From db62a159b8833a4f1aee0c9733fd263b6d239d53 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 3 Oct 2012 16:04:18 -0700 Subject: Remove the parameters: security mask force security mode directory security mask force directory security mode and update the docs. --- docs-xml/smbdotconf/security/createmask.xml | 5 ++- docs-xml/smbdotconf/security/directorymask.xml | 8 ++--- .../smbdotconf/security/directorysecuritymask.xml | 32 ++---------------- docs-xml/smbdotconf/security/forcecreatemode.xml | 6 ++++ .../smbdotconf/security/forcedirectorymode.xml | 6 ++++ .../security/forcedirectorysecuritymode.xml | 38 +++------------------- docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 +++------------------- docs-xml/smbdotconf/security/securitymask.xml | 33 ++----------------- examples/scripts/shares/python/smbparm.py | 4 --- lib/param/param_functions.c | 4 --- lib/param/param_table.c | 36 -------------------- source3/include/proto.h | 4 --- source3/param/loadparm.c | 4 --- 13 files changed, 33 insertions(+), 185 deletions(-) diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c78e..59e208dccd 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the . + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79214..2ebfc16d14 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml 
@@ -24,14 +24,14 @@ created from this parameter with the value of the parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the . + + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + force directory mode create mask -directory security mask inherit permissions 0755 0775 diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml index 5ed85ae3f8..0bd5d9327d 100644 --- a/docs-xml/smbdotconf/security/directorysecuritymask.xml +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml 
@@ -3,37 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on directories. - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. -force directory security mode -security mask -force security mode -0777 -0700 diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c105..5a57a294af 100644 --- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml 
@@ -10,6 +10,12 @@ mode after the mask set in the create mask parameter is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed force security mode. + + The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e399..e5b37ea611 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter directory mask is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed force directory security mode. + + The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml index 2c15ec2753..01e5fe9a2a 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -4,40 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works in a similar manner to this one, but uses a logical AND instead - of an OR. - - - - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - - - - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - - - - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - - - -0 -700 - -directory security mask -security mask -force security mode - diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml index 7451ef91ae..b6713b10b0 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml 
@@ -4,38 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works similar like this one but uses logical AND instead of OR. - - - - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - - - - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + - -0 -700 - -force directory security mode -directory security mask -security mask diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml index 23bc2808db..d1e78bedfd 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml +++ b/docs-xml/smbdotconf/security/securitymask.xml 
@@ -4,36 +4,9 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works in a manner similar to this one but uses a logical OR instead of an AND. - - - - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on files. - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to 0777. - - -force directory security mode -directory security mask -force security mode - -0777 -0770 diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py index 8dca781ffc..f0bc1ecb89 100644 --- a/examples/scripts/shares/python/smbparm.py +++ b/examples/scripts/shares/python/smbparm.py 
@@ -89,7 +89,6 @@ parm_table = {
 "ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
 "WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
 "MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
 "VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
 "CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
 "DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
@@ -102,7 +101,6 @@ parm_table = {
 "DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
 "LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
 "WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
 "ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
 "PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
 "MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
@@ -147,7 +145,6 @@ parm_table = {
 "LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
 "LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
 "LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
 "LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
 "NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
 "LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
@@ -184,7 +181,6 @@ parm_table = {
 "POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
 "INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
 "ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
 "ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
 "USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
 "MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index ce2f671d73..d5cd0181c5 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
 FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
 FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
 FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
 FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
 FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
 FN_LOCAL_INTEGER(printing, iPrinting)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 325f295342..01f65fef97 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -956,24 +956,6 @@ static struct parm_struct parm_table[] = {
 .enum_list = NULL,
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
- {
- .label = "security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
 {
 .label = "directory mask",
 .type = P_OCTAL,
@@ -1001,24 +983,6 @@ static struct parm_struct parm_table[] = {
 .enum_list = NULL,
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
- {
- .label = "directory security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force directory security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
 {
 .label = "force unknown acl user",
 .type = P_BOOL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a914..ac3d205100 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
 bool lp_durable_handles(int);
 int lp_create_mask(int );
 int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
 int lp_dir_mask(int );
 int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
 int lp_max_connections(int );
 int lp_defaultcase(int );
 int lp_minprintspace(int );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce9d2..42bf11d4bc 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
 .iWriteCacheSize = 0,
 .iCreate_mask = 0744,
 .iCreate_force_mode = 0,
- .iSecurity_mask = 0777,
- .iSecurity_force_mode = 0,
 .iDir_mask = 0755,
 .iDir_force_mode = 0,
- .iDir_Security_mask = 0777,
- .iDir_Security_force_mode = 0,
 .iMaxConnections = 0,
 .iDefaultCase = CASE_LOWER,
 .iPrinting = DEFAULT_PRINTING,
-- cgit