Timestamp:
Oct 30, 2009, 9:39:05 AM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.3 to 3.3.9

File:
1 edited

  • branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/AccessControls.html

    r274 r342  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. 
File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id2610573">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id2610759">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2610774">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2611116">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2611240">File and Directory Access Control</a></span></dt></dl></dd><dt><span 
class="sect1"><a href="AccessControls.html#id2611906">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2611939">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2612307">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2612644">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2612982">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2613130">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2613477">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2613483">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613530">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613601">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613744">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613960">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614117">Interaction with the Standard Samba create mask Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614486">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614559">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2614978">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="AccessControls.html#id2614989">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2615312">File Operations Done as root with force user Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2615358">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p>
    2 <a class="indexterm" name="id2610403"></a>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. 
File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id2610573">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id2610760">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2610774">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2611116">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2611240">File and Directory Access Control</a></span></dt></dl></dd><dt><span 
class="sect1"><a href="AccessControls.html#id2611906">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2611939">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2612307">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2612644">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2612982">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2613130">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2613477">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id2613483">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613530">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613601">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613745">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2613960">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614117">Interaction with the Standard Samba create mask Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614486">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2614559">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id2614978">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="AccessControls.html#id2614990">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2615312">File Operations Done as root with force user Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id2615358">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p>
     2<a class="indexterm" name="id2610404"></a>
    33<a class="indexterm" name="id2610410"></a>
    44<a class="indexterm" name="id2610417"></a>
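Review bot: The table of contents on line 1 now links to #id2610760, #id2613745 and #id2614990 where r274 had #id2610759, #id2613744 and #id2614989, and this changeset lists only one edited file, so any other page or bookmark that still uses the old fragments is not covered here. The generator meta tag is "DocBook XSL Stylesheets V1.74.0" on both sides, so a stylesheet change in this file does not explain the renumbering. Before merging, search the rest of htmldocs for the three old fragment names and confirm nothing still points at them.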
     
    99provide users with the access they need while protecting resources from unauthorized access.
    1010</p><p>
    11 <a class="indexterm" name="id2610440"></a>
     11<a class="indexterm" name="id2610441"></a>
    1212<a class="indexterm" name="id2610448"></a>
    1313Many UNIX administrators are unfamiliar with the MS Windows environment and in particular
     
    2323though it does try to bridge the chasm to a degree.
    2424</p><p>
    25 <a class="indexterm" name="id2610495"></a>
     25<a class="indexterm" name="id2610496"></a>
    2626<a class="indexterm" name="id2610502"></a>
    2727<a class="indexterm" name="id2610512"></a>
    28 <a class="indexterm" name="id2610518"></a>
     28<a class="indexterm" name="id2610519"></a>
    2929POSIX Access Control List technology has been available (along with extended attributes)
    3030for UNIX for many years, yet there is little evidence today of any significant use. This
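Review bot: Lines 25 and 28 change only the indexterm anchor names (id2610495 to id2610496, id2610518 to id2610519) while the neighbouring anchors and the paragraph text are identical, so this hunk carries no documentation change at all. Churn like this in generated HTML buries whatever real text changes the 3.3.9 update contains. Consider building htmldocs from the DocBook source rather than committing the output, or state in the commit message that the HTML differences in this file are anchor renumbering only.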
     
    5353                </p><p>
    5454<a class="indexterm" name="id2610610"></a>
    55 <a class="indexterm" name="id2610617"></a>
     55<a class="indexterm" name="id2610618"></a>
    5656<a class="indexterm" name="id2610624"></a>
    5757                        Samba honors and implements UNIX file system access controls. Users
     
    6565                <span class="emphasis"><em>Samba Share Definitions</em></span>
    6666                </p><p>
    67 <a class="indexterm" name="id2610652"></a>
     67<a class="indexterm" name="id2610653"></a>
    6868                        In configuring share settings and controls in the <code class="filename">smb.conf</code> file,
    6969                        the network administrator can exercise overrides to native file
     
    9595                        extended attributes enabled. This chapter has pertinent information
    9696                        for users of platforms that support them.
    97                         </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2610759"></a>File System Access Controls</h2></div></div></div><p>
     97                        </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2610760"></a>File System Access Controls</h2></div></div></div><p>
    9898Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP
    9999implement a totally divergent file system technology from what is provided in the UNIX operating system
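Review bot: On line 97 the anchor for the "File System Access Controls" heading goes from name="id2610759" to name="id2610760" with no change to the heading text, and nothing is left at the old name, so a link to AccessControls.html#id2610759 now lands at the top of the page instead of this section. Giving the section an explicit id in the DocBook source would keep the generated anchor the same across rebuilds; the chapter title already does this with name="AccessControls". The same applies to the headings renamed at lines 499, 592 and 830.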
     
    102102</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2610774"></a>MS Windows NTFS Comparison with UNIX File Systems</h3></div></div></div><p>
    103103        <a class="indexterm" name="id2610783"></a>
    104         <a class="indexterm" name="id2610789"></a>
     104        <a class="indexterm" name="id2610790"></a>
    105105        <a class="indexterm" name="id2610796"></a>
    106         <a class="indexterm" name="id2610805"></a>
     106        <a class="indexterm" name="id2610806"></a>
    107107        Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions
    108108        and permissions. It also means that if the MS Windows networking environment requires file system
     
    169169                startup configuration data.
    170170                </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
    171                 <a class="indexterm" name="id2611057"></a>
     171                <a class="indexterm" name="id2611058"></a>
    172172                <a class="indexterm" name="id2611067"></a>
    173173                <a class="indexterm" name="id2611076"></a>
     
    250250<a class="indexterm" name="id2611516"></a>
    251251<a class="indexterm" name="id2611523"></a>
    252 <a class="indexterm" name="id2611529"></a>
     252<a class="indexterm" name="id2611530"></a>
    253253        The letters <code class="constant">rwxXst</code> set permissions for the user, group, and others as read (r), write (w),
    254254        execute (or access for directories) (x), execute  only  if  the  file  is a directory or already has execute
     
    258258<a class="indexterm" name="id2611555"></a>
    259259<a class="indexterm" name="id2611562"></a>
    260 <a class="indexterm" name="id2611568"></a>
     260<a class="indexterm" name="id2611569"></a>
    261261        When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
    262262        Without the sticky  bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
     
    289289        directory that contains a file and has write permission for it has the capability to delete it.
    290290        </p><p>
    291 <a class="indexterm" name="id2611702"></a>
     291<a class="indexterm" name="id2611703"></a>
    292292<a class="indexterm" name="id2611710"></a>
    293 <a class="indexterm" name="id2611716"></a>
     293<a class="indexterm" name="id2611717"></a>
    294294        For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on
    295295        the directory that the file is in. In other words, a user can delete a file in a directory to which that
    296296        user has write access, even if that user does not own the file.
    297297        </p><p>
    298 <a class="indexterm" name="id2611731"></a>
    299 <a class="indexterm" name="id2611738"></a>
     298<a class="indexterm" name="id2611732"></a>
     299<a class="indexterm" name="id2611739"></a>
    300300<a class="indexterm" name="id2611745"></a>
    301301<a class="indexterm" name="id2611752"></a>
     
    452452                        </p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2612982"></a>Access Controls on Shares</h2></div></div></div><p>
    453453<a class="indexterm" name="id2612990"></a>
    454 <a class="indexterm" name="id2612996"></a>
     454<a class="indexterm" name="id2612997"></a>
    455455<a class="indexterm" name="id2613004"></a>
    456456<a class="indexterm" name="id2613011"></a>
     
    473473<a class="indexterm" name="id2613078"></a>
    474474<a class="indexterm" name="id2613085"></a>
    475 <a class="indexterm" name="id2613091"></a>
     475<a class="indexterm" name="id2613092"></a>
    476476        Samba stores the per-share access control settings in a file called <code class="filename">share_info.tdb</code>.
    477477        The location of this file on your system will depend on how Samba was compiled. The default location
     
    482482                The best tool for share permissions management is platform-dependent. Choose the best tool for your environment.
    483483                </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2613141"></a>Windows NT4 Workstation/Server</h4></div></div></div><p>
    484 <a class="indexterm" name="id2613149"></a>
    485 <a class="indexterm" name="id2613156"></a>
    486 <a class="indexterm" name="id2613163"></a>
     484<a class="indexterm" name="id2613150"></a>
     485<a class="indexterm" name="id2613157"></a>
     486<a class="indexterm" name="id2613164"></a>
    487487<a class="indexterm" name="id2613170"></a>
    488488                        The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server
     
    497497                        Click on the share that you wish to manage and click the <span class="guilabel">Properties</span> tab, then click
    498498                        the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
    499                         </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2613246"></a>Windows 200x/XP</h4></div></div></div><p>
     499                        </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2613247"></a>Windows 200x/XP</h4></div></div></div><p>
    500500<a class="indexterm" name="id2613254"></a>
    501501<a class="indexterm" name="id2613261"></a>
     
    524524                        <span class="guilabel">Shared Folders</span> in the left panel.
    525525                        </p></li><li><p>
    526 <a class="indexterm" name="id2613426"></a>
     526<a class="indexterm" name="id2613427"></a>
    527527                        In the right panel, double-click on the share on which you wish to set access control permissions.
    528528                        Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
     
    590590                or remote mounted NTFS or Samba drive. This is available as part of the <span class="application">Seclib</span> NT
    591591                security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site.
    592                 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613744"></a>Viewing File or Directory Permissions</h3></div></div></div><p>
     592                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613745"></a>Viewing File or Directory Permissions</h3></div></div></div><p>
    593593                The third button is the <span class="guibutton">Permissions</span> button. Clicking on it brings up a dialog box
    594594                that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:
     
    828828File, directory, and share access problems are common topics on the mailing list. The following
    829829are examples recently taken from the mailing list.
    830 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614989"></a>Users Cannot Write to a Public Share</h3></div></div></div><p>
     830</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614990"></a>Users Cannot Write to a Public Share</h3></div></div></div><p>
    831831        The following complaint has frequently been voiced on the Samba mailing list:
    832832        &#8220;<span class="quote">