</para>
<para>
- Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
- administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
- name="security mask"/>.
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
+ over permission changes it should be set to 0777.
</para>
</description>
created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
+ <para>
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
+ over permission changes it should be set to 0777.
+ </para>
</description>
<related>force directory mode</related>
<related>create mask</related>
-<related>directory security mask</related>
<related>inherit permissions</related>
<value type="default">0755</value>
<value type="example">0775</value>
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission bits
- will be set when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog
- box.</para>
-
<para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
- Essentially, zero bits in this mask are a set of bits that will always be set to zero.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="directory mask"/> is now used instead to mask
+ any permission bit changes on directories.
<para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>If not set explicitly this parameter is set to 0777
- meaning a user is allowed to set all the user/group/world
- permissions on a directory.</para>
-
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to leave
- it as the default of <constant>0777</constant>.</para>
</description>
-<related>force directory security mode</related>
-<related>security mask</related>
-<related>force security mode</related>
-<value type="default">0777</value>
-<value type="example">0700</value>
</samba:parameter>
mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
parameter is applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a file, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
+ </para>
+
<para>The example below would force all newly created files to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a directory, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
+ </para>
+
<para>The example below would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a directory using the native NT security dialog box.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force directory mode"/> is now used instead to
+ force any permission changes on directories to include specific UNIX
+ permission bits.
<para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
- of an OR.
- </para>
-
- <para>
- Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
- to will enable (1) any flags that are off (0) but which the mask has set to on (1).
- </para>
-
- <para>
- If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
- permissions on a directory without restrictions.
- </para>
-
- <note><para>
- Users who can access the Samba server through other means can easily bypass this restriction, so it is
- primarily useful for standalone "appliance" systems. Administrators of most normal systems will
- probably want to leave it set as 0000.
- </para></note>
-
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>directory security mask</related>
-<related>security mask</related>
-<related>force security mode</related>
-
</samba:parameter>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
- </para>
-
- <para>
- Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
- the user has always set to be on.
- </para>
-
- <para>
- If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
- permissions on a file, with no restrictions.
- </para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most
- normal systems will probably want to leave this set to 0000.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force create mode"/> is now used instead to
+ force any permission changes on files to include specific UNIX
+ permission bits.
+ </para>
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>security mask</related>
</samba:parameter>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
- UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
- </para>
-
- <para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>
- If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="create mask"/> is now used instead to mask
+ any permission bit changes on files.
</para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of
- most normal systems will probably want to leave it set to <constant>0777</constant>.
- </para>
</description>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>force security mode</related>
-
-<value type="default">0777</value>
-<value type="example">0770</value>
</samba:parameter>
"ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
"WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
"MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
"VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
"CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
"DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
"DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
"LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
"WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
"ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
"PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
"MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
"LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
"LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
"LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
"LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
"NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
"LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
"POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
"INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
"ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
"ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
"USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
"MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
FN_LOCAL_INTEGER(printing, iPrinting)
.enum_list = NULL,
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
- {
- .label = "security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
{
.label = "directory mask",
.type = P_OCTAL,
.enum_list = NULL,
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
- {
- .label = "directory security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force directory security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
{
.label = "force unknown acl user",
.type = P_BOOL,
bool lp_durable_handles(int);
int lp_create_mask(int );
int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
int lp_dir_mask(int );
int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
int lp_max_connections(int );
int lp_defaultcase(int );
int lp_minprintspace(int );
.iWriteCacheSize = 0,
.iCreate_mask = 0744,
.iCreate_force_mode = 0,
- .iSecurity_mask = 0777,
- .iSecurity_force_mode = 0,
.iDir_mask = 0755,
.iDir_force_mode = 0,
- .iDir_Security_mask = 0777,
- .iDir_Security_force_mode = 0,
.iMaxConnections = 0,
.iDefaultCase = CASE_LOWER,
.iPrinting = DEFAULT_PRINTING,
git.samba.org / samba.git / commitdiff