mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
520e3ac06d
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
483 lines
19 KiB
XML
483 lines
19 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="smbcacls.1">
|
|
|
|
<refmeta>
|
|
<refentrytitle>smbcacls</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">User Commands</refmiscinfo>
|
|
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>smbcacls</refname>
|
|
<refpurpose>Set or get ACLs on an NT file or directory names</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>smbcacls</command>
|
|
<arg choice="req">//server/share</arg>
|
|
<arg choice="req">/filename</arg>
|
|
|
|
<arg choice="opt">-D|--delete=ACL</arg>
|
|
<arg choice="opt">-M|--modify=ACL</arg>
|
|
<arg choice="opt">-a|--add=ACL</arg>
|
|
<arg choice="opt">-S|--set=ACLS</arg>
|
|
<arg choice="opt">-C|--chown=USERNAME</arg>
|
|
<arg choice="opt">-G|--chgrp=GROUPNAME</arg>
|
|
<arg choice="opt">-I|--inherit=STRING</arg>
|
|
<arg choice="opt">--recurse</arg>
|
|
<arg choice="opt">--propagate-inheritance</arg>
|
|
<arg choice="opt">--save=savefile</arg>
|
|
<arg choice="opt">--restore=restorefile</arg>
|
|
<arg choice="opt">--numeric</arg>
|
|
<arg choice="opt">--sddl</arg>
|
|
<arg choice="opt">--query-security-info=INT</arg>
|
|
<arg choice="opt">--set-security-info=INT</arg>
|
|
<arg choice="opt">-t|--test-args</arg>
|
|
<arg choice="opt">--domain-sid=SID</arg>
|
|
<arg choice="opt">-x|--maximum-access</arg>
|
|
<arg choice="opt">-?|--help</arg>
|
|
<arg choice="opt">--usage</arg>
|
|
<arg choice="opt">-d|--debuglevel=DEBUGLEVEL</arg>
|
|
<arg choice="opt">--debug-stdout</arg>
|
|
<arg choice="opt">--configfile=CONFIGFILE</arg>
|
|
<arg choice="opt">--option=name=value</arg>
|
|
<arg choice="opt">-l|--log-basename=LOGFILEBASE</arg>
|
|
<arg choice="opt">--leak-report</arg>
|
|
<arg choice="opt">--leak-report-full</arg>
|
|
<arg choice="opt">-R|--name-resolve=NAME-RESOLVE-ORDER</arg>
|
|
<arg choice="opt">-O|--socket-options=SOCKETOPTIONS</arg>
|
|
<arg choice="opt">-m|--max-protocol=MAXPROTOCOL</arg>
|
|
<arg choice="opt">-n|--netbiosname=NETBIOSNAME</arg>
|
|
<arg choice="opt">--netbios-scope=SCOPE</arg>
|
|
<arg choice="opt">-W|--workgroup=WORKGROUP</arg>
|
|
<arg choice="opt">--realm=REALM</arg>
|
|
<arg choice="opt">-U|--user=[DOMAIN/]USERNAME[%PASSWORD]</arg>
|
|
<arg choice="opt">-N|--no-pass</arg>
|
|
<arg choice="opt">--password=STRING</arg>
|
|
<arg choice="opt">--pw-nt-hash</arg>
|
|
<arg choice="opt">-A|--authentication-file=FILE</arg>
|
|
<arg choice="opt">-P|--machine-pass</arg>
|
|
<arg choice="opt">--simple-bind-dn=DN</arg>
|
|
<arg choice="opt">--use-kerberos=desired|required|off</arg>
|
|
<arg choice="opt">--use-krb5-ccache=CCACHE</arg>
|
|
<arg choice="opt">--use-winbind-ccache</arg>
|
|
<arg choice="opt">--client-protection=sign|encrypt|off</arg>
|
|
<arg choice="opt">-V|--version</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para>The <command>smbcacls</command> program manipulates NT Access Control
|
|
Lists (ACLs) on SMB file shares. An ACL comprises zero or more Access
|
|
Control Entries (ACEs), which define access restrictions for a specific
|
|
user or group.</para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<para>The following options are available to the <command>smbcacls</command> program.
|
|
The format of ACLs is described in the section ACL FORMAT </para>
|
|
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-a|--add acl</term>
|
|
<listitem><para>Add the entries specified to the ACL. Existing
|
|
access control entries are unchanged.</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-M|--modify acl</term>
|
|
<listitem><para>Modify the mask value (permissions) for the ACEs
|
|
specified on the command line. An error will be printed for each
|
|
ACE specified that was not already present in the object's ACL.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-D|--delete acl</term>
|
|
<listitem><para>Delete any ACEs specified on the command line.
