From 7c293bf4a6fc073ac0d031fb15066b25e69f0511 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sun, 18 May 2003 08:00:54 +0000 Subject: More Edits. (This used to be commit 9e5487f49ffb120a81ec41408b1678897fb90730) --- docs/docbook/projdoc/AccessControls.xml | 243 +++++++++++++++++++++++++++++++- 1 file changed, 242 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index 16057411e2..9c0b52638d 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml 
@@ -370,9 +370,250 @@ at how Samba helps to bridge the differences. Share Definition Access Controls -Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc. +The following parameters in the &smb.conf; file sections that define a share control or affect access controls. +Before using any of the following options please refer to the man page for &smb.conf;. +User and Group Based Controls + + + + Control Parameter + Description - Action - Notes + + + + + admin users + + List of users who will be granted administrative privileges on the share. + They will do all file operations as the super-user (root). + Any user in this list will be able to do anything they like on the share, + irrespective of file permissions. + + + + force group + + Specifies a UNIX group name that will be assigned as the default primary group + for all users connecting to this service. + + + + force user + + Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. + This is useful for sharing files. Incorrect use can cause security problems. + + + + guest ok + + If this parameter is set for a service, then no password is required to connect to the service. Privileges will be + those of the guest account. + + + + invalid users + + List of users that should not be allowed to login to this service. + + + + only user + + Controls whether connections with usernames not in the user list will be allowed. + + + + read list + + List of users that are given read-only access to a service. Users in this list + will not be given write access, no matter what the read only option is set to. + + + + username + + Refer to the &smb.conf; man page for more information - this is a complex and potentially misused parameter. + + + + valid users + + List of users that should be allowed to login to this service. 
+ + + + write list + + List of users that are given read-write access to a service. + + + + +
+ + +The following file and directory permission based controls, if misused, can result in considerable difficulty to +diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one +undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually +re-instroduce them in a controlled fashion. + + +File and Directory Permission Based Controls + + + + Control Parameter + Description - Action - Notes + + + + + create mask + + Refer to the &smb.conf; man page. + + + + directory mask + + The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. + See also: directory security mask. + + + dos filemode + + Enabling this parameter allows a user who has write access to the file to modify the permissions on it. + + + + force create mode + + This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. + + + + force directory mode + + This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. + + + + force directory security mode + + Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory + + + + force security mode + + Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. + + + + hide unreadable + + Prevents clients from seeing the existance of files that cannot be read. + + + + hide unwriteable files + + Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual. + + + + nt acl support + + This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists. + + + + security mask + + Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. + + + + +
+ +Other Controls + + + + Control Parameter + Description - Action - Notes + + + + + case sensitive + + This means that all file name lookup will be done in a case sensitive manner. + Files will be created with the precise filename Samba received from the MS Windows client. + See also: default case, short preserve case. + + + + csc policy + + Client Side Caching Policy - parallels MS Windows client side file caching capabilities. + + + + dont descend + + Allows to specify a comma-delimited list of directories that the server should always show as empty. + + + + dos filetime resolution + + This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. + + + + dos filetimes + + Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the + owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS + semantics and smbd(8) will change the file timestamp as DOS requires. + + + + fake oplocks + + Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an + oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will + aggressively cache file data. With some oplock types the client may even cache file open/close operations. + + + + hide dot files, hide files, veto files + + Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible. + + + + read only + + If this parameter is yes, then users of a service may not create or modify files in the service's directory. + + + + veto files + + List of files and directories that are neither visible nor accessible. + + + + +
+ -- cgit
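Review bot: The fake oplocks row in the Other Controls table explains what an oplock is but never says what setting fake oplocks does, so a reader cannot tell from the table what the parameter changes or when it is safe to enable. Add a sentence stating the parameter's effect, as the other rows do. In the same table, veto files appears twice: once in the combined row "hide dot files, hide files, veto files", which carries only the MS Windows Explorer note and no description, and again in its own row. Merge or split these so each parameter has exactly one description. In the User and Group Based Controls table, the force user row says "Incorrect use can cause security problems" without naming the problem, and the sentence is more useful if it says what goes wrong. In the File and Directory Permission Based Controls table, create mask only points at the man page while directory mask beside it gets a description. Spelling: "re-instroduce" in the lead-in paragraph should be "re-introduce", and "existance" in both hide unreadable and hide unwriteable files should be "existence".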