summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/directorysecuritymask.xml
blob: ced788449f3511d5814fa8f49a1b00821edd05f2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<samba:parameter name="directory security mask"
                 context="S"
				 type="string"
                 xmlns:samba="http://samba.org/common">
<description>
    <para>This parameter controls what UNIX permission bits 
    can be modified when a Windows NT client is manipulating the UNIX 
    permission on a directory using the native NT security dialog 
    box.</para>

    <para>This parameter is applied as a mask (AND'ed with) to 
    the changed permission bits, thus preventing any bits not in 
    this mask from being modified. Essentially, zero bits in this 
    mask may be treated as a set of bits the user is not allowed 
    to change.</para>

    <para>If not set explicitly this parameter is set to 0777
    meaning a user is allowed to modify all the user/group/world
    permissions on a directory.</para>

    <para><emphasis>Note</emphasis> that users who can access the 
    Samba server through other means can easily bypass this restriction, 
    so it is primarily useful for standalone &quot;appliance&quot; systems.  
    Administrators of most normal systems will probably want to leave
	it as the default of <constant>0777</constant>.</para>
</description>

<related>force directory security mode</related>
<related>security mask</related>
<related>force security mode</related>
<value type="default">0777</value>
<value type="example">0700</value>
</samba:parameter>