From 4f5791ebd03eaec1c7da0865a383175b05102712 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 5 May 2024 19:47:29 +0200 Subject: Adding upstream version 2:4.17.12+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/manpages/smbcacls.1.xml | 456 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 456 insertions(+) create mode 100644 docs-xml/manpages/smbcacls.1.xml (limited to 'docs-xml/manpages/smbcacls.1.xml') diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml new file mode 100644 index 0000000..ef504b4 --- /dev/null +++ b/docs-xml/manpages/smbcacls.1.xml 
@@ -0,0 +1,456 @@ + + + + + + smbcacls + 1 + Samba + User Commands + &doc.version; + + + + + smbcacls + Set or get ACLs on an NT file or directory names + + + + + smbcacls + //server/share + /filename + + -D|--delete=ACL + -M|--modify=ACL + -a|--add=ACL + -S|--set=ACLS + -C|--chown=USERNAME + -G|--chgrp=GROUPNAME + -I|--inherit=STRING + --propagate-inheritance + --numeric + --sddl + --query-security-info=INT + --set-security-info=INT + -t|--test-args + --domain-sid=SID + -x|--maximum-access + -?|--help + --usage + -d|--debuglevel=DEBUGLEVEL + --debug-stdout + --configfile=CONFIGFILE + --option=name=value + -l|--log-basename=LOGFILEBASE + --leak-report + --leak-report-full + -R|--name-resolve=NAME-RESOLVE-ORDER + -O|--socket-options=SOCKETOPTIONS + -m|--max-protocol=MAXPROTOCOL + -n|--netbiosname=NETBIOSNAME + --netbios-scope=SCOPE + -W|--workgroup=WORKGROUP + --realm=REALM + -U|--user=[DOMAIN/]USERNAME[%PASSWORD] + -N|--no-pass + --password=STRING + --pw-nt-hash + -A|--authentication-file=FILE + -P|--machine-pass + --simple-bind-dn=DN + --use-kerberos=desired|required|off + --use-krb5-ccache=CCACHE + --use-winbind-ccache + --client-protection=sign|encrypt|off + -V|--version + + + + + DESCRIPTION + + This tool is part of the samba + 7 suite. + + The smbcacls program manipulates NT Access Control + Lists (ACLs) on SMB file shares. An ACL is comprised zero or more Access + Control Entries (ACEs), which define access restrictions for a specific + user or group. + + + + + OPTIONS + + The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT + + + + + -a|--add acl + Add the entries specified to the ACL. Existing + access control entries are unchanged. + + + + + + -M|--modify acl + Modify the mask value (permissions) for the ACEs + specified on the command line. An error will be printed for each + ACE specified that was not already present in the object's ACL. 
+ + + + + + + -D|--delete acl + Delete any ACEs specified on the command line. + An error will be printed for each ACE specified that was not + already present in the object's ACL. + + + + + + -S|--set acl + This command sets the ACL on the object with + only what is specified on the command line. Any existing ACL + is erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. + + + + + + -C|--chown name + The owner of a file or directory can be changed + to the name given using the -C option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. + + This command is a shortcut for -M OWNER:name. + + + + + + + -G|--chgrp name + The group owner of a file or directory can + be changed to the name given using the -G + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + + + This command is a shortcut for -M GROUP:name. + + + + + + -I|--inherit allow|remove|copy + Set or unset the windows "Allow inheritable + permissions" check box using the -I + option. To set the check box pass allow. To unset the check + box pass either remove or copy. Remove will remove all + inherited ACEs. Copy will copy all the inherited ACEs. + + + + + + --propagate-inheritance + Add, modify, delete or set ACEs on an entire + directory tree according to the inheritance flags. Refer to the + INHERITANCE section for details. + + + + + --numeric + This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. + + + + -m|--max-protocol PROTOCOL_NAME + This allows the user to select the + highest SMB protocol level that smbcacls will use to + connect to the server. By default this is set to + NT1, which is the highest available SMB1 protocol. 
+ To connect using SMB2 or SMB3 protocol, use the + strings SMB2 or SMB3 respectively. Note that to connect + to a Windows 2012 server with encrypted transport selecting + a max-protocol of SMB3 is required. + + + + + -t|--test-args + + Don't actually do anything, only validate the correctness of + the arguments. + + + + + --query-security-info FLAGS + The security-info flags for queries. + + + + + --set-security-info FLAGS + The security-info flags for queries. + + + + + --sddl + Output and input acls in sddl format. + + + + + --domain-sid SID + SID used for sddl processing. + + + + + -x|--maximum-access + When displaying an ACL additionally query + the server for effective maximum permissions. Note that this + is only supported with SMB protocol version 2 or higher. + + + + &popt.autohelp; + &cmdline.common.samba.client; + &cmdline.common.connection; + &cmdline.common.credentials; + + + + + + ACL FORMAT + + The format of an ACL is one or more entries separated by + either commas or newlines. An ACL entry is one of the following: + + +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> + + + Control bits related to automatic inheritance + + + + OD - "Owner Defaulted" - Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. + GD - "Group Defaulted" - Indicates that the SID of the security descriptor group was provided by a default mechanism. + DP - "DACL Present" - Indicates a security descriptor that has a discretionary access control list (DACL). + DD - "DACL Defaulted" - Indicates a security descriptor with a default DACL. + SP - "SACL Present" - Indicates a security descriptor that has a system access control list (SACL). + SD - "SACL Defaulted" - A default mechanism, rather than the original provider of the security descriptor, provided the SACL. 
+ DT - "DACL Trusted" + SS - "Server Security" + DR - "DACL Inheritance Required" - Indicates a required security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. + SR - "SACL Inheritance Required" - Indicates a required security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. + DI - "DACL Auto Inherited" - Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. + SI - "SACL Auto Inherited" - Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. + PD - "DACL Protected" - Prevents the DACL of the security descriptor from being modified by inheritable ACEs. + PS - "SACL Protected" - Prevents the SACL of the security descriptor from being modified by inheritable ACEs. + RM - "RM Control Valid" - Indicates that the resource manager control is valid. + SR - "Self Relative" - Indicates a self-relative security descriptor. + + + The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. + + The owner and group specify the owner and group sids for the + object. If a SID in the format S-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. + + ACEs are specified with an "ACL:" prefix, and define permissions + granted to an SID. The SID again can be specified in S-1-x-y-z format + or as a name in which case it is resolved against the server on which + the file or directory resides. The type, flags and mask values + determine the type of access granted to the SID. 
+ + The type can be either ALLOWED or DENIED to allow/deny access + to the SID. + + The flags field defines how the ACE should be considered when + performing inheritance. smbcacls uses these flags + when run with --propagate-inheritance. + + Flags can be specified as decimal or hexadecimal values, or with + the respective (XX) aliases, separated by a vertical bar "|". + + + (OI) Object Inherit 0x1 + (CI) Container Inherit 0x2 + (NP) No Propagate Inherit 0x4 + (IO) Inherit Only 0x8 + (I) ACE was inherited 0x10 + + + + The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. + + + R - Allow read access + W - Allow write access + X - Execute permission on the object + D - Delete the object + P - Change permissions + O - Take ownership + + + + The following combined permissions can be specified: + + + + READ - Equivalent to 'RX' + permissions + CHANGE - Equivalent to 'RXWD' permissions + + FULL - Equivalent to 'RWXDPO' + permissions + + + + + INHERITANCE + + Per-ACE inheritance flags can be set in the ACE flags field. By + default, inheritable ACEs e.g. those marked for object inheritance (OI) + or container inheritance (CI), are not propagated to sub-files or + folders. However, with the + --propagate-inheritance argument specified, such + ACEs are automatically propagated according to some inheritance + rules. + + Inheritable (OI)(OI) ACE flags can only be + applied to folders. + Any inheritable ACEs applied to sub-files or + folders are marked with the inherited (I) flag. Inheritable + ACE(s) are applied to folders unless the no propagation (NP) + flag is set. + + When an ACE with the (OI) flag alone set is + propagated to a child folder the inheritance only flag (IO) is + also applied. 
This indicates the permissions associated with + the ACE don't apply to the folder itself (only to it's + child files). When applying the ACE to a child file the ACE is + inherited as normal. + When an ace with the (CI) flag alone set is + propagated to a child file there is no effect, when propagated + to a child folder it is inherited as normal. + + When an ACE that has both (OI) & (CI) flags + set the ACE is inherited as normal by both folders and + files. + +(OI)(READ) added to parent folder + ++-parent/ (OI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(IO)(I)(READ) + | +-file.2 (I)(READ) + +(CI)(READ) added to parent folder + ++-parent/ (CI)(READ) +| +-file.1 +| +-nested/ (CI)(I)(READ) + | +-file.2 + +(OI)(CI)(READ) added to parent folder + ++-parent/ (OI)(CI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(CI)(I)(READ) + | +-file.2 (I)(READ) + +(OI)(NP)(READ) added to parent folder + ++-oi_dir/ (OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ +| +-file.2 + +(CI)(NP)(READ) added to parent folder + ++-oi_dir/ (CI)(NP)(READ) +| +-file.1 +| +-nested/ (I)(READ) +| +-file.2 + +(OI)(CI)(NP)(READ) added to parent folder + ++-parent/ (CI)(OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ (I)(READ) +| +-file.2 + + Files and folders with protected ACLs do not allow inheritable + permissions (set with -I). Such objects will + not receive ACEs flagged for inheritance with (CI) or (OI). + + + + + EXIT STATUS + + The smbcacls program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. + + If the operation succeeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. + + + + VERSION + + This man page is part of version &doc.version; of the Samba suite. 
+ + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + smbcacls was written by Andrew Tridgell + and Tim Potter. + + The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done + by Alexander Bokovoy. + + + -- cgit v1.2.3
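Review bot: The --set-security-info entry in OPTIONS repeats the --query-security-info description word for word ("The security-info flags for queries."), so the page never says what these flags do when setting a descriptor; reword it to describe the set operation. In the ACL FORMAT control-bit list the alias SR is given twice, once for "SACL Inheritance Required" and once for "Self Relative", so a reader cannot tell which bit SR refers to; one of the two entries needs a distinct alias or a clarifying note. In INHERITANCE, "Inheritable (OI)(OI) ACE flags" repeats the same flag and probably means (OI)(CI). Smaller wording fixes in the same file: "comprised zero or more", "specified n the first argument", "only to it's child files", and "returns and exit status of 0".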