<p><a name="NAME"></a>
<h2>NAME</h2>
- smbcacls - Set or get ACLs on an NT file
+ smbcacls - Set or get ACLs on an NT file or directory
<p><a name="SYNOPSIS"></a>
<h2>SYNOPSIS</h2>
<p><a name="OPTIONS"></a>
<h2>OPTIONS</h2>
-<p>The following options are available to the <strong>smbcacls</strong> program:
+<p>The following options are available to the <strong>smbcacls</strong> program. The
+format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a>
<p><dl>
<p><a name="minusA"></a>
<p></p><dt><strong><strong>-A acls</strong></strong><dd>
-<p>Add the ACLs specified to the ACL list.
+<p>Add the ACLs specified to the ACL list. Existing access control entries
+are unchanged.
<p><a name="minusM"></a>
<p></p><dt><strong><strong>-M acls</strong></strong><dd>
<p>Modify the mask value (permissions) for the ACLs specified on the command
-line. An error will be printed if the ACL specified is not already present
-in the ACL list
+line. An error will be printed for each ACL specified that was not already
+present in the ACL list.
<p><a name="minusD"></a>
<p></p><dt><strong><strong>-D acls</strong></strong><dd>
-<p>Delete any ACLs specfied on the command line. An error is printed if any
-of the ACLs specified are not present in the ACL list.
+<p>Delete any ACLs specfied on the command line. An error will be printed for
+each ACL specified that was not already present in the ACL list.
<p><a name="minusS"></a>
<p></p><dt><strong><strong>-S acls</strong></strong><dd>
-<p>This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+<p>This command sets the ACLs on the file with only the ones specified on the
+command line. All other ACLs are erased. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
<p><a name="minusU"></a>
<p></p><dt><strong><strong>-U username</strong></strong><dd>
<p>Specifies a username used to connect to the specified service. The
<p></p><dt><strong><strong>-h</strong></strong><dd>
<p>Print usage information on the <strong>smbcacls</strong> program
<p></dl>
+<p><a name="ACLFORMAT"></a>
+<h2>ACL FORMAT</h2>
+
+<p>The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines. An ACL entry is one of the following:
+<p><pre>
+
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+</pre>
+
+<p>The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor. If not specified it defaults to 1.
+<p>The owner and group specify the owner and group sids for the object. If a
+SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides.
+<p>ACLs specify permissions granted to the SID. This SID again can be
+specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved
+against the server on which the file or directory resides. The type, flags
+and mask values determine the type of access granted to the SID.
+<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs. Some common flags are:
+<p><pre>
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
+</pre>
+
+<p>The mask is a value which expresses the access right granted to
+the SID. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name.
+<p><dl>
+<p><p></p><dt><strong></strong><dd> <code>R</code> Allow read access
+<p><p></p><dt><strong></strong><dd> <code>W</code> Allow write access
+<p><p></p><dt><strong></strong><dd> <code>X</code> Execute permission on the object
+<p><p></p><dt><strong></strong><dd> <code>D</code> Delete the object
+<p><p></p><dt><strong></strong><dd> <code>P</code> Change permissions
+<p><p></p><dt><strong></strong><dd> <code>O</code> Take ownership
+<p></dl>
+<p>The following combined permissions can be specified:
+<p><dl>
+<p><p></p><dt><strong></strong><dd> <code>READ</code> Equivalent to <code>RX</code> permissions
+<p></p><dt><strong></strong><dd> <code>CHANGE</code> Equivalent to <code>RXWD</code> permissions
+<p></p><dt><strong></strong><dd> <code>FULL</code> Equivalent to <code>RWXDPO</code> permissions
+<p></dl>
<p><a name="EXITSTATUS"></a>
<h2>EXIT STATUS</h2>
.TH "smbcacls " "1" "3 Dec 2000" "Samba" "SAMBA"
.PP
.SH "NAME"
-smbcacls \- Set or get ACLs on an NT file
+smbcacls \- Set or get ACLs on an NT file or directory
.PP
.SH "SYNOPSIS"
.PP
.PP
.SH "OPTIONS"
.PP
-The following options are available to the \fBsmbcacls\fP program:
+The following options are available to the \fBsmbcacls\fP program\&. The
+format of ACLs is described in the section ACL FORMAT
.PP
.IP
.IP "\fB-A acls\fP"
.IP
-Add the ACLs specified to the ACL list\&.
+Add the ACLs specified to the ACL list\&. Existing access control entries
+are unchanged\&.
.IP
.IP "\fB-M acls\fP"
.IP
Modify the mask value (permissions) for the ACLs specified on the command
-line\&. An error will be printed if the ACL specified is not already present
-in the ACL list
+line\&. An error will be printed for each ACL specified that was not already
+present in the ACL list\&.
.IP
.IP "\fB-D acls\fP"
.IP
-Delete any ACLs specfied on the command line\&. An error is printed if any
-of the ACLs specified are not present in the ACL list\&.
+Delete any ACLs specfied on the command line\&. An error will be printed for
+each ACL specified that was not already present in the ACL list\&.
