1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >UNIX Permission Bits and Windows NT Access Control Lists</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Hosting a Microsoft Distributed File System tree on Samba"
14 HREF="msdfs.html"><LINK
16 TITLE="Printing Support in Samba 2.2.x"
17 HREF="printing.html"></HEAD
28 SUMMARY="Header navigation table"
37 >SAMBA Project Documentation</TH
72 NAME="UNIX-PERMISSIONS"
74 >Chapter 5. UNIX Permission Bits and Windows NT Access Control Lists</H1
82 >5.1. Viewing and changing UNIX permissions using the NT
85 >New in the Samba 2.0.4 release is the ability for Windows
86 NT clients to use their native security settings dialog box to
87 view and modify the underlying UNIX permissions.</P
89 >Note that this ability is careful not to compromise
90 the security of the UNIX host Samba is running on, and
91 still obeys all the file permission rules that a Samba
92 administrator can set.</P
94 >In Samba 2.0.4 and above the default value of the
96 HREF="smb.conf.5.html#NTACLSUPPORT"
104 > has been changed from
112 manipulation of permissions is turned on by default.</P
121 >5.2. How to view file security on a Samba share</H1
123 >From an NT 4.0 client, single-click with the right
124 mouse button on any file or directory in a Samba mounted
125 drive letter or UNC path. When the menu pops-up, click
132 > entry at the bottom of
133 the menu. This brings up the normal file properties dialog
134 box, but with Samba 2.0.4 this will have a new tab along the top
141 >. Click on this tab and you
142 will see three buttons, <SPAN
168 > button will cause either
169 an error message <SPAN
171 >A requested privilege is not held
173 > to appear if the user is not the
174 NT Administrator, or a dialog which is intended to allow an
175 Administrator to add auditing requirements to a file if the
176 user is logged on as the NT Administrator. This dialog is
177 non-functional with a Samba share at this time, as the only
178 useful button, the <B
181 > button will not currently
182 allow a list of users to be seen.</P
191 >5.3. Viewing file ownership</H1
197 brings up a dialog box telling you who owns the given file. The
198 owner name will be of the form :</P
202 >"SERVER\user (Long name)"</B
210 > is the NetBIOS name of
211 the Samba server, <TT
216 > is the user name of
217 the UNIX user who owns the file, and <TT
223 is the descriptive string identifying the user (normally found in the
224 GECOS field of the UNIX password database). Click on the <B
228 > button to remove this dialog.</P
230 >If the parameter <TT
239 > then the file owner will
240 be shown as the NT user <B
248 > button will not allow
249 you to change the ownership of this file to yourself (clicking on
250 it will display a dialog box complaining that the user you are
251 currently logged onto the NT client cannot be found). The reason
252 for this is that changing the ownership of a file is a privileged
253 operation in UNIX, available only to the <SPAN
260 user. As clicking on this button causes NT to attempt to change
261 the ownership of a file to the current user logged into the NT
262 client this will not work with Samba at this time.</P
264 >There is an NT chown command that will work with Samba
265 and allow a user with Administrator privilege connected
266 to a Samba 2.0.4 server as root to change the ownership of
267 files on both a local NTFS filesystem or remote mounted NTFS
268 or Samba drive. This is available as part of the <SPAN
275 > NT security library written by Jeremy Allison of
276 the Samba Team, available from the main Samba ftp site.</P
285 >5.4. Viewing file or directory permissions</H1
287 >The third button is the <B
291 button. Clicking on this brings up a dialog box that shows both
292 the permissions and the UNIX owner of the file or directory.
