From db62a159b8833a4f1aee0c9733fd263b6d239d53 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 3 Oct 2012 16:04:18 -0700 Subject: Remove the parameters: security mask force security mode directory security mask force directory security mode and update the docs. --- docs-xml/smbdotconf/security/createmask.xml | 5 ++- docs-xml/smbdotconf/security/directorymask.xml | 8 ++--- .../smbdotconf/security/directorysecuritymask.xml | 32 ++---------------- docs-xml/smbdotconf/security/forcecreatemode.xml | 6 ++++ .../smbdotconf/security/forcedirectorymode.xml | 6 ++++ .../security/forcedirectorysecuritymode.xml | 38 +++------------------- docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 +++------------------- docs-xml/smbdotconf/security/securitymask.xml | 33 ++----------------- 8 files changed, 33 insertions(+), 133 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c78e..59e208dccd 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the . + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79214..2ebfc16d14 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -24,14 +24,14 @@ created from this parameter with the value of the parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the . + + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + force directory mode create mask -directory security mask inherit permissions 0755 0775 diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml index 5ed85ae3f8..0bd5d9327d 100644 --- a/docs-xml/smbdotconf/security/directorysecuritymask.xml +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml @@ -3,37 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on directories. - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. -force directory security mode -security mask -force security mode -0777 -0700 diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c105..5a57a294af 100644 --- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml @@ -10,6 +10,12 @@ mode after the mask set in the create mask parameter is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed force security mode. + + The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e399..e5b37ea611 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter directory mask is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed force directory security mode. + + The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml index 2c15ec2753..01e5fe9a2a 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml @@ -4,40 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works in a similar manner to this one, but uses a logical AND instead - of an OR. - - - - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - - - - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - - - - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - - - -0 -700 - -directory security mask -security mask -force security mode - diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml index 7451ef91ae..b6713b10b0 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml @@ -4,38 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works similar like this one but uses logical AND instead of OR. - - - - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - - - - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + - -0 -700 - -force directory security mode -directory security mask -security mask diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml index 23bc2808db..d1e78bedfd 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml +++ b/docs-xml/smbdotconf/security/securitymask.xml @@ -4,36 +4,9 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works in a manner similar to this one but uses a logical OR instead of an AND. - - - - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on files. - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to 0777. - - -force directory security mode -directory security mask -force security mode - -0777 -0770 -- cgit