-------------------------------------------------------------------------------------------------------------------
Userspace helper to alter components of a security descriptor for Common Internet File System (CIFS)
-------------------------------------------------------------------------------------------------------------------

setcifsacl [-v|-U|-a|-D|-M|-S|-o|-g] "{one or more ACEs or a SID}" {file system object}

This tool is part of the cifs-utils suite.

``setcifsacl`` is a userspace helper program for the Linux CIFS client
file system. It is intended to alter an ACL or set owner/group SID of a security descriptor
for a file system object. Whether a security descriptor to be set is
applied or not is determined by the CIFS/SMB server.

This program uses a plugin to handle the mapping of user and group
names to SIDs. *@pluginpath@* should be a symlink that points to the
correct plugin to use.

Print usage message and exit.

Print version number and exit.

Apply ACE editing actions (-a, -D, -M, -S) to the SACL (aUdit ACL). The actions are
applied to the DACL if -U is not specified.

Add one or more ACEs to an ACL of a security descriptor. An ACE is
added even if the same ACE already exists in the ACL.

Delete one or more ACEs from an ACL of a security descriptor. The entire
ACE has to match an entry in the existing ACL for the listed ACEs to be deleted.

Modify one or more ACEs from an ACL of a security descriptor. SID and
type are used to match for existing ACEs to be modified with the list

Set an ACL of a security descriptor with the list of ACEs. The existing ACL
is replaced entirely with the specified ACEs.

Set owner SID to the one specified as a command line argument.

Set group SID to the one specified as a command line argument.

The owner/group SID can be specified as a name or a raw SID value.
Every ACE entry starts with "ACL:". One or more ACEs are specified
within double quotes. Multiple ACEs are separated by a comma.

The following fields of a DACL ACE can be modified, with these possible values:

- ``SID`` - Either a name or a raw SID value.
- ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)
- ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1),
  CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI
  or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or
  0x10) or a combination/OR of these values.
- ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value.

The following fields of a SACL ACE can be modified, with these possible values:

- ``SID`` - Either a name or a raw SID value.
- ``type`` - AUDIT (0x2), AUDIT_OBJECT (0x7), AUDIT_CALLBACK (0xD), AUDIT_CALLBACK_OBJECT (0xF),
  MANDATORY_LABEL (0x11), RESOURCE_ATTRIBUTE (0x12), SCOPED_POLICY_ID (0x13)
- ``flags`` - SUCCESSFULL_ACCESS (SA or 0x40), FAILED_ACCESS (FA or 0x80)
- ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value.

::

  setcifsacl -a "ACL:CIFSTESTDOM\\user2:DENIED/0x1/D" <file_name>
  setcifsacl -a "ACL:CIFSTESTDOM\\user1:ALLOWED/OI|CI|NI/D" <file_name>
  setcifsacl -U -a "ACL:CIFSTESTDOM\\user1:AUDIT/SA/D" <file_name>

  setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
  setcifsacl -U -D "ACL:S-1-1-0:0x2/FA/0xf01ff" <file_name>

  setcifsacl -M "ACL:CIFSTESTDOM\\user1:ALLOWED/0x1f/CHANGE" <file_name>
  setcifsacl -U -M "ACL:CIFSTESTDOM\\user1:AUDIT_OBJECT/SA/CHANGE" <file_name>

  setcifsacl -S "ACL:CIFSTESTDOM\\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\\user2:0x0/0x0/FULL" <file_name>
  setcifsacl -U -S "ACL:CIFSTESTDOM\\Administrator:AUDIT/SA/FULL,ACL:CIFSTESTDOM\\user2:0x7/0x80/FULL" <file_name>

  setcifsacl -o "S-1-5-21-3338130290-3403600371-1423429424-2102" <file_name>

  setcifsacl -g "Administrators@BUILTIN" <file_name>
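
The ACE syntax described above can be checked before an argument is handed to ``setcifsacl``. The following is an added example, not part of cifs-utils: ``parse_aces`` is a hypothetical helper that accepts only the type and flag values listed in the two field tables, which may be stricter than the tool itself, and it validates the mask by syntax only because the page gives no numeric values for it.

```python
import re

# Names and numeric values are the ones listed in the field tables above.
DACL_TYPES = {"ALLOWED": 0x0, "DENIED": 0x1, "OBJECT_ALLOWED": 0x5, "OBJECT_DENIED": 0x6}
SACL_TYPES = {"AUDIT": 0x2, "AUDIT_OBJECT": 0x7, "AUDIT_CALLBACK": 0xD,
              "AUDIT_CALLBACK_OBJECT": 0xF, "MANDATORY_LABEL": 0x11,
              "RESOURCE_ATTRIBUTE": 0x12, "SCOPED_POLICY_ID": 0x13}
DACL_FLAGS = {"OI": 0x1, "CI": 0x2, "NI": 0x4, "IO": 0x8, "IA": 0x10}
SACL_FLAGS = {"SA": 0x40, "FA": 0x80}
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
MASK_RE = re.compile(r"FULL|CHANGE|READ|[RWXDPO]+|0x[0-9a-fA-F]+")


def parse_aces(arg, sacl=False):
    """Parse the quoted ACE argument; sacl=True corresponds to passing -U.

    Returns a list of (sid, type, flags, mask) with type and flags as integers.
    Raises ValueError for anything the field tables do not list.
    """
    types, bits = (SACL_TYPES, SACL_FLAGS) if sacl else (DACL_TYPES, DACL_FLAGS)
    allowed_bits = sum(bits.values())
    aces = []
    for entry in arg.split(","):
        if not entry.startswith("ACL:"):
            raise ValueError(f"{entry!r}: every ACE entry starts with 'ACL:'")
        # The SID is everything up to the last colon; names and raw SIDs both fit.
        sid, _, fields = entry[4:].rpartition(":")
        parts = fields.split("/")
        if not sid or len(parts) != 3:
            raise ValueError(f"{entry!r}: expected ACL:SID:type/flags/mask")
        ace_type, flags, mask = parts
        type_val = int(ace_type, 16) if HEX_RE.fullmatch(ace_type) else types.get(ace_type)
        if type_val not in types.values():
            raise ValueError(f"{entry!r}: type {ace_type!r} not valid for this ACL")
        if HEX_RE.fullmatch(flags):
            flag_val = int(flags, 16)
        elif all(name in bits for name in flags.split("|")):
            flag_val = sum({bits[name] for name in flags.split("|")})
        else:
            raise ValueError(f"{entry!r}: unknown flag in {flags!r}")
        if flag_val & ~allowed_bits:
            raise ValueError(f"{entry!r}: flags {flags!r} not valid for this ACL")
        if not MASK_RE.fullmatch(mask):
            raise ValueError(f"{entry!r}: bad mask {mask!r}")
        aces.append((sid, type_val, flag_val, mask))
    return aces
```

A SACL ACE such as ``AUDIT/SA/D`` passed without ``sacl=True`` raises ``ValueError``, which catches a forgotten ``-U`` before the request reaches the server.
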

Kernel support for getcifsacl/setcifsacl utilities was initially
introduced in the 2.6.37 kernel.

mount.cifs(8), getcifsacl(1)

Shirish Pargaonkar wrote the setcifsacl program.

The Linux CIFS Mailing list is the preferred place to ask questions
regarding these programs.