'\" t .\" Title: sharesec .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 08/09/2022 .\" Manual: User Commands .\" Source: Samba 4.16.4 .\" Language: English .\" .TH "SHARESEC" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" sharesec \- Set or get share ACLs .SH "SYNOPSIS" .HP \w'\ 'u sharesec {sharename} [\-r,\ \-\-remove=ACL] [\-m,\ \-\-modify=ACL] [\-a,\ \-\-add=ACL] [\-R,\ \-\-replace=ACLs] [\-D,\ \-\-delete] [\-v,\ \-\-view] [\-\-view\-all] [\-M,\ \-\-machine\-sid] [\-F,\ \-\-force] [\-d,\ \-\-debuglevel=DEBUGLEVEL] [\-s,\ \-\-configfile=CONFIGFILE] [\-l,\ \-\-log\-basename=LOGFILEBASE] [\-S,\ \-\-setsddl=STRING] [\-\-viewsddl] [\-?|\-\-help] [\-\-usage] [\-d|\-\-debuglevel=DEBUGLEVEL] [\-\-debug\-stdout] [\-\-configfile=CONFIGFILE] [\-\-option=name=value] [\-l|\-\-log\-basename=LOGFILEBASE] [\-\-leak\-report] [\-\-leak\-report\-full] .SH "DESCRIPTION" .PP This tool is part of the \fBsamba\fR(7) suite\&. .PP The sharesec program manipulates share permissions on SMB file shares\&. .SH "OPTIONS" .PP The following options are available to the sharesec program\&. The format of ACLs is described in the section ACL FORMAT .PP \-a|\-\-add=ACL .RS 4 Add the ACEs specified to the ACL list\&. .RE .PP \-D|\-\-delete .RS 4 Delete the entire security descriptor\&. .RE .PP \-F|\-\-force .RS 4 Force storing the ACL\&. .RE .PP \-m|\-\-modify=ACL .RS 4 Modify existing ACEs\&. .RE .PP \-M|\-\-machine\-sid .RS 4 Initialize the machine SID\&. .RE .PP \-r|\-\-remove=ACL .RS 4 Remove ACEs\&. .RE .PP \-R|\-\-replace=ACLS .RS 4 Overwrite an existing share permission ACL\&. .RE .PP \-v|\-\-view .RS 4 List a share acl .RE .PP \-\-view\-all .RS 4 List all share acls .RE .PP \-S|\-\-setsddl=STRING .RS 4 Set security descriptor by providing ACL in SDDL format\&. .RE .PP \-\-viewsddl .RS 4 List a share acl in SDDL format\&. .RE .PP \-?|\-\-help .RS 4 Print a summary of command line options\&. .RE .PP \-\-usage .RS 4 Display brief usage message\&. .RE .PP \-d|\-\-debuglevel=DEBUGLEVEL .RS 4 \fIlevel\fR is an integer from 0 to 10\&. The default value if this parameter is not specified is 1 for client applications\&. .sp The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&. .sp Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&. .sp Note that specifying this parameter here will override the \m[blue]\fBlog level\fR\m[] parameter in the smb\&.conf file\&. .RE .PP \-\-debug\-stdout .RS 4 This will redirect debug output to STDOUT\&. By default all clients are logging to STDERR\&. .RE .PP \-\-configfile= .RS 4 The file specified contains the configuration details required by the client\&. The information in this file can be general for client and server or only provide client specific like options such as \m[blue]\fBclient smb encrypt\fR\m[]\&. See smb\&.conf for more information\&. The default configuration file name is determined at compile time\&. .RE .PP \-\-option== .RS 4 Set the \fBsmb.conf\fR(5) option "" to value "" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&. If a name or a value includes a space, wrap whole \-\-option=name=value into quotes\&. .RE .PP \-l|\-\-log\-basename=logdirectory .RS 4 Base directory name for log/debug files\&. The extension \fB"\&.progname"\fR will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&. .RE .PP \-\-leak\-report .RS 4 Enable talloc leak reporting on exit\&. .RE .PP \-\-leak\-report\-full .RS 4 Enable full talloc leak reporting on exit\&. .RE .PP \-V|\-\-version .RS 4 Prints the program version number\&. .RE .SH "ACL FORMAT" .PP The format of an ACL is one or more ACL entries separated by either commas or newlines\&. An ACL entry is one of the following: .PP .if n \{\ .RS 4 .\} .nf REVISION: OWNER: GROUP: ACL::// .fi .if n \{\ .RE .\} .PP The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&. .PP The owner and group specify the owner and group SIDs for the object\&. Share ACLs do not specify an owner or a group, so these fields are empty\&. .PP ACLs specify permissions granted to the SID\&. This SID can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&. .PP The type can be either ALLOWED or DENIED to allow/deny access to the SID\&. The flags values are generally zero for share ACLs\&. .PP The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&. .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIR\fR \- Allow read access .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIW\fR \- Allow write access .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIX\fR \- Execute permission on the object .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fID\fR \- Delete the object .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIP\fR \- Change permissions .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIO\fR \- Take ownership .RE .sp .RE .PP The following combined permissions can be specified: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIREAD\fR \- Equivalent to \*(AqRX\*(Aq permissions .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fICHANGE\fR \- Equivalent to \*(AqRXWD\*(Aq permissions .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIFULL\fR \- Equivalent to \*(AqRWXDPO\*(Aq permissions .RE .SH "EXIT STATUS" .PP The sharesec program sets the exit status depending on the success or otherwise of the operations performed\&. The exit status may be one of the following values\&. .PP If the operation succeeded, sharesec returns and exit status of 0\&. If sharesec couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&. .SH "EXAMPLES" .PP Add full access for SID \fIS\-1\-5\-21\-1866488690\-1365729215\-3963860297\-17724\fR on \fIshare\fR: .sp .if n \{\ .RS 4 .\} .nf host:~ # sharesec share \-a S\-1\-5\-21\-1866488690\-1365729215\-3963860297\-17724:ALLOWED/0/FULL .fi .if n \{\ .RE .\} .PP List all ACEs for \fIshare\fR: .sp .if n \{\ .RS 4 .\} .nf host:~ # sharesec share \-v REVISION:1 CONTROL:SR|DP OWNER: GROUP: ACL:S\-1\-1\-0:ALLOWED/0x0/FULL ACL:S\-1\-5\-21\-1866488690\-1365729215\-3963860297\-17724:ALLOWED/0x0/FULL .fi .if n \{\ .RE .\} .SH "VERSION" .PP This man page is part of version 4\&.16\&.4 of the Samba suite\&. .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.