|
|
An error will be printed for each ACE specified that was not
|
|
already present in the object's ACL. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-S|--set acl</term>
|
|
<listitem><para>This command sets the ACL on the object with
|
|
only what is specified on the command line. Any existing ACL
|
|
is erased. Note that the ACL specified must contain at least a revision,
|
|
type, owner and group for the call to succeed. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-C|--chown name</term>
|
|
<listitem><para>The owner of a file or directory can be changed
|
|
to the name given using the <parameter>-C</parameter> option.
|
|
The name can be a sid in the form S-1-x-y-z or a name resolved
|
|
against the server specified in the first argument. </para>
|
|
|
|
<para>This command is a shortcut for -M OWNER:name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-G|--chgrp name</term>
|
|
<listitem><para>The group owner of a file or directory can
|
|
be changed to the name given using the <parameter>-G</parameter>
|
|
option. The name can be a sid in the form S-1-x-y-z or a name
|
|
resolved against the server specified n the first argument.
|
|
</para>
|
|
|
|
<para>This command is a shortcut for -M GROUP:name.</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-I|--inherit allow|remove|copy</term>
|
|
<listitem><para>Set or unset the windows "Allow inheritable
|
|
permissions" check box using the <parameter>-I</parameter>
|
|
option. To set the check box pass allow. To unset the check
|
|
box pass either remove or copy. Remove will remove all
|
|
inherited ACEs. Copy will copy all the inherited ACEs.
|
|
</para></listitem>
|
|
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--propagate-inheritance</term>
|
|
<listitem><para>Add, modify, delete or set ACEs on an entire
|
|
directory tree according to the inheritance flags. Refer to the
|
|
INHERITANCE section for details.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--save savefile</term>
|
|
<listitem><para> stores the DACLs in sddl format
|
|
of the specified file or folder for later use with restore.
|
|
SACLS, owner or integrity labels are not stored.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--restore savefile</term>
|
|
<listitem><para> applies the stored DACLS to files in
|
|
directory.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--recurse</term>
|
|
<listitem><para> indicates the operation is performed on
|
|
directory and all files/directories below. (only applies
|
|
to save option)
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--numeric</term>
|
|
<listitem><para>This option displays all ACL information in numeric
|
|
format. The default is to convert SIDs to names and ACE types
|
|
and masks to a readable string format. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-m|--max-protocol PROTOCOL_NAME</term>
|
|
<listitem><para>This allows the user to select the
|
|
highest SMB protocol level that smbcacls will use to
|
|
connect to the server. By default this is set to
|
|
NT1, which is the highest available SMB1 protocol.
|
|
To connect using SMB2 or SMB3 protocol, use the
|
|
strings SMB2 or SMB3 respectively. Note that to connect
|
|
to a Windows 2012 server with encrypted transport selecting
|
|
a max-protocol of SMB3 is required.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-t|--test-args</term>
|
|
<listitem><para>
|
|
Don't actually do anything, only validate the correctness of
|
|
the arguments.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--query-security-info FLAGS</term>
|
|
<listitem><para>The security-info flags for queries.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--set-security-info FLAGS</term>
|
|
<listitem><para>The security-info flags for queries.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--sddl</term>
|
|
<listitem><para>Output and input acls in sddl format.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--domain-sid SID</term>
|
|
<listitem><para>SID used for sddl processing.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-x|--maximum-access</term>
|
|
<listitem><para>When displaying an ACL additionally query
|
|
the server for effective maximum permissions. Note that this
|
|
is only supported with SMB protocol version 2 or higher.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
&popt.autohelp;
|
|
&cmdline.common.samba.client;
|
|
&cmdline.common.connection;
|
|
&cmdline.common.credentials;
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>ACL FORMAT</title>
|
|
|
|
<para>The format of an ACL is one or more entries separated by
|
|
either commas or newlines. An ACL entry is one of the following: </para>
|
|
|
|
<para><programlisting>
|
|
REVISION:<revision number>
|
|
OWNER:<sid or name>
|
|
GROUP:<sid or name>
|
|
ACL:<sid or name>:<type>/<flags>/<mask>
|
|
</programlisting></para>
|
|
|
|
<para>Control bits related to automatic inheritance</para>
|
|
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>OD</emphasis> - "Owner Defaulted" - Indicates that the SID of the owner of the security descriptor was provided by a default mechanism.</para></listitem>
|
|
<listitem><para><emphasis>GD</emphasis> - "Group Defaulted" - Indicates that the SID of the security descriptor group was provided by a default mechanism.</para></listitem>
|
|
