mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
8c581758f6
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
349 lines
12 KiB
XML
349 lines
12 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="smbcacls.1">
|
|
|
|
<refmeta>
|
|
<refentrytitle>smbcacls</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">User Commands</refmiscinfo>
|
|
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>smbcacls</refname>
|
|
<refpurpose>Set or get ACLs on an NT file or directory names</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>smbcacls</command>
|
|
<arg choice="req">//server/share</arg>
|
|
<arg choice="req">/filename</arg>
|
|
<arg choice="opt">-D|--delete acl</arg>
|
|
<arg choice="opt">-M|--modify acl</arg>
|
|
<arg choice="opt">-a|--add acl</arg>
|
|
<arg choice="opt">-S|--set acl</arg>
|
|
<arg choice="opt">-C|--chown name</arg>
|
|
<arg choice="opt">-G|--chgrp name</arg>
|
|
<arg choice="opt">-I allow|remove|copy</arg>
|
|
<arg choice="opt">--propagate-inheritance</arg>
|
|
<arg choice="opt">--numeric</arg>
|
|
<arg choice="opt">-t</arg>
|
|
<arg choice="opt">-U username</arg>
|
|
<arg choice="opt">-d</arg>
|
|
<arg choice="opt">-e</arg>
|
|
<arg choice="opt">-m|--max-protocol LEVEL</arg>
|
|
<arg choice="opt">--query-security-info FLAGS</arg>
|
|
<arg choice="opt">--set-security-info FLAGS</arg>
|
|
<arg choice="opt">--sddl</arg>
|
|
<arg choice="opt">--domain-sid SID</arg>
|
|
<arg choice="opt">-x|--maximum-access</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para>The <command>smbcacls</command> program manipulates NT Access Control
|
|
Lists (ACLs) on SMB file shares. An ACL is comprised zero or more Access
|
|
Control Entries (ACEs), which define access restrictions for a specific
|
|
user or group.</para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<para>The following options are available to the <command>smbcacls</command> program.
|
|
The format of ACLs is described in the section ACL FORMAT </para>
|
|
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-a|--add acl</term>
|
|
<listitem><para>Add the entries specified to the ACL. Existing
|
|
access control entries are unchanged.</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-M|--modify acl</term>
|
|
<listitem><para>Modify the mask value (permissions) for the ACEs
|
|
specified on the command line. An error will be printed for each
|
|
ACE specified that was not already present in the object's ACL.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-D|--delete acl</term>
|
|
<listitem><para>Delete any ACEs specified on the command line.
|
|
An error will be printed for each ACE specified that was not
|
|
already present in the object's ACL. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-S|--set acl</term>
|
|
<listitem><para>This command sets the ACL on the object with
|
|
only what is specified on the command line. Any existing ACL
|
|
is erased. Note that the ACL specified must contain at least a revision,
|
|
type, owner and group for the call to succeed. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-C|--chown name</term>
|
|
<listitem><para>The owner of a file or directory can be changed
|
|
to the name given using the <parameter>-C</parameter> option.
|
|
The name can be a sid in the form S-1-x-y-z or a name resolved
|
|
against the server specified in the first argument. </para>
|
|
|
|
<para>This command is a shortcut for -M OWNER:name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-G|--chgrp name</term>
|
|
<listitem><para>The group owner of a file or directory can
|
|
be changed to the name given using the <parameter>-G</parameter>
|
|
option. The name can be a sid in the form S-1-x-y-z or a name
|
|
resolved against the server specified n the first argument.
|
|
</para>
|
|
|
|
<para>This command is a shortcut for -M GROUP:name.</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
<term>-I|--inherit allow|remove|copy</term>
|
|
<listitem><para>Set or unset the windows "Allow inheritable
|
|
permissions" check box using the <parameter>-I</parameter>
|
|
option. To set the check box pass allow. To unset the check
|
|
box pass either remove or copy. Remove will remove all
|
|
inherited ACEs. Copy will copy all the inherited ACEs.
|
|
</para></listitem>
|
|
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--propagate-inheritance</term>
|
|
<listitem><para>Add, modify, delete or set ACEs on an entire
|
|
directory tree according to the inheritance flags. Refer to the
|
|
INHERITANCE section for details.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--numeric</term>
|
|
<listitem><para>This option displays all ACL information in numeric
|
|
format. The default is to convert SIDs to names and ACE types
|
|
and masks to a readable string format. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-m|--max-protocol PROTOCOL_NAME</term>
|
|
<listitem><para>This allows the user to select the
|
|
highest SMB protocol level that smbcacls will use to
|
|
connect to the server. By default this is set to
|
|
NT1, which is the highest available SMB1 protocol.
