setcifsacl(1) [linux man page]
SETCIFSACL(1) CIFS Access Control List Tools SETCIFSACL(1) NAME
setcifsacl - Userspace helper to alter an ACL in a security descriptor for Common Internet File System (CIFS) SYNOPSIS
setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} DESCRIPTION
This tool is part of the cifs-utils suite. setcifsacl is a userspace helper program for the Linux CIFS client file system. It is intended to alter an ACL of a security descriptor for a file system object. It is best utilized when an option of cifsacl is specified when mounting a cifs share in conjunction with winbind facility of Samba suite. Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server. OPTIONS
-v Print version number and exit. -a Add one or more ACEs to an ACL of a security descriptor. An ACE is added even if the same ACE exists in the ACL. -D Delete one or more ACEs from an ACL of a security descriptor. Entire ACE has to match in an existing ACL for the listed ACEs to be deleted. -M Modify one or more ACEs from an ACL of a security descriptor. SID and type are used to match for existing ACEs to be modified with the list of ACEs specified. -S Set an ACL of security descriptor with the list of ACEs Existing ACL is replaced entirely with the specified ACEs. Every ACE entry starts with "ACL:" One or more ACEs are specified within double quotes. Multiple ACEs are separated by a comma. Following fields of an ACE can be modified with possible values: SID: Either a name or a raw SID value. type: ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) flags: OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) or a combination/OR of these values. mask: Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value EXAMPLES
Add an ACE setcifsacl -a "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> setcifsacl -a "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name> Delete an ACE setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> Modify an ACE setcifsacl -M "ACL:CIFSTESTDOMuser1:ALLOWED/0x1f/CHANGE" <file_name> Set an ACL setcifsacl -S "ACL:CIFSTESTDOMAdministrator:0x0/0x0/FULL, ACL:CIFSTESTDOMuser2:0x0/0x0/FULL," <file_name> NOTES
Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel. SEE ALSO
mount.cifs(8), winbindd(8), getcifsacl(1) AUTHOR
Shirish Pargaonkar wrote the setcifsacl program. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. cifs-utils 08/19/2011 SETCIFSACL(1)
Check Out this Related Man Page
VFS_GPFS(8) VFS_GPFS(8) NAME
vfs_gpfs - gpfs specific samba extensions like acls and prealloc SYNOPSIS
vfs objects = gpfs DESCRIPTION
This VFS module is part of the samba(7) suite. The gpfs VFS module is the home for all gpfs extensions that Samba requires for proper integration with GPFS. It uses the GPL library interfaces provided by GPFS. Currently the gpfs vfs module provides extensions in following areas : o NFSv4 ACL Interfaces with configurable options for GPFS o Kernel oplock support on GPFS o Lease support on GPFS NOTE:This module follows the posix-acl behaviour and hence allows permission stealing via chown. Samba might allow at a later point in time, to restrict the chown via this module as such restrictions are the responsibility of the underlying filesystem than of Samba. This module is stackable. OPTIONS
nfs4:mode = [ simple | special ] Enable/Disable substitution of special IDs on GPFS. This parameter should not affect the windows users in anyway. It only ensures that Samba sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids ) that are relevant to GPFS. The following MODEs are understood by the module: o simple(default) - do not use special IDs in GPFS ACEs o special - use special IDs in GPFS ACEs. nfs4:acedup = [dontcare|reject|ignore|merge] This parameter configures how Samba handles duplicate ACEs encountered in GPFS ACLs. GPFS allows/creates duplicate ACE for different bits for same ID. Following is the behaviour of Samba for different values : o dontcare (default) - copy the ACEs as they come o reject - stop operation and exit with error on ACL set op o ignore - don't include the second matching ACE o merge - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE nfs4:chown = [yes|no] This parameter allows enabling or disabling the chown supported by the underlying filesystem. This parameter should be enabled with care as it might leave your system insecure. Some filesystems allow chown as a) giving b) stealing. It is the latter that is considered a risk. Following is the behaviour of Samba for different values : o yes - Enable chown if as supported by the under filesystem o no (default) - Disable chown EXAMPLES
A GPFS mount can be exported via Samba as follows : [samba_gpfs_share] vfs objects = gpfs path = /test/gpfs_mount nfs4: mode = special nfs4: acedup = merge CAVEATS
The gpfs gpl libraries are required by gpfs VFS module during both compilation and runtime. Also this VFS module is tested to work on SLES 9/10 and RHEL 4.4 VERSION
This man page is correct for version 3.0.25 of the Samba suite. AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. The GPFS VFS module was created with contributions from Volker Lendecke and the developers at IBM. This manpage was created by the IBM FSCC team VFS_GPFS(8)