diff options
Diffstat (limited to 'docs-xml/manpages/smbcacls.1.xml')
| -rw-r--r-- | docs-xml/manpages/smbcacls.1.xml | 482 |
1 files changed, 482 insertions, 0 deletions
diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml new file mode 100644 index 0000000..8cd63fc --- /dev/null +++ b/docs-xml/manpages/smbcacls.1.xml @@ -0,0 +1,482 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<refentry id="smbcacls.1"> + +<refmeta> + <refentrytitle>smbcacls</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">User Commands</refmiscinfo> + <refmiscinfo class="version">&doc.version;</refmiscinfo> +</refmeta> + + +<refnamediv> + <refname>smbcacls</refname> + <refpurpose>Set or get ACLs on an NT file or directory names</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>smbcacls</command> + <arg choice="req">//server/share</arg> + <arg choice="req">/filename</arg> + + <arg choice="opt">-D|--delete=ACL</arg> + <arg choice="opt">-M|--modify=ACL</arg> + <arg choice="opt">-a|--add=ACL</arg> + <arg choice="opt">-S|--set=ACLS</arg> + <arg choice="opt">-C|--chown=USERNAME</arg> + <arg choice="opt">-G|--chgrp=GROUPNAME</arg> + <arg choice="opt">-I|--inherit=STRING</arg> + <arg choice="opt">--recurse</arg> + <arg choice="opt">--propagate-inheritance</arg> + <arg choice="opt">--save=savefile</arg> + <arg choice="opt">--restore=restorefile</arg> + <arg choice="opt">--numeric</arg> + <arg choice="opt">--sddl</arg> + <arg choice="opt">--query-security-info=INT</arg> + <arg choice="opt">--set-security-info=INT</arg> + <arg choice="opt">-t|--test-args</arg> + <arg choice="opt">--domain-sid=SID</arg> + <arg choice="opt">-x|--maximum-access</arg> + <arg choice="opt">-?|--help</arg> + <arg choice="opt">--usage</arg> + <arg choice="opt">-d|--debuglevel=DEBUGLEVEL</arg> + <arg choice="opt">--debug-stdout</arg> + <arg choice="opt">--configfile=CONFIGFILE</arg> + <arg choice="opt">--option=name=value</arg> + <arg choice="opt">-l|--log-basename=LOGFILEBASE</arg> + <arg choice="opt">--leak-report</arg> + <arg choice="opt">--leak-report-full</arg> + <arg choice="opt">-R|--name-resolve=NAME-RESOLVE-ORDER</arg> + <arg choice="opt">-O|--socket-options=SOCKETOPTIONS</arg> + <arg choice="opt">-m|--max-protocol=MAXPROTOCOL</arg> + <arg choice="opt">-n|--netbiosname=NETBIOSNAME</arg> + <arg choice="opt">--netbios-scope=SCOPE</arg> + <arg choice="opt">-W|--workgroup=WORKGROUP</arg> + <arg choice="opt">--realm=REALM</arg> + <arg choice="opt">-U|--user=[DOMAIN/]USERNAME[%PASSWORD]</arg> + <arg choice="opt">-N|--no-pass</arg> + <arg choice="opt">--password=STRING</arg> + <arg choice="opt">--pw-nt-hash</arg> + <arg choice="opt">-A|--authentication-file=FILE</arg> + <arg choice="opt">-P|--machine-pass</arg> + <arg choice="opt">--simple-bind-dn=DN</arg> + <arg choice="opt">--use-kerberos=desired|required|off</arg> + <arg choice="opt">--use-krb5-ccache=CCACHE</arg> + <arg choice="opt">--use-winbind-ccache</arg> + <arg choice="opt">--client-protection=sign|encrypt|off</arg> + <arg choice="opt">-V|--version</arg> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> suite.</para> + + <para>The <command>smbcacls</command> program manipulates NT Access Control + Lists (ACLs) on SMB file shares. An ACL comprises zero or more Access + Control Entries (ACEs), which define access restrictions for a specific + user or group.</para> +</refsect1> + + +<refsect1> + <title>OPTIONS</title> + + <para>The following options are available to the <command>smbcacls</command> program. + The format of ACLs is described in the section ACL FORMAT </para> + + + <variablelist> + <varlistentry> + <term>-a|--add acl</term> + <listitem><para>Add the entries specified to the ACL. Existing + access control entries are unchanged.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-M|--modify acl</term> + <listitem><para>Modify the mask value (permissions) for the ACEs + specified on the command line. An error will be printed for each + ACE specified that was not already present in the object's ACL. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-D|--delete acl</term> + <listitem><para>Delete any ACEs specified on the command line. + An error will be printed for each ACE specified that was not + already present in the object's ACL. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-S|--set acl</term> + <listitem><para>This command sets the ACL on the object with + only what is specified on the command line. Any existing ACL + is erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-C|--chown name</term> + <listitem><para>The owner of a file or directory can be changed + to the name given using the <parameter>-C</parameter> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </para> + + <para>This command is a shortcut for -M OWNER:name. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-G|--chgrp name</term> + <listitem><para>The group owner of a file or directory can + be changed to the name given using the <parameter>-G</parameter> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </para> + + <para>This command is a shortcut for -M GROUP:name.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-I|--inherit allow|remove|copy</term> + <listitem><para>Set or unset the windows "Allow inheritable + permissions" check box using the <parameter>-I</parameter> + option. To set the check box pass allow. To unset the check + box pass either remove or copy. Remove will remove all + inherited ACEs. Copy will copy all the inherited ACEs. + </para></listitem> + + </varlistentry> + + <varlistentry> + <term>--propagate-inheritance</term> + <listitem><para>Add, modify, delete or set ACEs on an entire + directory tree according to the inheritance flags. Refer to the + INHERITANCE section for details. