summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/securitymask.xml
blob: de3dd29753d01c99368d4a8c19cca5847d0fbab9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<samba:parameter name="security mask"
                 context="S"
				 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This parameter controls what UNIX permission 
    bits can be modified when a Windows NT client is manipulating 
    the UNIX permission on a file using the native NT security 
    dialog box.</para>

    <para>This parameter is applied as a mask (AND'ed with) to 
    the changed permission bits, thus preventing any bits not in 
    this mask from being modified. Essentially, zero bits in this 
    mask may be treated as a set of bits the user is not allowed 
    to change.</para>

    <para>If not set explicitly this parameter is 0777, allowing
    a user to modify all the user/group/world permissions on a file.
    </para>

    <para><emphasis>Note</emphasis> that users who can access the 
    Samba server through other means can easily bypass this 
    restriction, so it is primarily useful for standalone 
    &quot;appliance&quot; systems.  Administrators of most normal systems will 
	probably want to leave it set to <constant>0777</constant>.</para>
</description>

<related>force directory security mode</related>
<related>directory security mask</related>
<related>force security mode</related>

<value type="default">0777</value>
<value type="example">0770</value>
</samba:parameter>