From c4707e1dd8e01d9d91e4b75c347c5e616c945aef Mon Sep 17 00:00:00 2001 From: Noel Power Date: Fri, 15 Nov 2013 11:53:35 +0000 Subject: [PATCH] doc: describe smbcacls --propagate-inheritance expanding INHERITANCE section Signed-off-by: Noel Power Reviewed-by: Jeremy Allison --- docs-xml/manpages/smbcacls.1.xml | 80 ++++++++++++++++++++++++++++---- 1 file changed, 71 insertions(+), 9 deletions(-) diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml index 783171513da..7efcc087cfd 100644 --- a/docs-xml/manpages/smbcacls.1.xml +++ b/docs-xml/manpages/smbcacls.1.xml 
@@ -295,18 +295,80 @@ ACL:<sid or name>:<type>/<flags>/<mask> INHERITANCE Per-ACE inheritance flags can be set in the ACE flags field. By - default, ACEs marked for object inheritance (OI) or container - inheritance (CI) are not propagated to sub-files or folders. However, - with the --propagate-inheritance arguement - specified, such ACEs are recursively applied to all applicable child - objects in the directory tree. - - Any ACEs applied to sub-files of folders are marked with the - inherited (I) flag. - + default, inheritable ACEs e.g. those marked for object inheritance (OI) + or container inheritance (CI), are not propagated to sub-files or + folders. However, with the + --propagate-inheritance argument specified, such + ACEs are automatically propagated according to some inheritance + rules. + + Inheritable (OI)(OI) ACE flags can only be + applied to folders. + Any inheritable ACEs applied to sub-files or + folders are marked with the inherited (I) flag. Inheritable + ACE(s) are applied to folders unless the no propagation (NP) + flag is set. + + When an ACE with the (OI) flag alone set is + progagated to a child folder the inheritance only flag (IO) is + also applied. This indicates the permissions associated with + the ACE don't apply to the folder itself (only to it's + child files). When applying the ACE to a child file the ACE is + inherited as normal. + When an ace with the (CI) flag alone set is + propagated to a child file there is no effect, when propagated + to a child folder it is inherited as normal. + + When an ACE that has both (OI) & (CI) flags + set the ACE is inherited as normal by both folders and + files. 
+ +(OI)(READ) added to parent folder + ++-parent/ (OI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(IO)(I)(READ) + | +-file.2 (I)(READ) + +(CI)(READ) added to parent folder + ++-parent/ (CI)(READ) +| +-file.1 +| +-nested/ (CI)(I)(READ) + | +-file.2 + +(OI)(CI)(READ) added to parent folder + ++-parent/ (OI)(CI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(CI)(I)(READ) + | +-file.2 (I)(READ) + +(OI)(NP)(READ) added to parent folder + ++-oi_dir/ (OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ +| +-file.2 + +(CI)(NP)(READ) added to parent folder + ++-oi_dir/ (CI)(NP)(READ) +| +-file.1 +| +-nested/ (I)(READ) +| +-file.2 + +(OI)(CI)(NP)(READ) added to parent folder + ++-parent/ (CI)(OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ (I)(READ) +| +-file.2 + Files and folders with protected ACLs do not allow inheritable permissions (set with -I). Such objects will not receive ACEs flagged for inheritance with (CI) or (OI). +
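Review bot: The added sentence "Inheritable (OI)(OI) ACE flags can only be applied to folders" repeats the same flag; given the rest of the section, this presumably should read "(OI)(CI)". Further down the same added text, "progagated" should be "propagated", "it's child files" should be "its child files", and "When an ace with the (CI) flag" should capitalise "ACE" to match the other paragraphs. The sentence "When an ACE that has both (OI) & (CI) flags set the ACE is inherited as normal" is missing a verb after "ACE"; dropping "that" fixes it. "according to some inheritance rules" is vague for a man page; since the rules are spelled out right below, say "according to the inheritance rules described below". In the tree examples, the (OI)(NP) and (CI)(NP) cases name the top folder "oi_dir/" while every other case uses "parent/", and the last example lists the flags as "(CI)(OI)(NP)" under a heading that says "(OI)(CI)(NP)"; use one folder name and one flag order throughout so readers do not take the differences as meaningful.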