summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security/directorysecuritymask.xml
blob: d5413d4578907acea5816a47d16e476aa1d40d19 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<samba:parameter name="directory security mask"
                 context="S"
                 xmlns:samba="http://samba.org/common">
<listitem>
    <para>This parameter controls what UNIX permission bits 
    can be modified when a Windows NT client is manipulating the UNIX 
    permission on a directory using the native NT security dialog 
    box.</para>

    <para>This parameter is applied as a mask (AND'ed with) to 
    the changed permission bits, thus preventing any bits not in 
    this mask from being modified. Essentially, zero bits in this 
    mask may be treated as a set of bits the user is not allowed 
    to change.</para>

    <para>If not set explicitly this parameter is set to 0777
    meaning a user is allowed to modify all the user/group/world
    permissions on a directory.</para>

    <para><emphasis>Note</emphasis> that users who can access the 
    Samba server through other means can easily bypass this restriction, 
    so it is primarily useful for standalone &quot;appliance&quot; systems.  
    Administrators of most normal systems will probably want to leave
    it as the default of <constant>0777</constant>.</para>

    <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none">
    force directory security mode</parameter></link>, <link linkend="SECURITYMASK">
    <parameter moreinfo="none">security mask</parameter></link>, 
    <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode
    </parameter></link> parameters.</para>

    <para>Default: <command moreinfo="none">directory security mask = 0777</command></para>

    <para>Example: <command moreinfo="none">directory security mask = 0700</command></para>
</listitem>
</samba:parameter>