293 The owner is displayed in the form :</P
297 >"SERVER\user (Long name)"</B
305 > is the NetBIOS name of
306 the Samba server, <TT
311 > is the user name of
312 the UNIX user who owns the file, and <TT
318 is the descriptive string identifying the user (normally found in the
319 GECOS field of the UNIX password database).</P
321 >If the parameter <TT
330 > then the file owner will
331 be shown as the NT user <B
335 permissions will be shown as NT "Full Control".</P
337 >The permissions field is displayed differently for files
338 and directories, so I'll describe the way file permissions
339 are displayed first.</P
347 >5.4.1. File Permissions</H2
349 >The standard UNIX user/group/world triple and
350 the corresponding "read", "write", "execute" permissions
351 triples are mapped by Samba into a three element NT ACL
352 with the 'r', 'w', and 'x' bits mapped into the corresponding
353 NT permissions. The UNIX world permissions are mapped into
354 the global NT group <B
358 by the list of permissions allowed for UNIX world. The UNIX
359 owner and group permissions are displayed as an NT
367 > icon respectively followed by the list
368 of permissions allowed for the UNIX user and group.</P
370 >As many UNIX permission sets don't map into common
381 usually the permissions will be prefixed by the words <B
383 > "Special Access"</B
384 > in the NT display list.</P
386 >But what happens if the file has no permissions allowed
387 for a particular UNIX user group or world component ? In order
388 to allow "no permissions" to be seen and modified then Samba
393 (which has no meaning in UNIX) and reports a component with
394 no permissions as having the NT <B
398 This was chosen of course to make it look like a zero, meaning
399 zero permissions. More details on the decision behind this will
409 >5.4.2. Directory Permissions</H2
411 >Directories on an NT NTFS file system have two
412 different sets of permissions. The first set of permissions
413 is the ACL set on the directory itself, this is usually displayed
414 in the first set of parentheses in the normal <B
418 NT style. This first set of permissions is created by Samba in
419 exactly the same way as normal file permissions are, described
420 above, and is displayed in the same way.</P
422 >The second set of directory permissions has no real meaning
423 in the UNIX permissions world and represents the <B
426 > permissions that any file created within
427 this directory would inherit.</P
429 >Samba synthesises these inherited permissions for NT by
430 returning as an NT ACL the UNIX permission mode that a new file
431 created by Samba on this share would receive.</P
441 >5.5. Modifying file or directory permissions</H1
443 >Modifying file and directory permissions is as simple
444 as changing the displayed permissions in the dialog box, and
448 > button. However, there are
449 limitations that a user needs to be aware of, and also interactions
450 with the standard Samba permission masks and mapping of DOS
451 attributes that need to also be taken into account.</P
453 >If the parameter <TT
462 > then any attempt to set
463 security permissions will fail with an <B
469 >The first thing to note is that the <B
473 button will not return a list of users in Samba 2.0.4 (it will give
474 an error message of <B
476 >"The remote procedure call failed
477 and did not execute"</B
478 >). This means that you can only
479 manipulate the current user/group/world permissions listed in
480 the dialog box. This actually works quite well as these are the
481 only permissions that UNIX actually has.</P
483 >If a permission triple (either user, group, or world)
484 is removed from the list of permissions in the NT dialog box,
488 > button is pressed it will
489 be applied as "no permissions" on the UNIX side. If you then
490 view the permissions again the "no permissions" entry will appear
494 > flag, as described above. This
495 allows you to add permissions back to a file or directory once
496 you have removed them from a triple component.</P
498 >As UNIX supports only the "r", "w" and "x" bits of
499 an NT ACL then if other NT security attributes such as "Delete
500 access" are selected then they will be ignored when applied on
503 >When setting permissions on a directory the second
504 set of permissions (in the second set of parentheses) is
505 by default applied to all files within that directory. If this
506 is not what you want you must uncheck the <B
509 permissions on existing files"</B
511 dialog before clicking <B
516 >If you wish to remove all permissions from a
517 user/group/world component then you may either highlight the
518 component and click the <B
522 or set the component to only have the special <B
526 > permission (displayed as <B
539 >5.6. Interaction with the standard Samba create mask
542 >Note that with Samba 2.0.5 there are four new parameters
543 to control this interaction. These are :</P
555 >force security mode</I
562 >directory security mask</I
569 >force directory security mode</I
573 >Once a user clicks <B
577 permissions Samba maps the given permissions into a user/group/world
578 r/w/x triple set, and then will check the changed permissions for a
579 file against the bits set in the <A
580 HREF="smb.conf.5.html#SECURITYMASK"
589 > parameter. Any bits that
590 were changed that are not set to '1' in this parameter are left alone
591 in the file permissions.</P
593 >Essentially, zero bits in the <TT
599 mask may be treated as a set of bits the user is <SPAN
606 allowed to change, and one bits are those the user is allowed to change.