<listitem><para><emphasis>DP</emphasis> - "DACL Present" - Indicates a security descriptor that has a discretionary access control list (DACL).</para></listitem>
|
|
<listitem><para><emphasis>DD</emphasis> - "DACL Defaulted" - Indicates a security descriptor with a default DACL.</para></listitem>
|
|
<listitem><para><emphasis>SP</emphasis> - "SACL Present" - Indicates a security descriptor that has a system access control list (SACL).</para></listitem>
|
|
<listitem><para><emphasis>SD</emphasis> - "SACL Defaulted" - A default mechanism, rather than the original provider of the security descriptor, provided the SACL.</para></listitem>
|
|
<listitem><para><emphasis>DT</emphasis> - "DACL Trusted"</para></listitem>
|
|
<listitem><para><emphasis>SS</emphasis> - "Server Security"</para></listitem>
|
|
<listitem><para><emphasis>DR</emphasis> - "DACL Inheritance Required" - Indicates a required security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.</para></listitem>
|
|
<listitem><para><emphasis>SR</emphasis> - "SACL Inheritance Required" - Indicates a required security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.</para></listitem>
|
|
<listitem><para><emphasis>DI</emphasis> - "DACL Auto Inherited" - Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.</para></listitem>
|
|
<listitem><para><emphasis>SI</emphasis> - "SACL Auto Inherited" - Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.</para></listitem>
|
|
<listitem><para><emphasis>PD</emphasis> - "DACL Protected" - Prevents the DACL of the security descriptor from being modified by inheritable ACEs.</para></listitem>
|
|
<listitem><para><emphasis>PS</emphasis> - "SACL Protected" - Prevents the SACL of the security descriptor from being modified by inheritable ACEs.</para></listitem>
|
|
<listitem><para><emphasis>RM</emphasis> - "RM Control Valid" - Indicates that the resource manager control is valid.</para></listitem>
|
|
<listitem><para><emphasis>SR</emphasis> - "Self Relative" - Indicates a self-relative security descriptor.</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The revision of the ACL specifies the internal Windows
|
|
NT ACL revision for the security descriptor.
|
|
If not specified it defaults to 1. Using values other than 1 may
|
|
cause strange behaviour. </para>
|
|
|
|
<para>The owner and group specify the owner and group sids for the
|
|
object. If a SID in the format S-1-x-y-z is specified this is used,
|
|
otherwise the name specified is resolved using the server on which
|
|
the file or directory resides. </para>
|
|
|
|
<para>ACEs are specified with an "ACL:" prefix, and define permissions
|
|
granted to an SID. The SID again can be specified in S-1-x-y-z format
|
|
or as a name in which case it is resolved against the server on which
|
|
the file or directory resides. The type, flags and mask values
|
|
determine the type of access granted to the SID. </para>
|
|
|
|
<para>The type can be either ALLOWED or DENIED to allow/deny access
|
|
to the SID.</para>
|
|
|
|
<para>The flags field defines how the ACE should be considered when
|
|
performing inheritance. <command>smbcacls</command> uses these flags
|
|
when run with <parameter>--propagate-inheritance</parameter>.</para>
|
|
|
|
<para>Flags can be specified as decimal or hexadecimal values, or with
|
|
the respective (XX) aliases, separated by a vertical bar "|".</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>(OI)</emphasis> Object Inherit 0x1</para></listitem>
|
|
<listitem><para><emphasis>(CI)</emphasis> Container Inherit 0x2</para></listitem>
|
|
<listitem><para><emphasis>(NP)</emphasis> No Propagate Inherit 0x4</para></listitem>
|
|
<listitem><para><emphasis>(IO)</emphasis> Inherit Only 0x8</para></listitem>
|
|
<listitem><para><emphasis>(I)</emphasis> ACE was inherited 0x10</para></listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
<para>The mask is a value which expresses the access right
|
|
granted to the SID. It can be given as a decimal or hexadecimal value,
|
|
or by using one of the following text strings which map to the NT
|
|
file permissions of the same name. </para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem>
|
|
<listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem>
|
|
<listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem>
|
|
<listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem>
|
|
<listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem>
|
|
<listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
<para>The following combined permissions can be specified:</para>
|
|
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX'
|
|
permissions</para></listitem>
|
|
<listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions
|
|
</para></listitem>
|
|
<listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO'
|
|
permissions</para></listitem>
|
|
</itemizedlist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>INHERITANCE</title>
|
|
|
|
<para>Per-ACE inheritance flags can be set in the ACE flags field. By
|
|
default, inheritable ACEs e.g. those marked for object inheritance (OI)
|
|
or container inheritance (CI), are not propagated to sub-files or
|
|
folders. However, with the
|
|
<parameter>--propagate-inheritance</parameter> argument specified, such
|
|
ACEs are automatically propagated according to some inheritance
|
|
rules.
