Remove the parameters:

security mask
force security mode
directory security mask
force directory security mode

and update the docs.

docs-xml/smbdotconf/security/createmask.xml

@@ -28,9 +28,8 @@
 	</para>
 
     <para>
-	Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
-	administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
-	name="security mask"/>.
+	New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
+	over permission changes it should be set to 0777.
 	</para>
 </description>
 

docs-xml/smbdotconf/security/directorymask.xml

@@ -24,14 +24,14 @@
     created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. 
     This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
 
-    <para>Note that this parameter does not apply to permissions
-    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
-    a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
+    <para>
+    New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
+    over permission changes it should be set to 0777.
+    </para>
 </description>
 
 <related>force directory mode</related>
 <related>create mask</related>
-<related>directory security mask</related>
 <related>inherit permissions</related>
 <value type="default">0755</value>
 <value type="example">0775</value>

docs-xml/smbdotconf/security/directorysecuritymask.xml

@@ -3,37 +3,11 @@
 				 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter controls what UNIX permission bits
-    will be set when a Windows NT client is manipulating the UNIX
-    permission on a directory using the native NT security dialog
-    box.</para>
-
     <para>
-	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
-        any bits not in this mask.  Make sure not to mix up this parameter with <smbconfoption name="force
-	directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
-	Essentially, zero bits in this mask are a set of bits that will always be set to zero.
-	</para>
-
+	This parameter has been removed for Samba 4.0.0. The parameter
+	<smbconfoption name="directory mask"/> is now used instead to mask
+	any permission bit changes on directories.
     <para>
-	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
-	file permissions regardless of the previous status of this bits on the file.
-    </para>
-
-    <para>If not set explicitly this parameter is set to 0777
-    meaning a user is allowed to set all the user/group/world
-    permissions on a directory.</para>
-
-    <para><emphasis>Note</emphasis> that users who can access the 
-    Samba server through other means can easily bypass this restriction, 
-    so it is primarily useful for standalone &quot;appliance&quot; systems.  
-    Administrators of most normal systems will probably want to leave
-	it as the default of <constant>0777</constant>.</para>
 </description>
 
-<related>force directory security mode</related>
-<related>security mask</related>
-<related>force security mode</related>
-<value type="default">0777</value>
-<value type="example">0700</value>
 </samba:parameter>

docs-xml/smbdotconf/security/forcecreatemode.xml

@@ -10,6 +10,12 @@
     mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
     parameter is applied.</para>
 
+    <para>
+    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+    permissions are changed on a file, not just when the file is created.
+    This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
+    </para>
+
     <para>The example below would force all newly created files to have read and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>

docs-xml/smbdotconf/security/forcedirectorymode.xml

@@ -12,6 +12,12 @@
     mask in the parameter <parameter moreinfo="none">directory mask</parameter> is 
     applied.</para>
 
+    <para>
+    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+    permissions are changed on a directory, not just when the file is created.
+    This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
+    </para>
+
 	<para>The example below would force all created directories to have read and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>

docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml

@@ -4,40 +4,10 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
-	the UNIX permission on a directory using the native NT security dialog box.
-	</para>
-
+	This parameter has been removed for Samba 4.0.0. The parameter
+	<smbconfoption name="force directory mode"/> is now used instead to
+	force any permission changes on directories to include specific UNIX
+	permission bits.
     <para>
-	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
-	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
-	name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
-	of an OR. 
-	</para>
-
-	<para>
-	Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, 
-	to will enable (1) any flags that are off (0) but which the mask has set to on (1).
-	</para>
-
-    <para>
-	If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
-	permissions on a directory without restrictions.
-	</para>
-
-    <note><para>
-	Users who can access the Samba server through other means can easily bypass this restriction, so it is
-	primarily useful for standalone &quot;appliance&quot; systems.  Administrators of most normal systems will
-	probably want to leave it set as 0000.
-	</para></note>
-
 </description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>directory security mask</related>
-<related>security mask</related>
-<related>force security mode</related>
-
 </samba:parameter>

docs-xml/smbdotconf/security/forcesecuritymode.xml

@@ -4,38 +4,10 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating 
-    the UNIX permission on a file using the native NT security dialog box.
-	</para>
-		
-    <para>
-	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
-	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
-	name="security mask"/>, which works similar like this one but uses logical AND instead of OR. 
-	</para>
-
-	<para>
-	Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
-	the user has always set to be on.
-	</para>
-
-    <para>
-	If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
-	permissions on a file, with no restrictions.
-	</para>
-		
-    <para><emphasis>
-	Note</emphasis> that users who can access the Samba server through other means can easily bypass this
-	restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
-	normal systems will probably want to leave this set to 0000.
-	</para>
-
+	This parameter has been removed for Samba 4.0.0. The parameter
+	<smbconfoption name="force create mode"/> is now used instead to
+	force any permission changes on files to include specific UNIX
+	permission bits.
+    </para>
 </description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>security mask</related>
 </samba:parameter>

