Proposal to remove confusing "security XX mask" parameters for 4.0.0
Jeremy Allison
jra at samba.org
Wed Oct 3 18:00:36 MDT 2012
On Tue, Oct 02, 2012 at 09:41:01PM -0700, Jeremy Allison wrote:
>
> What I'd like to propose is that we
> remove the first 4 parameters:
>
> security mask
> force security mode
> directory security mask
> force directory security mode
>
> for 4.0.0, and leave only the original
>
> create mask
> force create mode
> directory mask
> force directory mode
>
> parameters, which will then be applied
> on both create and ACL set operations.
>
> This will simplify things quite a bit.
And here's the patch for 4.0.0rc3, currently
testing.
Jeremy.
-------------- next part --------------
>From d6e35dc39117e629aa035ae060e7d25796316c77 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 2 Oct 2012 09:21:17 -0700
Subject: [PATCH 1/6] Reformat spacing to be even.
---
source3/smbd/posix_acls.c | 15 ++++++++-------
1 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 016acf4..531313b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1351,13 +1351,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
type.
****************************************************************************/
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
- const struct share_params *params,
- const bool is_directory,
- const struct dom_sid *pfile_owner_sid,
- const struct dom_sid *pfile_grp_sid,
- const SMB_STRUCT_STAT *pst,
- bool setting_acl)
+static bool ensure_canon_entry_valid(connection_struct *conn,
+ canon_ace **pp_ace,
+ const struct share_params *params,
+ const bool is_directory,
+ const struct dom_sid *pfile_owner_sid,
+ const struct dom_sid *pfile_grp_sid,
+ const SMB_STRUCT_STAT *pst,
+ bool setting_acl)
{
canon_ace *pace;
canon_ace *pace_user = NULL;
--
1.7.7.3
>From c1ce91416fae6519b64aad36b8498040e02f12b2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 2 Oct 2012 09:55:09 -0700
Subject: [PATCH 2/6] Use is_default_acl variable in canonicalise_acl().
---
source3/smbd/posix_acls.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 531313b..b74c1b2 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2629,6 +2629,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
canon_ace *ace = NULL;
canon_ace *next_ace = NULL;
int entry_id = SMB_ACL_FIRST_ENTRY;
+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
SMB_ACL_ENTRY_T entry;
size_t ace_count;
@@ -2719,7 +2720,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
ace->trustee = sid;
ace->unix_ug = unix_ug;
ace->owner_type = owner_type;
- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
DLIST_ADD(l_head, ace);
}
@@ -2738,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
* acl_mask. Ensure all DENY Entries are at the start of the list.
*/
- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
next_ace = ace->next;
--
1.7.7.3
>From 9ccf56aea9c5c1b89c4c459b40026302ddc92309 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 2 Oct 2012 10:12:45 -0700
Subject: [PATCH 3/6] Only apply masks on non-default ACL entries when setting
the ACL.
---
source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
1 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index b74c1b2..125234c 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1353,6 +1353,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
static bool ensure_canon_entry_valid(connection_struct *conn,
canon_ace **pp_ace,
+ bool is_default_acl,
const struct share_params *params,
const bool is_directory,
const struct dom_sid *pfile_owner_sid,
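Review bot: The new `is_default_acl` parameter is not described anywhere; the comment block above `ensure_canon_entry_valid` (its tail, ending in `type.`, is visible in the first patch of this series) still documents only the old arguments. Add a line to that block such as `is_default_acl: true when *pp_ace is a directory's default (inheritable) ACL; the create/directory masks are then not applied on set` and state the reason (presumably that those masks are applied to each child when it is created; confirm). The remainder of the signature and the whole body lie outside this hunk.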
@@ -1368,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
pace_user = pace;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
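Review bot: The condition `setting_acl && !is_default_acl` is written out here and again in the GROUP_OBJ and OTHER hunks that follow, and the later `if (!is_default_acl)` tests nested inside the existing `if (setting_acl)` blocks express the same rule a fourth, fifth and sixth time. Evaluating it once before the loop, `const bool apply_masks = setting_acl && !is_default_acl;`, and testing `if (apply_masks)` at each site makes the new rule read as a single decision and keeps the six sites from drifting apart in a later edit. The loop and the function both begin above this hunk.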
@@ -1378,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
pace_group = pace;
} else if (pace->type == SMB_ACL_OTHER) {
@@ -1388,8 +1391,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
pace_other = pace;
}
}
@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
pace->perms = pace_other->perms;
}
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
@@ -1466,7 +1472,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
pace->perms = pace_other->perms;
else
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
@@ -1490,7 +1498,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2531,7 +2541,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
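Review bot: The new argument is spelled `false` while the last argument of the same call is the legacy `True`, and the dir_ace call in the next hunk (`true` ... `True`) and the canonicalise_acl call (`is_default_acl` ... `False`) mix the two spellings the same way. Pick one per call; since the new code already uses C99 `bool`, `false, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, true)` is the natural choice. Three positional booleans in one argument list are also easy to transpose, so a naming comment, `/* is_default_acl */ false`, would help the next reader check the call.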
@@ -2540,7 +2550,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@ -2729,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
* This next call will ensure we have at least a user/group/world set.
*/
- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
--
1.7.7.3
>From 86d32250dedf8961f5fbee11290fd2e1bb437ae6 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 2 Oct 2012 10:15:54 -0700
Subject: [PATCH 4/6] When setting a non-default ACL, don't forget to apply
masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
---
source3/smbd/posix_acls.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 125234c..b00f1ec 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1395,6 +1395,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
apply_default_perms(params, is_directory, pace, S_IROTH);
}
pace_other = pace;
+
+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+ /*
+ * Ensure create mask/force create mode is respected on set.
+ */
+
+ if (setting_acl && !is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
}
}
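Review bot: The new branch applies the group bits of the mask (`S_IRGRP`) to named-user entries as well as named-group entries, but the comment copied from the GROUP_OBJ case does not say why a named user gets group treatment. If the intent is that SMB_ACL_USER and SMB_ACL_GROUP entries both fall in the POSIX ACL group class (the entries covered by the ACL mask entry), say so: `/* Named user and named group entries are in the ACL group class, so the group bits of the mask apply to both. */`. The enclosing loop and function extend beyond this hunk.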
--
1.7.7.3
>From c3042857fd8b9286be92d49b1e662225564931e4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 3 Oct 2012 14:49:01 -0700
Subject: [PATCH 5/6] Remove all uses of
lp_security_mask/lp_force_security_mode/lp_dir_security_mask/lp_force_dir_security_mode
and replace with the normal masks. Now these parameters
can be removed.
---
source3/smbd/posix_acls.c | 16 ++++++++--------
source3/smbd/trans2.c | 14 ++------------
2 files changed, 10 insertions(+), 20 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index b00f1ec..503727f 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1270,11 +1270,11 @@ static void apply_default_perms(const struct share_params *params,
/* Get the initial bits to apply. */
if (is_directory) {
- and_bits = lp_dir_security_mask(params->service);
- or_bits = lp_force_dir_security_mode(params->service);
+ and_bits = lp_dir_mask(params->service);
+ or_bits = lp_force_dir_mode(params->service);
} else {
- and_bits = lp_security_mask(params->service);
- or_bits = lp_force_security_mode(params->service);
+ and_bits = lp_create_mask(params->service);
+ or_bits = lp_force_create_mode(params->service);
}
/* Now bounce them into the S_USR space. */
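Review bot: Replacing the security masks with `lp_create_mask`/`lp_dir_mask` and `lp_force_create_mode`/`lp_force_dir_mode` also changes the defaults that gate permission changes made through ACL set: the removed parameters defaulted to 0777/0 (see the loadparm.c hunk) whereas the create and directory masks default to 0744 and 0755, so on an unmodified configuration a client that sets group or other write via the security dialog now has those bits silently cleared. The same substitution is made in `convert_canon_ace_to_posix_perms` in the next hunk. A why-comment at the assignment, `/* Since 4.0.0 the create/directory masks (defaults 0744/0755) also apply to permission changes made via ACL set; admins who want clients to have full control must set them to 0777. */`, and a release-notes entry would keep this from surfacing as an unexplained regression report. Configurations that still set the removed parameters will presumably be reported as unknown parameters once patch 6 drops them from the table; a deprecated-and-ignored table entry for one release would soften that. apply_default_perms begins above this hunk.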
@@ -3185,11 +3185,11 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
/* Get the initial bits to apply. */
if (fsp->is_directory) {
- and_bits = lp_dir_security_mask(snum);
- or_bits = lp_force_dir_security_mode(snum);
+ and_bits = lp_dir_mask(snum);
+ or_bits = lp_force_dir_mode(snum);
} else {
- and_bits = lp_security_mask(snum);
- or_bits = lp_force_security_mode(snum);
+ and_bits = lp_create_mask(snum);
+ or_bits = lp_force_create_mode(snum);
}
*posix_perms = (((*posix_perms) & and_bits)|or_bits);
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 2bc85bf..90d07d4 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1364,28 +1364,18 @@ static NTSTATUS unix_perms_from_wire( connection_struct *conn,
switch (ptype) {
case PERM_NEW_FILE:
+ case PERM_EXISTING_FILE:
/* Apply mode mask */
ret &= lp_create_mask(SNUM(conn));
/* Add in force bits */
ret |= lp_force_create_mode(SNUM(conn));
break;
case PERM_NEW_DIR:
+ case PERM_EXISTING_DIR:
ret &= lp_dir_mask(SNUM(conn));
/* Add in force bits */
ret |= lp_force_dir_mode(SNUM(conn));
break;
- case PERM_EXISTING_FILE:
- /* Apply mode mask */
- ret &= lp_security_mask(SNUM(conn));
- /* Add in force bits */
- ret |= lp_force_security_mode(SNUM(conn));
- break;
- case PERM_EXISTING_DIR:
- /* Apply mode mask */
- ret &= lp_dir_security_mask(SNUM(conn));
- /* Add in force bits */
- ret |= lp_force_dir_security_mode(SNUM(conn));
- break;
}
*ret_perms = ret;
--
1.7.7.3
>From 3cb1c3c8393e5c72bf7995418cecca0c4a1249d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 3 Oct 2012 16:04:18 -0700
Subject: [PATCH 6/6] Remove the parameters:
security mask
force security mode
directory security mask
force directory security mode
and update the docs.
---
docs-xml/smbdotconf/security/createmask.xml | 5 +--
docs-xml/smbdotconf/security/directorymask.xml | 8 ++--
.../smbdotconf/security/directorysecuritymask.xml | 32 ++---------------
docs-xml/smbdotconf/security/forcecreatemode.xml | 6 +++
.../smbdotconf/security/forcedirectorymode.xml | 6 +++
.../security/forcedirectorysecuritymode.xml | 38 ++-----------------
docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 +++-----------------
docs-xml/smbdotconf/security/securitymask.xml | 33 ++---------------
examples/scripts/shares/python/smbparm.py | 4 --
lib/param/param_functions.c | 4 --
lib/param/param_table.c | 36 ------------------
source3/include/proto.h | 4 --
source3/param/loadparm.c | 4 --
13 files changed, 33 insertions(+), 185 deletions(-)
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
index cf6864c..59e208d 100644
--- a/docs-xml/smbdotconf/security/createmask.xml
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -28,9 +28,8 @@
</para>
<para>
- Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
- administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
- name="security mask"/>.
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
+ over permission changes it should be set to 0777.
</para>
</description>
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
index 7b67f79..2ebfc16 100644
--- a/docs-xml/smbdotconf/security/directorymask.xml
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -24,14 +24,14 @@
created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
+ <para>
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
+ over permission changes it should be set to 0777.
+ </para>
</description>
<related>force directory mode</related>
<related>create mask</related>
-<related>directory security mask</related>
<related>inherit permissions</related>
<value type="default">0755</value>
<value type="example">0775</value>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
index 5ed85ae..0bd5d93 100644
--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -3,37 +3,11 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission bits
- will be set when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog
- box.</para>
-
<para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
- Essentially, zero bits in this mask are a set of bits that will always be set to zero.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="directory mask"/> is now used instead to mask
+ any permission bit changes on directories.
<para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>If not set explicitly this parameter is set to 0777
- meaning a user is allowed to set all the user/group/world
- permissions on a directory.</para>
-
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to leave
- it as the default of <constant>0777</constant>.</para>
</description>
-<related>force directory security mode</related>
-<related>security mask</related>
-<related>force security mode</related>
-<value type="default">0777</value>
-<value type="example">0700</value>
</samba:parameter>
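Review bot: The replacement text leaves the `<para>` opened at the top of `<description>` unclosed: the context `<para>` that follows the new sentence used to open a second paragraph, and every `</para>` in the description is deleted, so the file now has two opening tags and no closing tag before `</description>`. Change that remaining context line from `<para>` to `</para>` (or close the paragraph directly after `any permission bit changes on directories.`). The same unbalanced structure is in the forcedirectorysecuritymode.xml hunk; the forcesecuritymode.xml and securitymask.xml hunks close their paragraph correctly.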
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
index a3f1c2c..5a57a29 100644
--- a/docs-xml/smbdotconf/security/forcecreatemode.xml
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -10,6 +10,12 @@
mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
parameter is applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a file, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
+ </para>
+
<para>The example below would force all newly created files to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
index 7effc0e..e5b37ea 100644
--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -12,6 +12,12 @@
mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a directory, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
+ </para>
+
<para>The example below would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
index 2c15ec2..01e5fe9 100644
--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -4,40 +4,10 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a directory using the native NT security dialog box.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force directory mode"/> is now used instead to
+ force any permission changes on directories to include specific UNIX
+ permission bits.
<para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
- of an OR.
- </para>
-
- <para>
- Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
- to will enable (1) any flags that are off (0) but which the mask has set to on (1).
- </para>
-
- <para>
- If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
- permissions on a directory without restrictions.
- </para>
-
- <note><para>
- Users who can access the Samba server through other means can easily bypass this restriction, so it is
- primarily useful for standalone "appliance" systems. Administrators of most normal systems will
- probably want to leave it set as 0000.
- </para></note>
-
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>directory security mask</related>
-<related>security mask</related>
-<related>force security mode</related>
-
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
index 7451ef9..b6713b1 100644
--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -4,38 +4,10 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
- </para>
-
- <para>
- Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
- the user has always set to be on.
- </para>
-
- <para>
- If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
- permissions on a file, with no restrictions.
- </para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most
- normal systems will probably want to leave this set to 0000.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force create mode"/> is now used instead to
+ force any permission changes on files to include specific UNIX
+ permission bits.
+ </para>
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>security mask</related>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
index 23bc280..d1e78be 100644
--- a/docs-xml/smbdotconf/security/securitymask.xml
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -4,36 +4,9 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
- UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
- </para>
-
- <para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>
- If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="create mask"/> is now used instead to mask
+ any permission bit changes on files.
</para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of
- most normal systems will probably want to leave it set to <constant>0777</constant>.
- </para>
</description>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>force security mode</related>
-
-<value type="default">0777</value>
-<value type="example">0770</value>
</samba:parameter>
diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py
index 8dca781..f0bc1ec 100644
--- a/examples/scripts/shares/python/smbparm.py
+++ b/examples/scripts/shares/python/smbparm.py
@@ -89,7 +89,6 @@ parm_table = {
"ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
"WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
"MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
"VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
"CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
"DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
@@ -102,7 +101,6 @@ parm_table = {
"DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
"LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
"WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
"ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
"PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
"MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
@@ -147,7 +145,6 @@ parm_table = {
"LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
"LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
"LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
"LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
"NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
"LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
@@ -184,7 +181,6 @@ parm_table = {
"POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
"INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
"ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
"ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
"USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
"MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index ce2f671..d5cd018 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
FN_LOCAL_INTEGER(printing, iPrinting)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 325f295..01f65fe 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -957,24 +957,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
{
- .label = "security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
.label = "directory mask",
.type = P_OCTAL,
.p_class = P_LOCAL,
@@ -1002,24 +984,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
{
- .label = "directory security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force directory security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
.label = "force unknown acl user",
.type = P_BOOL,
.p_class = P_LOCAL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a..ac3d205 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
bool lp_durable_handles(int);
int lp_create_mask(int );
int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
int lp_dir_mask(int );
int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
int lp_max_connections(int );
int lp_defaultcase(int );
int lp_minprintspace(int );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce..42bf11d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
.iWriteCacheSize = 0,
.iCreate_mask = 0744,
.iCreate_force_mode = 0,
- .iSecurity_mask = 0777,
- .iSecurity_force_mode = 0,
.iDir_mask = 0755,
.iDir_force_mode = 0,
- .iDir_Security_mask = 0777,
- .iDir_Security_force_mode = 0,
.iMaxConnections = 0,
.iDefaultCase = CASE_LOWER,
.iPrinting = DEFAULT_PRINTING,
--
1.7.7.3