|
|
<itemizedlist>
|
|
<listitem><para>Inheritable (OI)(OI) ACE flags can only be
|
|
applied to folders. </para></listitem>
|
|
<listitem><para>Any inheritable ACEs applied to sub-files or
|
|
folders are marked with the inherited (I) flag. Inheritable
|
|
ACE(s) are applied to folders unless the no propagation (NP)
|
|
flag is set. </para>
|
|
</listitem>
|
|
<listitem><para>When an ACE with the (OI) flag alone set is
|
|
propagated to a child folder the inheritance only flag (IO) is
|
|
also applied. This indicates the permissions associated with
|
|
the ACE don't apply to the folder itself (only to it's
|
|
child files). When applying the ACE to a child file the ACE is
|
|
inherited as normal.</para></listitem>
|
|
<listitem><para>When an ace with the (CI) flag alone set is
|
|
propagated to a child file there is no effect, when propagated
|
|
to a child folder it is inherited as normal.
|
|
</para></listitem>
|
|
<listitem><para>When an ACE that has both (OI) & (CI) flags
|
|
set the ACE is inherited as normal by both folders and
|
|
files.</para></listitem>
|
|
</itemizedlist></para>
|
|
<para>(OI)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-parent/ (OI)(READ)
|
|
| +-file.1 (I)(READ)
|
|
| +-nested/ (OI)(IO)(I)(READ)
|
|
| +-file.2 (I)(READ)
|
|
</programlisting></para>
|
|
<para>(CI)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-parent/ (CI)(READ)
|
|
| +-file.1
|
|
| +-nested/ (CI)(I)(READ)
|
|
| +-file.2
|
|
</programlisting></para>
|
|
<para>(OI)(CI)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-parent/ (OI)(CI)(READ)
|
|
| +-file.1 (I)(READ)
|
|
| +-nested/ (OI)(CI)(I)(READ)
|
|
| +-file.2 (I)(READ)
|
|
</programlisting></para>
|
|
<para>(OI)(NP)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-oi_dir/ (OI)(NP)(READ)
|
|
| +-file.1 (I)(READ)
|
|
| +-nested/
|
|
| +-file.2
|
|
</programlisting></para>
|
|
<para>(CI)(NP)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-oi_dir/ (CI)(NP)(READ)
|
|
| +-file.1
|
|
| +-nested/ (I)(READ)
|
|
| +-file.2
|
|
</programlisting></para>
|
|
<para>(OI)(CI)(NP)(READ) added to parent folder</para>
|
|
<para><programlisting>
|
|
+-parent/ (CI)(OI)(NP)(READ)
|
|
| +-file.1 (I)(READ)
|
|
| +-nested/ (I)(READ)
|
|
| +-file.2
|
|
</programlisting></para>
|
|
<para>Files and folders with protected ACLs do not allow inheritable
|
|
permissions (set with <parameter>-I</parameter>). Such objects will
|
|
not receive ACEs flagged for inheritance with (CI) or (OI).</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXIT STATUS</title>
|
|
|
|
<para>The <command>smbcacls</command> program sets the exit status
|
|
depending on the success or otherwise of the operations performed.
|
|
The exit status may be one of the following values. </para>
|
|
|
|
<para>If the operation succeeded, smbcacls returns and exit
|
|
status of 0. If <command>smbcacls</command> couldn't connect to the specified server,
|
|
or there was an error getting or setting the ACLs, an exit status
|
|
of 1 is returned. If there was an error parsing any command line
|
|
arguments, an exit status of 2 is returned. </para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is part of version &doc.version; of the Samba suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
|
|
<para><command>smbcacls</command> was written by Andrew Tridgell
|
|
and Tim Potter.</para>
|
|
|
|
<para>The conversion to DocBook for Samba 2.2 was done
|
|
by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done
|
|
by Alexander Bokovoy.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|