docs/smbdotconf/security/directorysecuritymask.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

<samba:parameter name="directory security mask"
                 context="S"
				 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This parameter controls what UNIX permission bits 
    can be set when a Windows NT client is manipulating the UNIX 
    permission on a directory using the native NT security dialog 
    box.</para>

    <para>
	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus preventing any bits not
	in this mask from being set.  Make sure not to mix up this parameter with <smbconfoption name="force
	directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
	Essentially, zero bits in this mask are a set of bits that will always be set to zero.
	</para>

    <para>If not set explicitly this parameter is set to 0777
    meaning a user is allowed to set all the user/group/world
    permissions on a directory.</para>

    <para><emphasis>Note</emphasis> that users who can access the 
    Samba server through other means can easily bypass this restriction, 
    so it is primarily useful for standalone &quot;appliance&quot; systems.  
    Administrators of most normal systems will probably want to leave
	it as the default of <constant>0777</constant>.</para>
</description>

<related>force directory security mode</related>
<related>security mask</related>
<related>force security mode</related>
<value type="default">0777</value>
<value type="example">0700</value>
</samba:parameter>