From 478ffc48ee2e07d14abe85160c643752e1135b2e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 14 Dec 2000 04:57:14 +0000 Subject: Updated smbcacls documentation. (This used to be commit bd87398b5a9421add8db8b455d02ccd6b2624f58) --- docs/htmldocs/smbcacls.1.html | 73 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 64 insertions(+), 9 deletions(-) (limited to 'docs/htmldocs/smbcacls.1.html') diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html index a48330c5b6..b7a048a1f3 100644 --- a/docs/htmldocs/smbcacls.1.html +++ b/docs/htmldocs/smbcacls.1.html @@ -17,7 +17,7 @@

NAME

- smbcacls - Set or get ACLs on an NT file + smbcacls - Set or get ACLs on an NT file or directory

SYNOPSIS

@@ -33,24 +33,27 @@ SMB file shares.

OPTIONS

-

The following options are available to the smbcacls program: +

The following options are available to the smbcacls program. The +format of ACLs is described in the section ACL FORMAT

-A acls
-

Add the ACLs specified to the ACL list. +

Add the ACLs specified to the ACL list. Existing access control entries +are unchanged.

-M acls

Modify the mask value (permissions) for the ACLs specified on the command -line. An error will be printed if the ACL specified is not already present -in the ACL list +line. An error will be printed for each ACL specified that was not already +present in the ACL list.

-D acls
-

Delete any ACLs specfied on the command line. An error is printed if any -of the ACLs specified are not present in the ACL list. +

Delete any ACLs specfied on the command line. An error will be printed for +each ACL specified that was not already present in the ACL list.

-S acls
-

This command deletes the current ACLs for the file or directory and -replaces them with the ACLs specified on the command line. +

This command sets the ACLs on the file with only the ones specified on the +command line. All other ACLs are erased. Note that the ACL specified must +contain at least a revision, type, owner and group for the call to succeed.

-U username
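Review bot: The new -S text says "sets the ACLs on the file", dropping the "file or directory" wording of the removed lines and contradicting the NAME line this patch just widened to "an NT file or directory"; keep "file or directory" here. Because -S erases every entry not given on the command line, the requirement "at least a revision, type, owner and group" should name the entry keywords the reader has to supply: the ACL FORMAT section lists REVISION, OWNER, GROUP and ACL entries, and "type" appears there only as a field inside an ACL entry. The rewritten -D line also still carries the typo "specfied", and the new sentence ending "in the section ACL FORMAT" has no closing period.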

Specifies a username used to connect to the specified service. The @@ -68,6 +71,58 @@ format.

-h

Print usage information on the smbcacls program

+

+

ACL FORMAT

+ +

The format of an ACL is one or more ACL entries separated by either spaces, +commas or newlines. An ACL entry is one of the following: +

+
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+
+ +

The revision of the ACL specifies the internal Windows NT ACL revision for +the security descriptor. If not specified it defaults to 1. +

The owner and group specify the owner and group sids for the object. If a +SID in the format S-1-x-y-z is specified this is used, otherwise +the name specified is resolved using the server on which the file or +directory resides. +

ACLs specify permissions granted to the SID. This SID again can be +specified in S-1-x-y-z format or as a name in which case it is resolved +against the server on which the file or directory resides. The type, flags +and mask values determine the type of access granted to the SID. +

The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to +the SID. The flags values are generally zero for file ACLs and either 9 or +2 for directory ACLs. Some common flags are: +

+
+#define SEC_ACE_FLAG_OBJECT_INHERIT     	0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT  	0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY       	0x8
+
+ +

The mask is a value which expresses the access right granted to +the SID. It can be given as a hexadecimal value or by using one of the +following text strings which map to the NT file permissions of the same +name. +

+

R Allow read access +

W Allow write access +

X Execute permission on the object +

D Delete the object +

P Change permissions +

O Take ownership +

+

The following combined permissions can be specified: +

+

READ Equivalent to RX permissions +

CHANGE Equivalent to RXWD permissions +

FULL Equivalent to RWXDPO permissions +

EXIT STATUS
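Review bot: In the paragraph on type and flags, "either 9 or 2 for directory ACLs" is given without saying that the flags field is a combination of the SEC_ACE_FLAG_* values listed under it, so a reader cannot tell that 9 is 0x1 | 0x8 (OBJECT_INHERIT with INHERIT_ONLY) and 2 is CONTAINER_INHERIT; state that, and state whether the field is read as decimal or hexadecimal, since the mask is described as hexadecimal. The REVISION paragraph says "If not specified it defaults to 1", while the -S option text requires a revision for the call to succeed; say which one holds. The section also uses "ACL" both for the whole list and for a single ACL: entry; calling the latter an access control entry, as the -A text does, would remove the ambiguity.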

-- cgit