docs-xml/smbdotconf/security/securitymask.xml

@@ -4,36 +4,9 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
-	UNIX permission on a file using the native NT security dialog box.
-	</para>
-
-    <para>
-	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
-	any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
-	security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
-	</para>
-
-    <para>
-	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
-	file permissions regardless of the previous status of this bits on the file.
+	This parameter has been removed for Samba 4.0.0. The parameter
+	<smbconfoption name="create mask"/> is now used instead to mask
+	any permission bit changes on files.
     </para>
-
-    <para>
-	If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
-    </para>
-
-    <para><emphasis>
-	Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
-    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
-	most normal systems will probably want to leave it set to <constant>0777</constant>.
-	</para>
 </description>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>force security mode</related>
-
-<value type="default">0777</value>
-<value type="example">0770</value>
 </samba:parameter>

examples/scripts/shares/python/smbparm.py

@@ -89,7 +89,6 @@ parm_table = {
 	"ROOTPREEXEC"            : ("root preexec", SambaParmString, P_LOCAL, ""),
 	"WRITEOK"                : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
 	"MAXLOGSIZE"             : ("max log size", SambaParmString, P_GLOBAL, "5000"),
-	"FORCESECURITYMODE"      : ("force security mode", SambaParmString, P_LOCAL, "00"),
 	"VFSOBJECT"              : ("vfs objects", SambaParmString, P_LOCAL, ""),
 	"CHECKPASSWORDSCRIPT"    : ("check password script", SambaParmString, P_GLOBAL, ""),
 	"DELETEPRINTERCOMMAND"   : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
@@ -102,7 +101,6 @@ parm_table = {
 	"DOSFILEMODE"            : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
 	"LOGFILE"                : ("log file", SambaParmString, P_GLOBAL, ""),
 	"WORKGROUP"              : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
-	"DIRECTORYSECURITYMASK"  : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
 	"ENCRYPTPASSWORDS"       : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
 	"PRINTABLE"              : ("printable", SambaParmBool, P_LOCAL, "No"),
 	"MAXPROTOCOL"            : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
@@ -147,7 +145,6 @@ parm_table = {
 	"LEVEL2OPLOCKS"          : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
 	"LARGEREADWRITE"         : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
 	"LDAPREPLICATIONSLEEP"   : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
-	"SECURITYMASK"           : ("security mask", SambaParmString, P_LOCAL, "0777"),
 	"LDAPUSERSUFFIX"         : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
 	"NETBIOSNAME"            : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
 	"LOCKSPINCOUNT"          : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
@@ -184,7 +181,6 @@ parm_table = {
 	"POSIXLOCKING"           : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
 	"INCLUDE"                : ("include", SambaParmString, P_LOCAL, ""),
 	"ALGORITHMICRIDBASE"     : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
-	"FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
 	"ANNOUNCEVERSION"        : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
 	"USERNAMEMAP"            : ("username map", SambaParmString, P_GLOBAL, ""),
 	"MANGLEDNAMES"           : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),

lib/param/param_functions.c

@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
 FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
 FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
 FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
 FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
 FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
 FN_LOCAL_INTEGER(printing, iPrinting)

lib/param/param_table.c

@@ -956,24 +956,6 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 	},
-	{
-		.label		= "security mask",
-		.type		= P_OCTAL,
-		.p_class	= P_LOCAL,
-		.offset		= LOCAL_VAR(iSecurity_mask),
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
-	},
-	{
-		.label		= "force security mode",
-		.type		= P_OCTAL,
-		.p_class	= P_LOCAL,
-		.offset		= LOCAL_VAR(iSecurity_force_mode),
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
-	},
 	{
 		.label		= "directory mask",
 		.type		= P_OCTAL,
@@ -1001,24 +983,6 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 	},
-	{
-		.label		= "directory security mask",
-		.type		= P_OCTAL,
-		.p_class	= P_LOCAL,
-		.offset		= LOCAL_VAR(iDir_Security_mask),
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
-	},
-	{
-		.label		= "force directory security mode",
-		.type		= P_OCTAL,
-		.p_class	= P_LOCAL,
-		.offset		= LOCAL_VAR(iDir_Security_force_mode),
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
-	},
 	{
 		.label		= "force unknown acl user",
 		.type		= P_BOOL,

source3/include/proto.h

@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
 bool lp_durable_handles(int);
 int lp_create_mask(int );
 int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
 int lp_dir_mask(int );
 int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
 int lp_max_connections(int );
 int lp_defaultcase(int );
 int lp_minprintspace(int );

source3/param/loadparm.c

@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
 	.iWriteCacheSize = 0,
 	.iCreate_mask = 0744,
 	.iCreate_force_mode = 0,
-	.iSecurity_mask = 0777,
-	.iSecurity_force_mode = 0,
 	.iDir_mask = 0755,
 	.iDir_force_mode = 0,
-	.iDir_Security_mask = 0777,
-	.iDir_Security_force_mode = 0,
 	.iMaxConnections = 0,
 	.iDefaultCase = CASE_LOWER,
 	.iPrinting = DEFAULT_PRINTING,