summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/forcedirectorysecuritymode.xml
blob: 2c15ec2753af7d6104fca53b62bd8eb78dea0e75 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<samba:parameter name="force directory security mode"
                 context="S"
				 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>
	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
	the UNIX permission on a directory using the native NT security dialog box.
	</para>

    <para>
	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
	name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
	of an OR. 
	</para>

	<para>
	Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, 
	to will enable (1) any flags that are off (0) but which the mask has set to on (1).
	</para>

    <para>
	If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
	permissions on a directory without restrictions.
	</para>

    <note><para>
	Users who can access the Samba server through other means can easily bypass this restriction, so it is
	primarily useful for standalone &quot;appliance&quot; systems.  Administrators of most normal systems will
	probably want to leave it set as 0000.
	</para></note>

</description>

<value type="default">0</value>
<value type="example">700</value>

<related>directory security mask</related>
<related>security mask</related>
<related>force security mode</related>

</samba:parameter>