summaryrefslogtreecommitdiffstats
path: root/docs-xml/manpages/vfs_acl_xattr.8.xml
blob: 5a26359fa26b72a31a7d2026037f78aca1e37d04 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="vfs_acl_xattr.8">

<refmeta>
	<refentrytitle>vfs_acl_xattr</refentrytitle>
	<manvolnum>8</manvolnum>
	<refmiscinfo class="source">Samba</refmiscinfo>
	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
	<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>


<refnamediv>
	<refname>vfs_acl_xattr</refname>
	<refpurpose>Save NTFS-ACLs in Extended Attributes (EAs)</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>vfs objects = acl_xattr</command>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>

	<para>This VFS module is part of the
	<citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry> suite.</para>

	<para>The <command>vfs_acl_xattr</command> VFS module stores
	NTFS Access Control Lists (ACLs) in Extended Attributes (EAs).
	This enables the full mapping of Windows ACLs on Samba
	servers.
	</para>

	<para>The ACLs are stored in the Extended Attribute
	<parameter>security.NTACL</parameter> of a file or directory.
	This Attribute is <emphasis>not</emphasis> listed by
	<command>getfattr -d <filename>filename</filename></command>.
	To show the current value, the name of the EA must be specified
	(e.g. <command>getfattr -n security.NTACL <filename>filename</filename>
	</command>).
	</para>

	<para>
	This module forces the following parameters:
	<itemizedlist>
	<listitem><para>inherit acls = true</para></listitem>
	<listitem><para>dos filemode = true</para></listitem>
	<listitem><para>force unknown acl user = true</para></listitem>
	</itemizedlist>
	</para>

	<para>This module is stackable.</para>
</refsect1>

<refsect1>
	<title>OPTIONS</title>

	<variablelist>
		<!-- please keep in sync with the other acl vfs modules that provide the same options -->
		<varlistentry>
		<term>acl_xattr:security_acl_name = NAME</term>
		<listitem>
		<para>
                This option allows to redefine the default location for the
                NTACL extended attribute (xattr). If not set, NTACL xattrs are
                written to security.NTACL which is a protected location, which
                means the content of the security.NTACL attribute is not
                accessible from normal users outside of Samba. When this option
                is set to use a user-defined value, e.g. user.NTACL then any
                user can potentially access and overwrite this information. The
                module prevents access to this xattr over SMB, but the xattr may
                still be accessed by other means (eg local access, SSH, NFS). This option must only be used
                when this consequence is clearly understood and when specific precautions
                are taken to avoid compromising the ACL content.
		</para>
		</listitem>
		</varlistentry>

		<varlistentry>
		<term>acl_xattr:ignore system acls = [yes|no]</term>
		<listitem>
		<para>
		When set to <emphasis>yes</emphasis>, a best effort mapping
		from/to the POSIX ACL layer will <emphasis>not</emphasis> be
		done by this module. The default is <emphasis>no</emphasis>,
		which means that Samba keeps setting and evaluating both the
		system ACLs and the NT ACLs. This is better if you need your
		system ACLs be set for local or NFS file access, too. If you only
		access the data via Samba you might set this to yes to achieve
		better NT ACL compatibility.
		</para>

		<para>
		If <emphasis>acl_xattr:ignore system acls</emphasis>
		is set to <emphasis>yes</emphasis>, the following
		additional settings will be enforced:
		<itemizedlist>
		<listitem><para>create mask = 0666</para></listitem>
		<listitem><para>directory mask = 0777</para></listitem>
		<listitem><para>map archive = no</para></listitem>
		<listitem><para>map hidden = no</para></listitem>
		<listitem><para>map readonly = no</para></listitem>
		<listitem><para>map system = no</para></listitem>
		<listitem><para>store dos attributes = yes</para></listitem>
		</itemizedlist>
		</para>
		</listitem>
		</varlistentry>

		<varlistentry>
		<term>acl_xattr:default acl style = [posix|windows|everyone]</term>
		<listitem>
		<para>
		This parameter determines the type of ACL that is synthesized in
		case a file or directory lacks an
		<emphasis>security.NTACL</emphasis> xattr.
		</para>
		<para>
		When set to <emphasis>posix</emphasis>, an ACL will be
		synthesized based on the POSIX mode permissions for user, group
		and others, with an additional ACE for <emphasis>NT
		Authority\SYSTEM</emphasis> will full rights.
		</para>
		<para>
		When set to <emphasis>windows</emphasis>, an ACL is synthesized
		the same way Windows does it, only including permissions for the
		owner and <emphasis>NT Authority\SYSTEM</emphasis>.
		</para>
		<para>
		When set to <emphasis>everyone</emphasis>, an ACL is synthesized
		giving full permissions to everyone (S-1-1-0).
		</para>
		<para>
		The default for this option is <emphasis>posix</emphasis>.
		</para>
		</listitem>
		</varlistentry>
	</variablelist>

</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>
</refsect1>

</refentry>