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--save savefile</term> + <listitem><para> stores the DACLs in sddl format + of the specified file or folder for later use with restore. + SACLS, owner or integrity labels are not stored. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--restore savefile</term> + <listitem><para> applies the stored DACLS to files in + directory. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--recurse</term> + <listitem><para> indicates the operation is performed on + directory and all files/directories below. (only applies + to save option) + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--numeric</term> + <listitem><para>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </para></listitem> + </varlistentry> + + <varlistentry> + <term>-m|--max-protocol PROTOCOL_NAME</term> + <listitem><para>This allows the user to select the + highest SMB protocol level that smbcacls will use to + connect to the server. By default this is set to + NT1, which is the highest available SMB1 protocol. + To connect using SMB2 or SMB3 protocol, use the + strings SMB2 or SMB3 respectively. Note that to connect + to a Windows 2012 server with encrypted transport selecting + a max-protocol of SMB3 is required. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>-t|--test-args</term> + <listitem><para> + Don't actually do anything, only validate the correctness of + the arguments. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--query-security-info FLAGS</term> + <listitem><para>The security-info flags for queries. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--set-security-info FLAGS</term> + <listitem><para>The security-info flags for queries. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--sddl</term> + <listitem><para>Output and input acls in sddl format. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--domain-sid SID</term> + <listitem><para>SID used for sddl processing. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>-x|--maximum-access</term> + <listitem><para>When displaying an ACL additionally query + the server for effective maximum permissions. Note that this + is only supported with SMB protocol version 2 or higher. + </para></listitem> + </varlistentry> + + &popt.autohelp; + &cmdline.common.samba.client; + &cmdline.common.connection; + &cmdline.common.credentials; + </variablelist> +</refsect1> + + +<refsect1> + <title>ACL FORMAT</title> + + <para>The format of an ACL is one or more entries separated by + either commas or newlines. An ACL entry is one of the following: </para> + +<para><programlisting> +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> +</programlisting></para> + + <para>Control bits related to automatic inheritance</para> + + + <itemizedlist> + <listitem><para><emphasis>OD</emphasis> - "Owner Defaulted" - Indicates that the SID of the owner of the security descriptor was provided by a default mechanism.</para></listitem> + <listitem><para><emphasis>GD</emphasis> - "Group Defaulted" - Indicates that the SID of the security descriptor group was provided by a default mechanism.</para></listitem> + <listitem><para><emphasis>DP</emphasis> - "DACL Present" - Indicates a security descriptor that has a discretionary access control list (DACL).</para></listitem> + <listitem><para><emphasis>DD</emphasis> - "DACL Defaulted" - Indicates a security descriptor with a default DACL.</para></listitem> + <listitem><para><emphasis>SP</emphasis> - "SACL Present" - Indicates a security descriptor that has a system access control list (SACL).</para></listitem> + <listitem><para><emphasis>SD</emphasis> - "SACL Defaulted" - A default mechanism, rather than the original provider of the security descriptor, provided the SACL.</para></listitem> + <listitem><para><emphasis>DT</emphasis> - "DACL Trusted"</para></listitem> + <listitem><para><emphasis>SS</emphasis> - "Server Security"</para></listitem> + <listitem><para><emphasis>DR</emphasis> - "DACL Inheritance Required" - Indicates a required security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.</para></listitem> + <listitem><para><emphasis>SR</emphasis> - "SACL Inheritance Required" - Indicates a required security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.</para></listitem> + <listitem><para><emphasis>DI</emphasis> - "DACL Auto Inherited" - Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.</para></listitem> + <listitem><para><emphasis>SI</emphasis> - "SACL Auto Inherited" - Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.</para></listitem> + <listitem><para><emphasis>PD</emphasis> - "DACL Protected" - Prevents the DACL of the security descriptor from being modified by inheritable ACEs.</para></listitem> + <listitem><para><emphasis>PS</emphasis> - "SACL Protected" - Prevents the SACL of the security descriptor from being modified by inheritable ACEs.</para></listitem> + <listitem><para><emphasis>RM</emphasis> - "RM Control Valid" - Indicates that the resource manager control is valid.</para></listitem> + <listitem><para><emphasis>SR</emphasis> - "Self Relative" - Indicates a self-relative security descriptor.