smbcacls documentation
matthew at jenika.com
Fri Jun 4 19:18:54 MDT 2010
I have a Perl module wrapper I use for smbcacls, and this is the POD I wrote for the module's cacl method. I think this same information in the actual smbcacls documentation could be helpful to others. Attached is also a text copy of the POD.
cacl(object)
Get hash representation of cacl for specified object. Returns undef on failure and 1 on success.
Hash contains the following values:
REVISION
Security descriptor revision value.
CONTROL
Security descriptor control settings.
    SEC_DESC_OWNER_DEFAULTED        0x0001
    SEC_DESC_GROUP_DEFAULTED        0x0002
    SEC_DESC_DACL_PRESENT           0x0004
    SEC_DESC_DACL_DEFAULTED         0x0008
    SEC_DESC_SACL_PRESENT           0x0010
    SEC_DESC_SACL_DEFAULTED         0x0020
    SEC_DESC_DACL_AUTO_INHERIT_REQ  0x0100
    SEC_DESC_SACL_AUTO_INHERIT_REQ  0x0200
    SEC_DESC_DACL_AUTO_INHERITED    0x0400
    SEC_DESC_SACL_AUTO_INHERITED    0x0800
    SEC_DESC_DACL_PROTECTED         0x1000  <-- Inheritance enabled/disabled
    SEC_DESC_SACL_PROTECTED         0x2000
    SEC_DESC_RM_CONTROL_VALID       0x4000
    SEC_DESC_SELF_RELATIVE          0x8000
OWNER
Security descriptor owner sid.
GROUP
Security descriptor group sid.
ACL
Security descriptor DACL entries. Consisting of:
sid
Specific ace sid.
type
Type defines if this ace is granting or denying the specified access to the sid. Type possible values:
    C                                   smbcacls  SDDL  Type
    ----------------------------------  --------  ----  ----
    SEC_ACE_TYPE_ACCESS_ALLOWED         ALLOWED   A     0
    SEC_ACE_TYPE_ACCESS_DENIED          DENIED    D     1
    SEC_ACE_TYPE_SYSTEM_AUDIT                     AU    2
    SEC_ACE_TYPE_SYSTEM_ALARM                     AL    3
    SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT            OA    5
    SEC_ACE_TYPE_ACCESS_DENIED_OBJECT             OD    6
    SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT              OU    7
    SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT              OL    8
flags
Flags define how the ace can be inherited. Flags are some combination of the following:
    C                                  smbcacls  SDDL  Flag
    ---------------------------------  --------  ----  ----
    SEC_ACE_FLAG_OBJECT_INHERIT        OI        OI    0x01
    SEC_ACE_FLAG_CONTAINER_INHERIT     CI        CI    0x02
    SEC_ACE_FLAG_NO_PROPAGATE_INHERIT  NP        NP    0x04
    SEC_ACE_FLAG_INHERIT_ONLY          IO        IO    0x08
    SEC_ACE_FLAG_INHERITED_ACE         I         ID    0x10
    SEC_ACE_FLAG_VALID_INHERIT                         0x0F
    SEC_ACE_FLAG_SUCCESSFUL_ACCESS               SA    0x40
    SEC_ACE_FLAG_FAILED_ACCESS                   FA    0x80
mask
Mask defines the privileges granted to this sid for this object. Masks are some combination of the following:
    FILE_READ_DATA          0x00000001
    FILE_LIST_DIRECTORY     0x00000001
    FILE_WRITE_DATA         0x00000002
    FILE_ADD_FILE           0x00000002
    FILE_APPEND_DATA        0x00000004
    FILE_ADD_SUBDIRECTORY   0x00000004
    FILE_READ_EA            0x00000008
    FILE_WRITE_EA           0x00000010
    FILE_EXECUTE            0x00000020
    FILE_TRAVERSE           0x00000020
    FILE_DELETE_CHILD       0x00000040
    FILE_READ_ATTRIBUTES    0x00000080
    FILE_WRITE_ATTRIBUTES   0x00000100
    DELETE_ACCESS           0x00010000
    READ_CONTROL_ACCESS     0x00020000
    WRITE_DAC_ACCESS        0x00040000
    WRITE_OWNER_ACCESS      0x00080000
    SYNCHRONIZE_ACCESS      0x00100000
    SYSTEM_SECURITY_ACCESS  0x01000000
    MAXIMUM_ALLOWED_ACCESS  0x02000000
    GENERIC_ALL_ACCESS      0x10000000
    GENERIC_EXECUTE_ACCESS  0x20000000
    GENERIC_WRITE_ACCESS    0x40000000
    GENERIC_READ_ACCESS     0x80000000
For the smbcacls standard names and the Windows permission interface this is a table of the corresponding Flags and Mask values:
    smbcacls  Windows               Flag  Mask
    --------  --------------------  ----  ----------
    FULL      Full Control          0x13  0x001F01FF
    CHANGE    Modify                0x03  0x001301BF
    READ      Read & Execute        0x03  0x001200A9
    READ      List Folder Contents  0x02  0x001200A9
    R         Read                  0x03  0x00120089
              Write                 0x03  0x00100116
For the Windows advanced permission interface these are the corresponding smbcacls standard names and flags:
    Windows                            smbcacls  Flag
    ---------------------------------  --------  ----
    This folder only                             0x0
    This folder, subfolders and files  OI CI     0x3
    This folder and subfolders         CI        0x2
    This folder and files              OI        0x1
    Subfolders and files only          OI CI IO  0xB
    Subfolders only                    CI IO     0xA
    Files only                         OI IO     0x9
For the Windows advanced permission interface these are the corresponding smbcacls standard names and mask:
    Windows                            smbcacls  Mask
    ---------------------------------  --------  ----------
    Full Control                       FULL      0x001F01FF
    Traverse Folder / Execute File               0x00100020
    List Folder / Read Data                      0x00100001
    Read Attributes                              0x00100080
    Read Extended Attributes                     0x00100008
    Create Files / Write Data                    0x00100002
    Create Folders / Append Data                 0x00100004
    Write Attributes                             0x00100100
    Write Extended Attributes                    0x00100010
    Delete Subfolders and Files                  0x00100040
    Delete                                       0x00110000
    Read Permissions                             0x00120000
    Change Permissions                           0x00140000
    Take Ownership                               0x00180000
Example of using cacl on object "test":
    my %cacl=$smb->cacl("test");
    print $cacl{OWNER}."\n";
Matthew
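
Added example, not part of the original post or the author's Perl module: a Python decoder that turns one smbcacls output line of the form ACL:trustee:type/flags/mask into the flag names, inheritance scope and rights from the tables above, and marks entries that grant Change Permissions or Take Ownership. The numeric form of the flags field, the function name decode_ace and the sample lines are assumptions made for illustration.

```python
# Added example. Table values come from the post; sample ACE lines are constructed.
ACE_TYPES = {"0": "ALLOWED", "1": "DENIED"}
ACE_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "I"}
MASK_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE_ACCESS",
    0x00020000: "READ_CONTROL_ACCESS", 0x00040000: "WRITE_DAC_ACCESS",
    0x00080000: "WRITE_OWNER_ACCESS", 0x00100000: "SYNCHRONIZE_ACCESS",
}
NAMED_MASKS = {"FULL": 0x001F01FF, "CHANGE": 0x001301BF,
               "READ": 0x001200A9, "R": 0x00120089}
SCOPES = {0x0: "This folder only", 0x3: "This folder, subfolders and files",
          0x2: "This folder and subfolders", 0x1: "This folder and files",
          0xB: "Subfolders and files only", 0xA: "Subfolders only",
          0x9: "Files only"}
KNOWN_BITS = sum(MASK_BITS)             # every key is a distinct single bit
SENSITIVE = 0x00040000 | 0x00080000     # WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS


def decode_ace(line):
    """Decode one 'ACL:trustee:type/flags/mask' line (numeric flags assumed)."""
    if not line.startswith("ACL:"):
        raise ValueError("not an ACL line: %r" % line)
    trustee, _, spec = line[4:].rpartition(":")   # the spec part has no ':'
    ace_type, flags_s, mask_s = spec.split("/")
    flags = int(flags_s, 0)
    mask = NAMED_MASKS[mask_s] if mask_s in NAMED_MASKS else int(mask_s, 0)
    return {
        "sid": trustee,
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [name for bit, name in ACE_FLAGS.items() if flags & bit],
        "scope": SCOPES.get(flags & 0x0F, "other"),
        "inherited": bool(flags & 0x10),
        "rights": [name for bit, name in MASK_BITS.items() if mask & bit],
        "unknown_bits": mask & ~KNOWN_BITS,   # e.g. GENERIC_* bits
        "can_change_acl_or_owner": bool(mask & SENSITIVE),
    }


if __name__ == "__main__":
    for sample in (r"ACL:EXAMPLE\alice:ALLOWED/0x3/0x001301BF",   # constructed
                   r"ACL:S-1-5-32-544:0/0x13/FULL",               # constructed
                   r"ACL:EXAMPLE\bob:DENIED/0xB/0x00140000"):     # constructed
        print(decode_ace(sample))
```

The first sample shows that CHANGE (Modify) carries neither FILE_DELETE_CHILD nor the WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS bits, while FULL sets all of them.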