summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/securitymask.xml
blob: 23bc2808db410d0a94e9758b7abb2b593e78e840 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<samba:parameter name="security mask"
                 context="S"
				 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>
	This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
	UNIX permission on a file using the native NT security dialog box.
	</para>

    <para>
	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
	any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
	security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
	</para>

    <para>
	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
	file permissions regardless of the previous status of this bits on the file.
    </para>

    <para>
	If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
    </para>

    <para><emphasis>
	Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
	most normal systems will probably want to leave it set to <constant>0777</constant>.
	</para>
</description>

<related>force directory security mode</related>
<related>directory security mask</related>
<related>force security mode</related>

<value type="default">0777</value>
<value type="example">0770</value>
</samba:parameter>