Diffstat (limited to 'docs/htmldocs/Samba3-HOWTO/AccessControls.html')
-rw-r--r-- | docs/htmldocs/Samba3-HOWTO/AccessControls.html | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/docs/htmldocs/Samba3-HOWTO/AccessControls.html b/docs/htmldocs/Samba3-HOWTO/AccessControls.html index da33a6eceb..04bc883e8d 100644 --- a/docs/htmldocs/Samba3-HOWTO/AccessControls.html +++ b/docs/htmldocs/Samba3-HOWTO/AccessControls.html 
@@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 16. File, Directory, and Share Access Controls"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. 
File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">“<span class="quote">create mask</span>”</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id382825">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 16. File, Directory, and Share Access Controls"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. 
File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">“<span class="quote">create mask</span>”</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id382826">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p> <a class="indexterm" name="id378368"></a> <a class="indexterm" name="id378374"></a> <a class="indexterm" name="id378381"></a> @@ -311,8 +311,8 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 <a class="indexterm" name="id379620"></a> The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory - or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutible</code> bit. - Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the + or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutable</code> bit. + Unfortunately, the implementation of the immutable flag is NOT consistent with published documentation. For example, the man page for the <code class="literal">chattr</code> on SUSE Linux 9.2 says: </p><pre class="screen"> A file with the i attribute cannot be modified: it cannot be deleted 
@@ -320,7 +320,7 @@ or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. </pre><p> - A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host + A simple test can be done to check if the immutable flag is supported on files in the file system of the Samba host server. </p><div class="procedure" title="Procedure 16.1. Test for File Immutibility Support"><a name="id379651"></a><p class="title"><b>Procedure 16.1. Test for File Immutibility Support</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> Create a file called <code class="filename">filename</code>. @@ -334,9 +334,9 @@ CAP_LINUX_IMMUTABLE capability can set or clear this attribute. </p><pre class="screen"> mystic:/home/hannibal > rm filename </pre><p> - It will not be possible to delete the file if the immutible flag is correctly honored. + It will not be possible to delete the file if the immutable flag is correctly honored. </p></li></ol></div><p> - On operating systems and file system types that support the immutible bit, it is possible to create directories + On operating systems and file system types that support the immutable bit, it is possible to create directories that cannot be deleted. Check the man page on your particular host system to determine whether or not immutable directories are writable. If they are not, then the entire directory and its contents will effectively be protected from writing (file creation also) and deletion. 
@@ -465,12 +465,12 @@ mystic:/home/hannibal > rm filename <a class="indexterm" name="id380779"></a> <a class="indexterm" name="id380786"></a> At this time Samba does not provide a tool for configuring access control settings on the share - itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x + itself. The only way to create those settings is to use either the NT4 Server Manager or the Windows 200x Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide this capability in the Samba command-line tool set. </p><p> <a class="indexterm" name="id380799"></a> -<a class="indexterm" name="id380805"></a> +<a class="indexterm" name="id380806"></a> <a class="indexterm" name="id380812"></a> <a class="indexterm" name="id380819"></a> Samba stores the per-share access control settings in a file called <code class="filename">share_info.tdb</code>. @@ -482,7 +482,7 @@ mystic:/home/hannibal > rm filename The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. </p><div class="sect3" title="Windows NT4 Workstation/Server"><div class="titlepage"><div><div><h4 class="title"><a name="id380864"></a>Windows NT4 Workstation/Server</h4></div></div></div><p> <a class="indexterm" name="id380872"></a> -<a class="indexterm" name="id380878"></a> +<a class="indexterm" name="id380879"></a> <a class="indexterm" name="id380885"></a> <a class="indexterm" name="id380892"></a> The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server 
@@ -507,7 +507,7 @@ mystic:/home/hannibal > rm filename Windows NT4/200x permissions allow the group "Everyone" full control on the share. </p><p> <a class="indexterm" name="id381021"></a> -<a class="indexterm" name="id381027"></a> +<a class="indexterm" name="id381028"></a> <a class="indexterm" name="id381034"></a> MS Windows 200x and later versions come with a tool called the <span class="application">Computer Management</span> snap-in for the MMC. This tool can be accessed via <span class="guimenu">Control Panel -> @@ -523,7 +523,7 @@ mystic:/home/hannibal > rm filename <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the left panel. </p></li><li class="step" title="Step 3"><p> -<a class="indexterm" name="id381131"></a> +<a class="indexterm" name="id381132"></a> In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you @@ -574,7 +574,7 @@ mystic:/home/hannibal > rm filename If the parameter <a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> is set to <code class="constant">false</code>, the file owner will be shown as the NT user <span class="emphasis"><em>Everyone</em></span>. </p><p> -<a class="indexterm" name="id381354"></a> +<a class="indexterm" name="id381355"></a> The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged 
@@ -583,7 +583,7 @@ mystic:/home/hannibal > rm filename not work with Samba at this time. </p><p> <a class="indexterm" name="id381379"></a> -<a class="indexterm" name="id381385"></a> +<a class="indexterm" name="id381386"></a> <a class="indexterm" name="id381392"></a> There is an NT <code class="literal">chown</code> command that will work with Samba and allow a user with administrator privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system 
@@ -719,7 +719,7 @@ mystic:/home/hannibal > rm filename does not force any particular bits to be set <span class="emphasis"><em>on</em></span>, then set the following parameters in the <code class="filename">smb.conf</code> file in that share-specific section: - </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382036"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382047"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id382058"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382070"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" title="Interaction with the Standard Samba File Attribute Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id382083"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382036"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382047"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id382059"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382070"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" title="Interaction with the Standard Samba File Attribute Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id382083"></a>Interaction with the Standard Samba File Attribute 
Mapping</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Samba maps some of the DOS attribute bits (such as <span class="quote">“<span class="quote">read-only</span>”</span>) into the UNIX permissions of a file. This means there can be a conflict between the permission bits set via the security 
@@ -888,7 +888,7 @@ drwxrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar If the user that must have write permission in the directory is not a member of the group <span class="emphasis"><em>engr</em></span> set in the <code class="filename">smb.conf</code> entry for the share: </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382810"></a><em class="parameter"><code>force group = engr</code></em></td></tr></table><p> - </p></li></ol></div></div><div class="sect2" title="File Operations Done as root with force user Set"><div class="titlepage"><div><div><h3 class="title"><a name="id382825"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p> + </p></li></ol></div></div><div class="sect2" title="File Operations Done as root with force user Set"><div class="titlepage"><div><div><h3 class="title"><a name="id382826"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p> When you have a user in <a class="link" href="smb.conf.5.html#ADMINUSERS" target="_top">admin users</a>, Samba will always do file operations for this user as <span class="emphasis"><em>root</em></span>, even if <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> has been set. </p></div><div class="sect2" title="MS Word with Samba Changes Owner of File"><div class="titlepage"><div><div><h3 class="title"><a name="id382869"></a>MS Word with Samba Changes Owner of File</h3></div></div></div><p> |
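Review bot: the spelling correction is incomplete in the @@ -320,7 hunk, where the unchanged context line still reads "Procedure 16.1. Test for File Immutibility Support" in both the procedure's title attribute and its bold title. After this change the page says "immutable" in the body text and "Immutibility" in the procedure heading, so correct the heading to "Test for File Immutability Support" in the same commit.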
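Review bot: most of the changed lines from the @@ -465,12 hunk onward only renumber anchors (id380805 to id380806, id381131 to id381132, id382058 to id382059, and id382825 to id382826 on the "File Operations Done as root with force user Set" heading), which buries the real text fixes in noise. The table of contents entry in the first hunk is updated to match id382826, but any link from outside this file to #id382825 will stop resolving. The generator meta tag shows this HTML is DocBook XSL output, so make the wording fixes in the DocBook source and give the sections stable ids there; otherwise the next regeneration can revert the spelling and shift the anchors again.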