Changeset 745 for trunk/server/docs/htmldocs/Samba3-HOWTO/AccessControls.html

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• docs/htmldocs/Samba3-HOWTO/AccessControls.html (modified) (12 diffs)

trunk/server/docs/htmldocs/Samba3-HOWTO/AccessControls.html

@@ -1 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 16. File, Directory, and Share Access Controls"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382825">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 16. File, Directory, and Share Access Controls"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382826">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p>
 <a class="indexterm" name="id378368"></a>
 <a class="indexterm" name="id378374"></a>
@@ -312 +312 @@
         The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux.
         For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory
-        or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutible</code> bit.
-        Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the
+        or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutable</code> bit.
+        Unfortunately, the implementation of the immutable flag is NOT consistent with published documentation. For example, the
         man page for the <code class="literal">chattr</code> on SUSE Linux 9.2 says:
 </p><pre class="screen">
@@ -321 +321 @@
 CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
 </pre><p>
-        A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host
+        A simple test can be done to check if the immutable flag is supported on files in the file system of the Samba host
         server.
         </p><div class="procedure" title="Procedure 16.1. Test for File Immutibility Support"><a name="id379651"></a><p class="title"><b>Procedure 16.1. Test for File Immutibility Support</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
@@ -335 +335 @@
 mystic:/home/hannibal &gt; rm filename
 </pre><p>
-        It will not be possible to delete the file if the immutible flag is correctly honored.
+        It will not be possible to delete the file if the immutable flag is correctly honored.
         </p></li></ol></div><p>
-        On operating systems and file system types that support the immutible bit, it is possible to create directories
+        On operating systems and file system types that support the immutable bit, it is possible to create directories
         that cannot be deleted. Check the man page on your particular host system to determine whether or not
         immutable directories are writable. If they are not, then the entire directory and its contents will effectively
@@ -466 +466 @@
 <a class="indexterm" name="id380786"></a>
         At this time Samba does not provide a tool for configuring access control settings on the share
-        itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x
+        itself.  The only way to create those settings is to use either the NT4 Server Manager or the Windows 200x
         Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide
         this capability in the Samba command-line tool set.
         </p><p>
 <a class="indexterm" name="id380799"></a>
-<a class="indexterm" name="id380805"></a>
+<a class="indexterm" name="id380806"></a>
 <a class="indexterm" name="id380812"></a>
 <a class="indexterm" name="id380819"></a>
@@ -483 +483 @@
                 </p><div class="sect3" title="Windows NT4 Workstation/Server"><div class="titlepage"><div><div><h4 class="title"><a name="id380864"></a>Windows NT4 Workstation/Server</h4></div></div></div><p>
 <a class="indexterm" name="id380872"></a>
-<a class="indexterm" name="id380878"></a>
+<a class="indexterm" name="id380879"></a>
 <a class="indexterm" name="id380885"></a>
 <a class="indexterm" name="id380892"></a>
@@ -508 +508 @@
                         </p><p>
 <a class="indexterm" name="id381021"></a>
-<a class="indexterm" name="id381027"></a>
+<a class="indexterm" name="id381028"></a>
 <a class="indexterm" name="id381034"></a>
                         MS Windows 200x and later versions come with a tool called the <span class="application">Computer Management</span>
@@ -524 +524 @@
                         <span class="guilabel">Shared Folders</span> in the left panel.
                         </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id381131"></a>
+<a class="indexterm" name="id381132"></a>
                         In the right panel, double-click on the share on which you wish to set access control permissions.
                         Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
@@ -575 +575 @@
                 the file owner will be shown as the NT user <span class="emphasis"><em>Everyone</em></span>.
                 </p><p>
-<a class="indexterm" name="id381354"></a>
+<a class="indexterm" name="id381355"></a>
                 The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to
                 yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto
@@ -584 +584 @@
                 </p><p>
 <a class="indexterm" name="id381379"></a>
-<a class="indexterm" name="id381385"></a>
+<a class="indexterm" name="id381386"></a>
 <a class="indexterm" name="id381392"></a>
                 There is an NT <code class="literal">chown</code> command that will work with Samba and allow a user with administrator
@@ -720 +720 @@
         then set the following parameters in the <code class="filename">smb.conf</code> file in that
         share-specific section:
-        </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382036"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382047"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id382058"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382070"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" title="Interaction with the Standard Samba File Attribute Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id382083"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+        </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382036"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382047"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id382059"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382070"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" title="Interaction with the Standard Samba File Attribute Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id382083"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
         Samba maps some of the DOS attribute bits (such as <span class="quote">&#8220;<span class="quote">read-only</span>&#8221;</span>)
         into the UNIX permissions of a file. This means there can 
@@ -889 +889 @@
                 <span class="emphasis"><em>engr</em></span> set in the <code class="filename">smb.conf</code> entry for the share:
                 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382810"></a><em class="parameter"><code>force group = engr</code></em></td></tr></table><p>
-                </p></li></ol></div></div><div class="sect2" title="File Operations Done as root with force user Set"><div class="titlepage"><div><div><h3 class="title"><a name="id382825"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p>
+                </p></li></ol></div></div><div class="sect2" title="File Operations Done as root with force user Set"><div class="titlepage"><div><div><h3 class="title"><a name="id382826"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p>
                 When you have a user in <a class="link" href="smb.conf.5.html#ADMINUSERS" target="_top">admin users</a>, Samba will always do file operations for
                 this user as <span class="emphasis"><em>root</em></span>, even if <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> has been set.