.IP
.IP "\fB-S acls\fP"
.IP
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line\&.
+This command sets the ACLs on the file with only the ones specified on the
+command line\&. All other ACLs are erased\&. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed\&.
.IP
.IP "\fB-U username\fP"
.IP
Print usage information on the \fBsmbcacls\fP program
.IP
.PP
+.SH "ACL FORMAT"
+.PP
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines\&. An ACL entry is one of the following:
+.PP
+
+.nf
+
+
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+.fi
+
+
+.PP
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor\&. If not specified it defaults to 1\&.
+.PP
+The owner and group specify the owner and group sids for the object\&. If a
+SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides\&.
+.PP
+ACLs specify permissions granted to the SID\&. This SID again can be
+specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved
+against the server on which the file or directory resides\&. The type, flags
+and mask values determine the type of access granted to the SID\&.
+.PP
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID\&. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs\&. Some common flags are:
+.PP
+
+.nf
+
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
+.fi
+
+
+.PP
+The mask is a value which expresses the access right granted to
+the SID\&. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name\&.
+.PP
+.IP
+.IP ""
+\f(CWR\fP Allow read access
+.IP
+.IP ""
+\f(CWW\fP Allow write access
+.IP
+.IP ""
+\f(CWX\fP Execute permission on the object
+.IP
+.IP ""
+\f(CWD\fP Delete the object
+.IP
+.IP ""
+\f(CWP\fP Change permissions
+.IP
+.IP ""
+\f(CWO\fP Take ownership
+.IP
+.PP
+The following combined permissions can be specified:
+.PP
+.IP
+.IP ""
+\f(CWREAD\fP Equivalent to \f(CWRX\fP permissions
+.IP ""
+\f(CWCHANGE\fP Equivalent to \f(CWRXWD\fP permissions
+.IP ""
+\f(CWFULL\fP Equivalent to \f(CWRWXDPO\fP permissions
+.IP
+.PP
.SH "EXIT STATUS"
.PP
.SH "AUTHOR"
manpage(smbcacls htmlcommand((1)))(1)(3 Dec 2000)(Samba)(SAMBA)
label(NAME)
-manpagename(smbcacls)(Set or get ACLs on an NT file)
+manpagename(smbcacls)(Set or get ACLs on an NT file or directory )
label(SYNOPSIS)
manpagesynopsis()
label(OPTIONS)
manpageoptions()
-The following options are available to the bf(smbcacls) program:
+The following options are available to the bf(smbcacls) program. The
+format of ACLs is described in the section link(ACL FORMAT)(ACLFORMAT)
startdit()
label(minusA)
dit(bf(-A acls))
-Add the ACLs specified to the ACL list.
+Add the ACLs specified to the ACL list. Existing access control entries
+are unchanged.
label(minusM)
dit(bf(-M acls))
Modify the mask value (permissions) for the ACLs specified on the command
-line. An error will be printed if the ACL specified is not already present
-in the ACL list
+line. An error will be printed for each ACL specified that was not already
+present in the ACL list.
label(minusD)
dit(bf(-D acls))
-Delete any ACLs specfied on the command line. An error is printed if any
-of the ACLs specified are not present in the ACL list.
+Delete any ACLs specfied on the command line. An error will be printed for
+each ACL specified that was not already present in the ACL list.
label(minusS)
dit(bf(-S acls))
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+This command sets the ACLs on the file with only the ones specified on the
+command line. All other ACLs are erased. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
label(minusU)
dit(bf(-U username))
enddit()
-label(EXIT STATUS)
+label(ACLFORMAT)
+manpagesection(ACL FORMAT)
+
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines. An ACL entry is one of the following:
+
+verb(
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>)
+
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor. If not specified it defaults to 1.
+
+The owner and group specify the owner and group sids for the object. If a
+SID in the format tt(S-1-x-y-z) is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides.
+
+ACLs specify permissions granted to the SID. This SID again can be
+specified in tt(S-1-x-y-z) format or as a name in which case it is resolved
+against the server on which the file or directory resides. The type, flags
+and mask values determine the type of access granted to the SID.
+
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs. Some common flags are:
+
+verb(
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8)
+
+The mask is a value which expresses the access right granted to
+the SID. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name.
+
+startdit()
+
+dit() tt(R) Allow read access
+
+dit() tt(W) Allow write access
+
+dit() tt(X) Execute permission on the object
+
+dit() tt(D) Delete the object
+
+dit() tt(P) Change permissions
+
+dit() tt(O) Take ownership
+
+enddit()
+
+The following combined permissions can be specified:
+
+startdit()
+
+dit() tt(READ) Equivalent to tt(RX) permissions
+dit() tt(CHANGE) Equivalent to tt(RXWD) permissions
+dit() tt(FULL) Equivalent to tt(RWXDPO) permissions
+
+enddit()
+
+label(EXITSTATUS)
manpagesection(EXIT STATUS)
label(AUTHOR)
git.samba.org / sfrench / samba-autobuild / .git / commitdiff