|
|
To connect using SMB2 or SMB3 protocol, use the
|
|
strings SMB2 or SMB3 respectively. Note that to connect
|
|
to a Windows 2012 server with encrypted transport selecting
|
|
a max-protocol of SMB3 is required.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-t|--test-args</term>
|
|
<listitem><para>
|
|
Don't actually do anything, only validate the correctness of
|
|
the arguments.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--query-security-info FLAGS</term>
|
|
<listitem><para>The security-info flags for queries.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--set-security-info FLAGS</term>
|
|
<listitem><para>The security-info flags for queries.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--sddl</term>
|
|
<listitem><para>Output and input acls in sddl format.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--domain-sid SID</term>
|
|
<listitem><para>SID used for sddl processing.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-x|--maximum-access</term>
|
|
<listitem><para>When displaying an ACL additionally query
|
|
the server for effective maximum permissions. Note that this
|
|
is only supported with SMB protocol version 2 or higher.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
&stdarg.server.debug;
|
|
&popt.common.samba;
|
|
&popt.common.credentials;
|
|
&popt.common.connection;
|
|
&popt.autohelp;
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>ACL FORMAT</title>
|
|
|
|
<para>The format of an ACL is one or more entries separated by
|
|
either commas or newlines. An ACL entry is one of the following: </para>
|
|
|
|
<para><programlisting>
|
|
REVISION:<revision number>
|
|
OWNER:<sid or name>
|
|
GROUP:<sid or name>
|
|
ACL:<sid or name>:<type>/<flags>/<mask>
|
|
</programlisting></para>
|
|
|
|
|
|
<para>The revision of the ACL specifies the internal Windows
|
|
NT ACL revision for the security descriptor.
|
|
If not specified it defaults to 1. Using values other than 1 may
|
|
cause strange behaviour. </para>
|
|
|
|
<para>The owner and group specify the owner and group sids for the
|
|
object. If a SID in the format S-1-x-y-z is specified this is used,
|
|
otherwise the name specified is resolved using the server on which
|
|
the file or directory resides. </para>
|
|
|
|
<para>ACEs are specified with an "ACL:" prefix, and define permissions
|
|
granted to an SID. The SID again can be specified in S-1-x-y-z format
|
|
or as a name in which case it is resolved against the server on which
|
|
the file or directory resides. The type, flags and mask values
|
|
determine the type of access granted to the SID. </para>
|
|
|
|
<para>The type can be either ALLOWED or DENIED to allow/deny access
|
|
to the SID.</para>
|
|
|
|
<para>The flags field defines how the ACE should be considered when
|
|
performing inheritance. <command>smbcacls</command> uses these flags
|
|
when run with <parameter>--propagate-inheritance</parameter>.</para>
|
|
|
|
<para>Flags can be specified as decimal or hexadecimal values, or with
|
|
the respective (XX) aliases, separated by a vertical bar "|".</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>(OI)</emphasis> Object Inherit 0x1</para></listitem>
|
|
<listitem><para><emphasis>(CI)</emphasis> Container Inherit 0x2</para></listitem>
|
|
<listitem><para><emphasis>(NP)</emphasis> No Propagate Inherit 0x4</para></listitem>
|
|
<listitem><para><emphasis>(IO)</emphasis> Inherit Only 0x8</para></listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
<para>The mask is a value which expresses the access right
|
|
granted to the SID. It can be given as a decimal or hexadecimal value,
|
|
or by using one of the following text strings which map to the NT
|
|
file permissions of the same name. </para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem>
|
|
<listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem>
|
|
<listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem>
|
|
<listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem>
|
|
<listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem>
|
|
<listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
<para>The following combined permissions can be specified:</para>
|
|
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX'
|
|
permissions</para></listitem>
|
|
<listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions
|
|
</para></listitem>
|
|
<listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO'
|
|
permissions</para></listitem>
|
|
</itemizedlist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>INHERITANCE</title>
|
|
|
|
<para>Per-ACE inheritance flags can be set in the ACE flags field. By
|
|
default, ACEs marked for object inheritance (OI) or container
|
|
inheritance (CI) are not propagated to sub-files or folders. However,
|
|
with the <parameter>--propagate-inheritance</parameter> arguement
|
|
specified, such ACEs are recursively applied to all applicable child
|
|
objects in the directory tree.</para>
|
|
|
|
<para>Any ACEs applied to sub-files of folders are marked with the
|
|
inherited (I) flag.</para>
|
|
|
|
<para>Files and folders with protected ACLs do not allow inheritable
|
|
permissions (set with <parameter>-I</parameter>). Such objects will
|
|
not receive ACEs flagged for inheritance with (CI) or (OI).</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXIT STATUS</title>
|
|
|
|
<para>The <command>smbcacls</command> program sets the exit status
|
|
depending on the success or otherwise of the operations performed.
|
|
The exit status may be one of the following values. </para>
|
|
|
|
<para>If the operation succeeded, smbcacls returns and exit
|
|
status of 0. If <command>smbcacls</command> couldn't connect to the specified server,
|
|
or there was an error getting or setting the ACLs, an exit status
|
|
of 1 is returned. If there was an error parsing any command line
|
|
arguments, an exit status of 2 is returned. </para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is part of version &doc.version; of the Samba suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
|
|
<para><command>smbcacls</command> was written by Andrew Tridgell
|
|
and Tim Potter.</para>
|
|
|
|
<para>The conversion to DocBook for Samba 2.2 was done
|
|
by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done
|
|
by Alexander Bokovoy.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|