svn commit: samba-docs r797 - in trunk/smbdotconf/security: .

jra at jra at
Fri Aug 19 16:40:19 GMT 2005

Author: jra
Date: 2005-08-19 16:40:15 +0000 (Fri, 19 Aug 2005)
New Revision: 797


Added "acl group control" docs.


Added: trunk/smbdotconf/security/aclgroupcontrol.xml
--- trunk/smbdotconf/security/aclgroupcontrol.xml	2005-08-18 00:36:55 UTC (rev 796)
+++ trunk/smbdotconf/security/aclgroupcontrol.xml	2005-08-19 16:40:15 UTC (rev 797)
@@ -0,0 +1,47 @@
+<samba:parameter name="acl group control"
+                 context="S"
+		 type="boolean"
+                 xmlns:samba="">
+	<para>
+	In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
+	and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
+	<emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs
+	on that file.
+	</para>
+	<para>
+	On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
+	that group to modify the permissions on it. This allows the delegation of security controls
+	on a point in the filesystem to the group owner of a directory and anything below it also owned
+	by that group. This means there are multiple people with permissions to modify ACLs on a file
+	or directory, easing managability.
+	</para>
+	<para>
+	This parameter allows Samba to also permit delegation of the control over a point in the exported
+	directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to
+	control the permissions on a file or directory they have group ownership on.
+	</para>
+	<para>
+	This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
+	on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> bit set
+	on them, which causes new files and directories created within it to inherit the group
+	ownership from the containing directory. 
+	</para>
+	<para>
+	This is a new parameter introduced in Samba 3.0.20.
+	</para>
+	<para>
+	This can be particularly useful to allow groups to manage their own security on a part
+	of the filesystem they have group ownership of, removing the bottleneck of having only
+	the user owner or superuser able to reset permissions.
+	</para>
+<related>inherit owner</related>
+<related>inherit permissions</related>
+<value type="default">no</value>

More information about the samba-cvs mailing list