</para></listitem> + </itemizedlist> + + <para>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </para> + + <para>The owner and group specify the owner and group sids for the + object. If a SID in the format S-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </para> + + <para>ACEs are specified with an "ACL:" prefix, and define permissions + granted to an SID. The SID again can be specified in S-1-x-y-z format + or as a name in which case it is resolved against the server on which + the file or directory resides. The type, flags and mask values + determine the type of access granted to the SID. </para> + + <para>The type can be either ALLOWED or DENIED to allow/deny access + to the SID.</para> + + <para>The flags field defines how the ACE should be considered when + performing inheritance. <command>smbcacls</command> uses these flags + when run with <parameter>--propagate-inheritance</parameter>.</para> + + <para>Flags can be specified as decimal or hexadecimal values, or with + the respective (XX) aliases, separated by a vertical bar "|".</para> + + <itemizedlist> + <listitem><para><emphasis>(OI)</emphasis> Object Inherit 0x1</para></listitem> + <listitem><para><emphasis>(CI)</emphasis> Container Inherit 0x2</para></listitem> + <listitem><para><emphasis>(NP)</emphasis> No Propagate Inherit 0x4</para></listitem> + <listitem><para><emphasis>(IO)</emphasis> Inherit Only 0x8</para></listitem> + <listitem><para><emphasis>(I)</emphasis> ACE was inherited 0x10</para></listitem> + </itemizedlist> + + + <para>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </para> + + <itemizedlist> + <listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem> + <listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem> + <listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem> + <listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem> + <listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem> + <listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem> + </itemizedlist> + + + <para>The following combined permissions can be specified:</para> + + + <itemizedlist> + <listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX' + permissions</para></listitem> + <listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions + </para></listitem> + <listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO' + permissions</para></listitem> + </itemizedlist> + </refsect1> + +<refsect1> + <title>INHERITANCE</title> + + <para>Per-ACE inheritance flags can be set in the ACE flags field. By + default, inheritable ACEs e.g. those marked for object inheritance (OI) + or container inheritance (CI), are not propagated to sub-files or + folders. However, with the + <parameter>--propagate-inheritance</parameter> argument specified, such + ACEs are automatically propagated according to some inheritance + rules. + <itemizedlist> + <listitem><para>Inheritable (OI)(OI) ACE flags can only be + applied to folders. </para></listitem> + <listitem><para>Any inheritable ACEs applied to sub-files or + folders are marked with the inherited (I) flag. Inheritable + ACE(s) are applied to folders unless the no propagation (NP) + flag is set. </para> + </listitem> + <listitem><para>When an ACE with the (OI) flag alone set is + propagated to a child folder the inheritance only flag (IO) is + also applied. This indicates the permissions associated with + the ACE don't apply to the folder itself (only to it's + child files). When applying the ACE to a child file the ACE is + inherited as normal.</para></listitem> + <listitem><para>When an ace with the (CI) flag alone set is + propagated to a child file there is no effect, when propagated + to a child folder it is inherited as normal. + </para></listitem> + <listitem><para>When an ACE that has both (OI) & (CI) flags + set the ACE is inherited as normal by both folders and + files.</para></listitem> + </itemizedlist></para> +<para>(OI)(READ) added to parent folder</para> +<para><programlisting> ++-parent/ (OI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(IO)(I)(READ) + | +-file.2 (I)(READ) +</programlisting></para> +<para>(CI)(READ) added to parent folder</para> +<para><programlisting> ++-parent/ (CI)(READ) +| +-file.1 +| +-nested/ (CI)(I)(READ) + | +-file.2 +</programlisting></para> +<para>(OI)(CI)(READ) added to parent folder</para> +<para><programlisting> ++-parent/ (OI)(CI)(READ) +| +-file.1 (I)(READ) +| +-nested/ (OI)(CI)(I)(READ) + | +-file.2 (I)(READ) +</programlisting></para> +<para>(OI)(NP)(READ) added to parent folder</para> +<para><programlisting> ++-oi_dir/ (OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ +| +-file.2 +</programlisting></para> +<para>(CI)(NP)(READ) added to parent folder</para> +<para><programlisting> ++-oi_dir/ (CI)(NP)(READ) +| +-file.1 +| +-nested/ (I)(READ) +| +-file.2 +</programlisting></para> +<para>(OI)(CI)(NP)(READ) added to parent folder</para> +<para><programlisting> ++-parent/ (CI)(OI)(NP)(READ) +| +-file.1 (I)(READ) +| +-nested/ (I)(READ) +| +-file.2 +</programlisting></para> + <para>Files and folders with protected ACLs do not allow inheritable + permissions (set with <parameter>-I</parameter>). Such objects will + not receive ACEs flagged for inheritance with (CI) or (OI).</para> + +</refsect1> + +<refsect1> + <title>EXIT STATUS</title> + + <para>The <command>smbcacls</command> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </para> + + <para>If the operation succeeded, smbcacls returns and exit + status of 0. If <command>smbcacls</command> couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is part of version &doc.version; of the Samba suite.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para><command>smbcacls</command> was written by Andrew Tridgell + and Tim Potter.</para> + + <para>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done + by Alexander Bokovoy.</para> +</refsect1> + +</refentry> |