c0e5c3514ecc9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 19 Aug 2005 16:40:15 +0000
Subject: Added "acl group control" docs. Jeremy. (This used to be commit
 54bb01f1d468d49a134dd8792540d756b6a7e0a2)

---
 docs/smbdotconf/security/aclgroupcontrol.xml | 47 ++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docs/smbdotconf/security/aclgroupcontrol.xml

diff --git a/docs/smbdotconf/security/aclgroupcontrol.xml b/docs/smbdotconf/security/aclgroupcontrol.xml
new file mode 100644
index 0000000000..9def482061
--- /dev/null
+++ b/docs/smbdotconf/security/aclgroupcontrol.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="acl group control"
+                 context="S"
+		 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
+	and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
+	<emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs
+	on that file.
+	</para>
+	<para>
+	On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
+	that group to modify the permissions on it. This allows the delegation of security controls
+	on a point in the filesystem to the group owner of a directory and anything below it also owned
+	by that group. This means there are multiple people with permissions to modify ACLs on a file
+	or directory, easing managability.
+	</para>
+	<para>
+	This parameter allows Samba to also permit delegation of the control over a point in the exported
+	directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to
+	control the permissions on a file or directory they have group ownership on.
+	</para>
+
+	<para>
+	This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
+	on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> bit set
+	on them, which causes new files and directories created within it to inherit the group
+	ownership from the containing directory. 
+	</para>
+
+	<para>
+	This is a new parameter introduced in Samba 3.0.20.
+	</para>
+
+	<para>
+	This can be particularly useful to allow groups to manage their own security on a part
+	of the filesystem they have group ownership of, removing the bottleneck of having only
+	the user owner or superuser able to reset permissions.
+	</para>
+</description>
+
+<related>inherit owner</related>
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>
-- 
cgit