smbcacls
This program provides a way of modifying Windows NT ACLs on files and directories shared by the Samba server.
smbcacls //server/share filename [options]
Adds one or more ACLs to the file or directory. Any ACLs already existing for the file or directory are unchanged.
Modifies the mask of the ACLs specified. Refer to the following section, "Specifying ACLs," for details.
Deletes the specified ACLs.
Sets the specified ACLs, deleting any ACLs previously set on the file or directory. The ACLs must contain at least a revision, type, owner, and group.
Sets the username used to connect to the specified service. The user is prompted for a password unless the argument is specified as username%password. (Specifying the password on the command line is a security risk.) If -U domain\\username is specified, the specified domain or workgroup will be used in place of the one specified in the smb.conf file.
Changes the owner of the file or directory. This is a shortcut for -M OWNER:username. The username argument can be given as a username or a SID in the form S-1-N-N-D-D-D-R.
Changes the group of the file or directory. This is a shortcut for -M GROUP:groupname. The groupname argument can be given as a group name or a SID in the form S-1-N-N-D-D-D-R.
Causes all ACL information to be displayed in numeric format rather than in readable strings.
Prints a help message.
In the previous options, the same format is always used when specifying ACLs. An ACL is made up of one or more Access Control Entries (ACEs), separated by either commas or escaped newlines. An ACE can be one of the following:
The revision_number should always be 1. The OWNER and GROUP entries can be used to set the owner and group for the file or directory. The names can be the textual ones or SIDs in the form S-1-N-N-D-D-D-R.
The ACL entry specifies what access rights to apply to the file or directory. The name_or_SID field specifies to which user or group the permissions apply and can be supplied either as a textual name or a SID. An ACE can be used to either allow or deny access. The type field is set to 1 to specify a permission to be allowed or for specifying a permission to deny. The mask field is the name of the permission and is one of the following:
Read access.
Write access.
Execute permission.
Permission to delete.
Change permissions on the object.
Take ownership.
The following combined permissions can also be specified:
Equivalent to RX permissions
Equivalent to RWXD permissions
Equivalent to RWXDPO permissions
The flags field is for specifying how objects in directories are to inherit their default permissions from their parent directory. For files, flags is normally set to . For directories, flags is usually set to either 9 or 2.
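An added example (not part of the original page and not Samba's own code): a small Python parser for the ACL string format described above, useful for reviewing an ACL before it replaces the existing one. The ACL:name:type/flags/mask layout, the ALLOWED/DENIED type names and the READ/CHANGE/FULL names are taken from the smbcacls manual rather than from this page; the sample names and the rule about Everyone are constructed for illustration.

```python
# Added example, not Samba code. SAMPLE below is constructed input:
# ACEs separated by commas and newlines, as the format allows.
PERMS = "RWXDPO"  # read, write, execute, delete, change perms, take ownership
COMBINED = {"READ": "RX", "CHANGE": "RWXD", "FULL": "RWXDPO"}
SAMPLE = r"""REVISION:1,OWNER:SALES\alice,GROUP:SALES\staff
ACL:SALES\alice:ALLOWED/0/FULL,ACL:Everyone:ALLOWED/0/FULL
ACL:SALES\temp:DENIED/0/W"""


def expand_mask(mask):
    """Expand a mask (letters or a combined name) to a set of letters."""
    letters = COMBINED.get(mask.upper(), mask.upper())
    if not letters or set(letters) - set(PERMS):
        raise ValueError(f"unknown permission in mask {mask!r}")
    return set(letters)


def parse_acl(spec):
    """Parse comma- or newline-separated ACEs into a dict."""
    acl = {"revision": None, "owner": None, "group": None, "aces": []}
    for entry in (e.strip() for e in spec.replace("\n", ",").split(",")):
        if not entry:
            continue
        kind, _, rest = entry.partition(":")
        kind = kind.upper()
        if kind == "REVISION":
            acl["revision"] = int(rest)
        elif kind in ("OWNER", "GROUP"):
            acl[kind.lower()] = rest
        elif kind == "ACL":
            name, _, rights = rest.rpartition(":")
            ace_type, flags, mask = rights.split("/")
            if ace_type.upper() not in ("ALLOWED", "DENIED"):
                raise ValueError(f"bad ACE type in {entry!r}")
            acl["aces"].append({"name": name, "type": ace_type.upper(),
                                "flags": int(flags, 0), "perms": expand_mask(mask)})
        else:
            raise ValueError(f"unrecognised ACE {entry!r}")
    return acl


def check_for_set(acl):
    """List problems that make an ACL unfit to replace the existing one."""
    problems = [] if acl["revision"] == 1 else ["revision must be 1"]
    problems += [f"missing {f}" for f in ("owner", "group") if not acl[f]]
    for ace in acl["aces"]:
        if (ace["type"] == "ALLOWED" and ace["name"].lower() == "everyone"
                and ace["perms"] & {"P", "O"}):
            problems.append("Everyone may change permissions or take ownership")
    return problems
```

Calling check_for_set(parse_acl(SAMPLE)) reports the Everyone entry, because FULL includes the P and O permissions.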