source: branches/samba-3.2.x/docs/manpages/smbcacls.1@ 516

Last change on this file since 516 was 340, checked in by Herwig Bauernfeind, 16 years ago

Update 3.2 to 3.2.15 (security update)

1.\" Title: smbcacls
2.\" Author: [see the "AUTHOR" section]
3.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4.\" Date: 09/30/2009
5.\" Manual: User Commands
6.\" Source: Samba 3.2
7.\" Language: English
8.\"
9.TH "SMBCACLS" "1" "09/30/2009" "Samba 3\&.2" "User Commands"
10.\" -----------------------------------------------------------------
11.\" * (re)Define some macros
12.\" -----------------------------------------------------------------
13.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14.\" toupper - uppercase a string (locale-aware)
15.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16.de toupper
17.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
18\\$*
19.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
20..
21.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22.\" SH-xref - format a cross-reference to an SH section
23.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
24.de SH-xref
25.ie n \{\
26.\}
27.toupper \\$*
28.el \{\
29\\$*
30.\}
31..
32.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33.\" SH - level-one heading that works better for non-TTY output
34.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
35.de1 SH
36.\" put an extra blank line of space above the head in non-TTY output
37.if t \{\
38.sp 1
39.\}
40.sp \\n[PD]u
41.nr an-level 1
42.set-an-margin
43.nr an-prevailing-indent \\n[IN]
44.fi
45.in \\n[an-margin]u
46.ti 0
47.HTML-TAG ".NH \\n[an-level]"
48.it 1 an-trap
49.nr an-no-space-flag 1
50.nr an-break-flag 1
51\." make the size of the head bigger
52.ps +3
53.ft B
54.ne (2v + 1u)
55.ie n \{\
56.\" if n (TTY output), use uppercase
57.toupper \\$*
58.\}
59.el \{\
60.nr an-break-flag 0
61.\" if not n (not TTY), use normal case (not uppercase)
62\\$1
63.in \\n[an-margin]u
64.ti 0
65.\" if not n (not TTY), put a border/line under subheading
66.sp -.6
67\l'\n(.lu'
68.\}
69..
70.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71.\" SS - level-two heading that works better for non-TTY output
72.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73.de1 SS
74.sp \\n[PD]u
75.nr an-level 1
76.set-an-margin
77.nr an-prevailing-indent \\n[IN]
78.fi
79.in \\n[IN]u
80.ti \\n[SN]u
81.it 1 an-trap
82.nr an-no-space-flag 1
83.nr an-break-flag 1
84.ps \\n[PS-SS]u
85\." make the size of the head bigger
86.ps +2
87.ft B
88.ne (2v + 1u)
89.if \\n[.$] \&\\$*
90..
91.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92.\" BB/BE - put background/screen (filled box) around block of text
93.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
94.de BB
95.if t \{\
96.sp -.5
97.br
98.in +2n
99.ll -2n
100.gcolor red
101.di BX
102.\}
103..
104.de EB
105.if t \{\
106.if "\\$2"adjust-for-leading-newline" \{\
107.sp -1
108.\}
109.br
110.di
111.in
112.ll
113.gcolor
114.nr BW \\n(.lu-\\n(.i
115.nr BH \\n(dn+.5v
116.ne \\n(BHu+.5v
117.ie "\\$2"adjust-for-leading-newline" \{\
118\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
119.\}
120.el \{\
121\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
122.\}
123.in 0
124.sp -.5v
125.nf
126.BX
127.in
128.sp .5v
129.fi
130.\}
131..
132.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133.\" BM/EM - put colored marker in margin next to block of text
134.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135.de BM
136.if t \{\
137.br
138.ll -2n
139.gcolor red
140.di BX
141.\}
142..
143.de EM
144.if t \{\
145.br
146.di
147.ll
148.gcolor
149.nr BH \\n(dn
150.ne \\n(BHu
151\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
152.in 0
153.nf
154.BX
155.in
156.fi
157.\}
158..
159.\" -----------------------------------------------------------------
160.\" * set default formatting
161.\" -----------------------------------------------------------------
162.\" disable hyphenation
163.nh
164.\" disable justification (adjust text to left margin only)
165.ad l
166.\" -----------------------------------------------------------------
167.\" * MAIN CONTENT STARTS HERE *
168.\" -----------------------------------------------------------------
169.SH "Name"
170smbcacls \- Set or get ACLs on an NT file or directory name
171.SH "Synopsis"
172.fam C
173.HP \w'\ 'u
174\FCsmbcacls\F[] {//server/share} {filename} [\-D\ acls] [\-M\ acls] [\-a\ acls] [\-S\ acls] [\-C\ name] [\-G\ name] [\-\-numeric] [\-t] [\-U\ username] [\-h] [\-d]
175.fam
176.SH "DESCRIPTION"
177.PP
178This tool is part of the
179\fBsamba\fR(7)
180suite\&.
181.PP
182The
183\FCsmbcacls\F[]
184program manipulates NT Access Control Lists (ACLs) on SMB file shares\&.
185.SH "OPTIONS"
186.PP
187The following options are available to the
188\FCsmbcacls\F[]
189program\&. The format of ACLs is described in the section ACL FORMAT\&.
190.PP
191\-a acls
192.RS 4
193Add the ACLs specified to the ACL list\&. Existing access control entries are unchanged\&.
194.RE
195.PP
196\-M acls
197.RS 4
198Modify the mask value (permissions) for the ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list\&.
199.RE
200.PP
201\-D acls
202.RS 4
203Delete any ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list\&.
204.RE
205.PP
206\-S acls
207.RS 4
208This command sets the ACLs on the file with only the ones specified on the command line\&. All other ACLs are erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
209.RE
210.PP
211\-U username
212.RS 4
213Specifies a username used to connect to the specified service\&. The username may be of the form "username" in which case the user is prompted to enter in a password and the workgroup specified in the
214\fBsmb.conf\fR(5)
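215file is used, or "username%password" or "DOMAIN\eusername%password" and the password and workgroup names are used as provided\&. A password supplied on the command line may be visible to other local users through the process list and may be recorded in shell history; giving only the username, so that the password is prompted for, avoids this\&.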
216.RE
217.PP
218\-C name
219.RS 4
220The owner of a file or directory can be changed to the name given using the
221\fI\-C\fR
222option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified in the first argument\&.
223.sp
224This command is a shortcut for \-M OWNER:name\&.
225.RE
226.PP
227\-G name
228.RS 4
229The group owner of a file or directory can be changed to the name given using the
230\fI\-G\fR
231option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified in the first argument\&.
232.sp
233This command is a shortcut for \-M GROUP:name\&.
234.RE
235.PP
236\-\-numeric
237.RS 4
238This option displays all ACL information in numeric format\&. The default is to convert SIDs to names and ACE types and masks to a readable string format\&.
239.RE
240.PP
241\-t
242.RS 4
243Don\'t actually do anything, only validate the correctness of the arguments\&.
244.RE
245.PP
246\-h|\-\-help
247.RS 4
248Print a summary of command line options\&.
249.RE
250.PP
251\-d|\-\-debuglevel=level
252.RS 4
253\fIlevel\fR
254is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
255.sp
256The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
257.sp
258Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
259.sp
260Note that specifying this parameter here will override the
261\m[blue]\fBlog level\fR\m[]
262parameter in the
263\FCsmb\&.conf\F[]
264file\&.
265.RE
266.PP
267\-V
268.RS 4
269Prints the program version number\&.
270.RE
271.PP
272\-s <configuration file>
273.RS 4
274The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
275\FCsmb\&.conf\F[]
276for more information\&. The default configuration file name is determined at compile time\&.
277.RE
278.PP
279\-l|\-\-log\-basename=logdirectory
280.RS 4
281Base directory name for log/debug files\&. The extension
282\fB"\&.progname"\fR
283will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
284.RE
285.SH "ACL FORMAT"
286.PP
287The format of an ACL is one or more ACL entries separated by either commas or newlines\&. An ACL entry is one of the following:
288.PP
289.if n \{\
290.RS 4
291.\}
292.fam C
293.ps -1
294.nf
295.BB lightgray
296
297REVISION:<revision number>
298OWNER:<sid or name>
299GROUP:<sid or name>
300ACL:<sid or name>:<type>/<flags>/<mask>
301.EB lightgray
302.fi
303.fam
304.ps +1
305.if n \{\
306.RE
307.\}
308.PP
309The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&.
310.PP
311The owner and group specify the owner and group sids for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
312.PP
313ACLs specify permissions granted to the SID\&. This SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
314.PP
315The type can be either ALLOWED or DENIED to allow/deny access to the SID\&. The flags values are generally zero for file ACLs and either 9 or 2 for directory ACLs\&. Some common flags are:
316.sp
317.RS 4
318.ie n \{\
319\h'-04'\(bu\h'+03'\c
320.\}
321.el \{\
322.sp -1
323.IP \(bu 2.3
324.\}
325\fB#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1\fR
326.RE
327.sp
328.RS 4
329.ie n \{\
330\h'-04'\(bu\h'+03'\c
331.\}
332.el \{\
333.sp -1
334.IP \(bu 2.3
335.\}
336\fB#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2\fR
337.RE
338.sp
339.RS 4
340.ie n \{\
341\h'-04'\(bu\h'+03'\c
342.\}
343.el \{\
344.sp -1
345.IP \(bu 2.3
346.\}
347\fB#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4\fR
348.RE
349.sp
350.RS 4
351.ie n \{\
352\h'-04'\(bu\h'+03'\c
353.\}
354.el \{\
355.sp -1
356.IP \(bu 2.3
357.\}
358\fB#define SEC_ACE_FLAG_INHERIT_ONLY 0x8\fR
359.sp
360.RE
361.PP
362At present flags can only be specified as decimal or hexadecimal values\&.
363.PP
364The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&.
365.sp
366.RS 4
367.ie n \{\
368\h'-04'\(bu\h'+03'\c
369.\}
370.el \{\
371.sp -1
372.IP \(bu 2.3
373.\}
374\fIR\fR
375\- Allow read access
376.RE
377.sp
378.RS 4
379.ie n \{\
380\h'-04'\(bu\h'+03'\c
381.\}
382.el \{\
383.sp -1
384.IP \(bu 2.3
385.\}
386\fIW\fR
387\- Allow write access
388.RE
389.sp
390.RS 4
391.ie n \{\
392\h'-04'\(bu\h'+03'\c
393.\}
394.el \{\
395.sp -1
396.IP \(bu 2.3
397.\}
398\fIX\fR
399\- Execute permission on the object
400.RE
401.sp
402.RS 4
403.ie n \{\
404\h'-04'\(bu\h'+03'\c
405.\}
406.el \{\
407.sp -1
408.IP \(bu 2.3
409.\}
410\fID\fR
411\- Delete the object
412.RE
413.sp
414.RS 4
415.ie n \{\
416\h'-04'\(bu\h'+03'\c
417.\}
418.el \{\
419.sp -1
420.IP \(bu 2.3
421.\}
422\fIP\fR
423\- Change permissions
424.RE
425.sp
426.RS 4
427.ie n \{\
428\h'-04'\(bu\h'+03'\c
429.\}
430.el \{\
431.sp -1
432.IP \(bu 2.3
433.\}
434\fIO\fR
435\- Take ownership
436.sp
437.RE
438.PP
439The following combined permissions can be specified:
440.sp
441.RS 4
442.ie n \{\
443\h'-04'\(bu\h'+03'\c
444.\}
445.el \{\
446.sp -1
447.IP \(bu 2.3
448.\}
449\fIREAD\fR
450\- Equivalent to \'RX\' permissions
451.RE
452.sp
453.RS 4
454.ie n \{\
455\h'-04'\(bu\h'+03'\c
456.\}
457.el \{\
458.sp -1
459.IP \(bu 2.3
460.\}
461\fICHANGE\fR
462\- Equivalent to \'RXWD\' permissions
463.RE
464.sp
465.RS 4
466.ie n \{\
467\h'-04'\(bu\h'+03'\c
468.\}
469.el \{\
470.sp -1
471.IP \(bu 2.3
472.\}
473\fIFULL\fR
474\- Equivalent to \'RWXDPO\' permissions
475.SH "EXIT STATUS"
476.PP
477The
478\FCsmbcacls\F[]
479program sets the exit status depending on the success or otherwise of the operations performed\&. The exit status may be one of the following values\&.
480.PP
481If the operation succeeded, smbcacls returns an exit status of 0\&. If
482\FCsmbcacls\F[]
483couldn\'t connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
484.SH "VERSION"
485.PP
486This man page is correct for version 3 of the Samba suite\&.
487.SH "AUTHOR"
488.PP
489The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
490.PP
491\FCsmbcacls\F[]
492was written by Andrew Tridgell and Tim Potter\&.
493.PP
494The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.