609 >If not set explicitly this parameter is set to the same value as
611 HREF="smb.conf.5.html#CREATEMASK"
620 > parameter to provide compatibility with Samba 2.0.4
621 where this permission change facility was introduced. To allow a user to
622 modify all the user/group/world permissions on a file, set this parameter
625 >Next Samba checks the changed permissions for a file against
626 the bits set in the <A
627 HREF="smb.conf.5.html#FORCESECURITYMODE"
632 >force security mode</I
635 > parameter. Any bits
636 that were changed that correspond to bits set to '1' in this parameter
637 are forced to be set.</P
639 >Essentially, bits set in the <TT
645 > parameter may be treated as a set of bits that, when
646 modifying security on a file, the user has always set to be 'on'.</P
648 >If not set explicitly this parameter is set to the same value
650 HREF="smb.conf.5.html#FORCECREATEMODE"
659 > parameter to provide compatibility
660 with Samba 2.0.4 where the permission change facility was introduced.
661 To allow a user to modify all the user/group/world permissions on a file
662 with no restrictions set this parameter to 000.</P
675 > parameters are applied to the change
676 request in that order.</P
678 >For a directory Samba will perform the same operations as
679 described above for a file except using the parameter <TT
682 > directory security mask</I
693 >force directory security mode
696 > parameter instead of <TT
707 >directory security mask</I
710 by default is set to the same value as the <TT
716 > parameter and the <TT
719 >force directory security
722 > parameter by default is set to the same value as
726 >force directory mode</I
728 > parameter to provide
729 compatibility with Samba 2.0.4 where the permission change facility
732 >In this way Samba enforces the permission restrictions that
733 an administrator can set on a Samba share, whilst still allowing users
734 to modify the permission bits within that restriction.</P
736 >If you want to set up a share that allows users full control
737 in modifying the permission bits on their files and directories and
738 doesn't force any particular bits to be set 'on', then set the following
740 HREF="smb.conf.5.html"
747 > file in that share specific section :</P
752 >security mask = 0777</I
759 >force security mode = 0</I
766 >directory security mask = 0777</I
773 >force directory security mode = 0</I
777 >As described, in Samba 2.0.4 the parameters :</P
789 >force create mode</I
803 >force directory mode</I
807 >were used instead of the parameters discussed here.</P
816 >5.7. Interaction with the standard Samba file attribute
819 >Samba maps some of the DOS attribute bits (such as "read
820 only") into the UNIX permissions of a file. This means there can
821 be a conflict between the permission bits set via the security
822 dialog and the permission bits set by the file attribute mapping.
825 >One way this can show up is if a file has no UNIX read access
826 for the owner it will show up as "read only" in the standard
827 file attributes tabbed dialog. Unfortunately this dialog is
828 the same one that contains the security info in another tab.</P
830 >What this can mean is that if the owner changes the permissions
831 to allow themselves read access using the security dialog, clicks
835 > to get back to the standard attributes tab
836 dialog, and then clicks <B
839 > on that dialog, then
840 NT will set the file permissions back to read-only (as that is what
841 the attributes still say in the dialog). This means that after setting
842 permissions and clicking <B
846 attributes dialog you should always hit <B
853 > to ensure that your changes
854 are not overridden.</P
862 SUMMARY="Footer navigation table"
882 HREF="samba-howto-collection.html"
901 >Hosting a Microsoft Distributed File System tree on Samba</TD
911 >Printing Support in Samba 2.2.x</TD