source: trunk/server/docs/manpages/smbcacls.1@ 997

Last change on this file since 997 was 862, checked in by Silvan Scherrer, 11 years ago

Samba Server: update trunk to 3.6.23

File size: 11.6 KB
1'\" t
2.\" Title: smbcacls
3.\" Author: [see the "AUTHOR" section]
4.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
5.\" Date: 09/18/2013
6.\" Manual: User Commands
7.\" Source: Samba 3.6
8.\" Language: English
9.\"
10.TH "SMBCACLS" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
11.\" -----------------------------------------------------------------
12.\" * Define some portability stuff
13.\" -----------------------------------------------------------------
14.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
15.\" http://bugs.debian.org/507673
16.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
17.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
18.ie \n(.g .ds Aq \(aq
19.el .ds Aq '
20.\" -----------------------------------------------------------------
21.\" * set default formatting
22.\" -----------------------------------------------------------------
23.\" disable hyphenation
24.nh
25.\" disable justification (adjust text to left margin only)
26.ad l
27.\" -----------------------------------------------------------------
28.\" * MAIN CONTENT STARTS HERE *
29.\" -----------------------------------------------------------------
30.SH "NAME"
31smbcacls \- Set or get ACLs on an NT file or directory names
32.SH "SYNOPSIS"
33.HP \w'\ 'u
34smbcacls {//server/share} {/filename} [\-D|\-\-delete\ acls] [\-M|\-\-modify\ acls] [\-a|\-\-add\ acls] [\-S|\-\-set\ acls] [\-C|\-\-chown\ name] [\-G|\-\-chgrp\ name] [\-I\ allow|romove|copy] [\-\-numeric] [\-t] [\-U\ username] [\-h] [\-d]
35.SH "DESCRIPTION"
36.PP
37This tool is part of the
38\fBsamba\fR(7)
39suite\&.
40.PP
41The
42smbcacls
43program manipulates NT Access Control Lists (ACLs) on SMB file shares\&.
44.SH "OPTIONS"
45.PP
46The following options are available to the
47smbcacls
48program\&. The format of ACLs is described in the section ACL FORMAT
49.PP
50\-a|\-\-add acls
51.RS 4
52Add the ACLs specified to the ACL list\&. Existing access control entries are unchanged\&.
53.RE
54.PP
55\-M|\-\-modify acls
56.RS 4
57Modify the mask value (permissions) for the ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list
58.RE
59.PP
60\-D|\-\-delete acls
61.RS 4
62Delete any ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list\&.
63.RE
64.PP
65\-S|\-\-set acls
66.RS 4
67This command sets the ACLs on the file with only the ones specified on the command line\&. All other ACLs are erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
68.RE
69.PP
70\-C|\-\-chown name
71.RS 4
72The owner of a file or directory can be changed to the name given using the
73\fI\-C\fR
74option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified in the first argument\&.
75.sp
76This command is a shortcut for \-M OWNER:name\&.
77.RE
78.PP
79\-G|\-\-chgrp name
80.RS 4
81The group owner of a file or directory can be changed to the name given using the
82\fI\-G\fR
83option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified n the first argument\&.
84.sp
85This command is a shortcut for \-M GROUP:name\&.
86.RE
87.PP
88\-I|\-\-inherit allow|remove|copy
89.RS 4
90Set or unset the windows "Allow inheritable permissions" check box using the
91\fI\-I\fR
92option\&. To set the check box pass allow\&. To unset the check box pass either remove or copy\&. Remove will remove all inherited acls\&. Copy will copy all the inherited acls\&.
93.RE
94.PP
95\-\-numeric
96.RS 4
97This option displays all ACL information in numeric format\&. The default is to convert SIDs to names and ACE types and masks to a readable string format\&.
98.RE
99.PP
100\-t|\-\-test\-args
101.RS 4
102Don\*(Aqt actually do anything, only validate the correctness of the arguments\&.
103.RE
104.PP
105\-h|\-\-help
106.RS 4
107Print a summary of command line options\&.
108.RE
109.PP
110\-d|\-\-debuglevel=level
111.RS 4
112\fIlevel\fR
113is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
114.sp
115The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
116.sp
117Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
118.sp
119Note that specifying this parameter here will override the
120\m[blue]\fBlog level\fR\m[]
121parameter in the
122smb\&.conf
123file\&.
124.RE
125.PP
126\-V|\-\-version
127.RS 4
128Prints the program version number\&.
129.RE
130.PP
131\-s|\-\-configfile <configuration file>
132.RS 4
133The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
134smb\&.conf
135for more information\&. The default configuration file name is determined at compile time\&.
136.RE
137.PP
138\-l|\-\-log\-basename=logdirectory
139.RS 4
140Base directory name for log/debug files\&. The extension
141\fB"\&.progname"\fR
142will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
143.RE
144.PP
145\-N|\-\-no\-pass
146.RS 4
147If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
148.sp
149Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
150.sp
151If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
152.RE
153.PP
154\-k|\-\-kerberos
155.RS 4
156Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
157.RE
158.PP
159\-C|\-\-use\-ccache
160.RS 4
161Try to use the credentials cached by winbind\&.
162.RE
163.PP
164\-A|\-\-authentication\-file=filename
165.RS 4
166This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
167.sp
168.if n \{\
169.RS 4
170.\}
171.nf
172username = <value>
173password = <value>
174domain = <value>
175.fi
176.if n \{\
177.RE
178.\}
179.sp
180Make certain that the permissions on the file restrict access from unwanted users\&.
181.RE
182.PP
183\-U|\-\-user=username[%password]
184.RS 4
185Sets the SMB username or username and password\&.
186.sp
187If %password is not specified, the user will be prompted\&. The client will first check the
188\fBUSER\fR
189environment variable, then the
190\fBLOGNAME\fR
191variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
192\fBGUEST\fR
193is used\&.
194.sp
195A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
196\fI\-A\fR
197for more details\&.
198.sp
199Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
200ps
201command\&. To be safe always allow
202rpcclient
203to prompt for a password and type it in directly\&.
204.RE
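The credentials-file handling described under \-A and \-U, as an added Python example that is not part of Samba: it refuses a credentials file that group or others can reach, parses its username/password/domain lines, and builds an smbcacls argument list that passes \-A instead of a username%password pair, so the secret never shows up in ps output. The file names, the sample credentials and the share path are constructed for the demonstration; a POSIX file system is assumed.

```python
import os
import stat
import tempfile


def parse_credentials(text):
    """Parse the 'key = value' lines of a -A credentials file."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed credentials line: %r" % line)
        creds[key.strip().lower()] = value.strip()
    for required in ("username", "password"):  # domain is optional (assumption)
        if required not in creds:
            raise ValueError("credentials file lacks %s" % required)
    return creds


def load_credentials(path):
    """Refuse a credentials file that group or others can reach at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s has mode %04o; make it 0600" % (path, mode))
    with open(path) as fh:
        return parse_credentials(fh.read())


def smbcacls_argv(share, path, creds_file):
    """Build an argv that keeps the password out of ps output by using -A."""
    return ["smbcacls", share, path, "-A", creds_file]


def demo():
    """Constructed files: one with mode 0600 and one that is world-readable."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "creds"), os.path.join(d, "creds-world")
    for p, mode in ((good, 0o600), (bad, 0o644)):
        with open(p, "w") as fh:
            fh.write("username = alice\npassword = s3cret\ndomain = EXAMPLE\n")
        os.chmod(p, mode)
    accepted = load_credentials(good)
    try:
        load_credentials(bad)
        rejected = False
    except PermissionError:
        rejected = True
    return accepted["domain"], rejected, smbcacls_argv("//server/share", "/file", good)
```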
.SH "ACL FORMAT"
.PP
The format of an ACL is one or more ACL entries separated by either commas or newlines\&. An ACL entry is one of the following:
.PP
.if n \{\
.RS 4
.\}
.nf

REVISION:<revision number>
OWNER:<sid or name>
GROUP:<sid or name>
ACL:<sid or name>:<type>/<flags>/<mask>
.fi
.if n \{\
.RE
.\}
.PP
The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&.
.PP
The owner and group specify the owner and group sids for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
.PP
ACLs specify permissions granted to the SID\&. This SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
.PP
The type can be either ALLOWED or DENIED to allow/deny access to the SID\&. The flags values are generally zero for file ACLs and either 9 or 2 for directory ACLs\&. Some common flags are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB#define SEC_ACE_FLAG_INHERIT_ONLY 0x8\fR
.RE
.sp
.RE
.PP
At present flags can only be specified as decimal or hexadecimal values\&.
.PP
The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIR\fR
\- Allow read access
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIW\fR
\- Allow write access
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIX\fR
\- Execute permission on the object
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fID\fR
\- Delete the object
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIP\fR
\- Change permissions
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIO\fR
\- Take ownership
.RE
.sp
.RE
.PP
The following combined permissions can be specified:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIREAD\fR
\- Equivalent to \*(AqRX\*(Aq permissions
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fICHANGE\fR
\- Equivalent to \*(AqRXWD\*(Aq permissions
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIFULL\fR
\- Equivalent to \*(AqRWXDPO\*(Aq permissions
.RE
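A parser for the ACL text format described in this section, added here as an example and not part of Samba: it splits entries on commas or newlines, accepts decimal or hexadecimal flags and masks, expands READ/CHANGE/FULL to their letter sets, names the inheritance flag bits, and, when asked to check input for \-S, requires an owner, a group and at least one ACL entry (revision defaults to 1 as documented). Reading the man page's "type" requirement for \-S as "at least one ACL entry" is an assumption, and any SIDs or names fed to it are constructed samples.

```python
import re
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # the S-1-x-y-z form from the page
ACE_FLAGS = {0x1: "OBJECT_INHERIT", 0x2: "CONTAINER_INHERIT",
             0x4: "NO_PROPAGATE_INHERIT", 0x8: "INHERIT_ONLY"}
COMBINED = {"READ": "RX", "CHANGE": "RXWD", "FULL": "RWXDPO"}


def parse_number(text):
    """Flags and masks may be given in decimal or hexadecimal."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_mask(text):
    """Expand READ/CHANGE/FULL, keep R/W/X/D/P/O letter strings, else numeric."""
    up = text.strip().upper()
    if up in COMBINED:
        return COMBINED[up]
    return up if up and set(up) <= set("RWXDPO") else parse_number(up)


def parse_ace(value):
    """<sid or name>:<type>/<flags>/<mask> -> dict with the flag bits named."""
    who, _, spec = value.rpartition(":")
    ace_type, flags, mask = spec.split("/")
    if ace_type.upper() not in ("ALLOWED", "DENIED"):
        raise ValueError("ACE type must be ALLOWED or DENIED: %r" % ace_type)
    bits = parse_number(flags)
    return {"who": who, "is_sid": bool(SID_RE.match(who)), "type": ace_type.upper(),
            "flags": bits, "flag_names": [n for b, n in ACE_FLAGS.items() if bits & b],
            "mask": parse_mask(mask)}


def parse_acl(text, for_set=False):
    """Entries are comma- or newline-separated; REVISION defaults to 1. With
    for_set=True require owner, group and at least one ACE, as -S does."""
    sd = {"REVISION": 1, "ACL": []}
    for entry in filter(None, (e.strip() for e in re.split(r"[,\n]", text))):
        key, _, value = entry.partition(":")
        key = key.strip().upper()
        if key == "REVISION":
            sd[key] = int(value)
        elif key in ("OWNER", "GROUP"):
            sd[key] = value.strip()
        elif key == "ACL":
            sd["ACL"].append(parse_ace(value))
        else:
            raise ValueError("unknown ACL entry: %r" % entry)
    if for_set and not (all(k in sd for k in ("OWNER", "GROUP")) and sd["ACL"]):
        raise ValueError("-S needs REVISION, OWNER, GROUP and at least one ACL entry")
    return sd
```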
.SH "EXIT STATUS"
.PP
The
smbcacls
program sets the exit status depending on the success or otherwise of the operations performed\&. The exit status may be one of the following values\&.
.PP
If the operation succeeded, smbcacls returns an exit status of 0\&. If
smbcacls
couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
.SH "VERSION"
.PP
This man page is correct for version 3 of the Samba suite\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
smbcacls
was written by Andrew Tridgell and Tim Potter\&.
.PP
The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.