1SHARESEC(1) User Commands SHARESEC(1)
2
6 sharesec - Set or get share ACLs
7
9 sharesec {sharename} [-r, --remove=ACL] [-m, --modify=ACL]
10 [-a, --add=ACL] [-R, --replace=ACLs] [-D, --delete] [-v, --view]
11 [-M, --machine-sid] [-F, --force] [-d, --debuglevel=DEBUGLEVEL]
12 [-s, --configfile=CONFIGFILE] [-l, --log-basename=LOGFILEBASE]
13 [-V, --version] [-?, --help] [--usage]
14
16 This tool is part of the samba(7) suite.
17 The sharesec program manipulates share permissions on SMB file shares.
19
21 The following options are available to the sharesec program. The format
22 of ACLs is described in the section ACL FORMAT
23 -a|--add=ACL
25 Add the ACEs specified to the ACL list.
26 -D|--delete
28 Delete the entire security descriptor.
29 -F|--force
31 Force storing the ACL.
32 -m|--modify=ACL
34 Modify existing ACEs.
35 -M|--machine-sid
37 Initialize the machine SID.
38 -r|--remove=ACL
40 Remove ACEs.
41 -R|--replace=ACLS
43 Overwrite an existing share permission ACL.
44 -h|--help
46 Print a summary of command line options.
47 -d|--debuglevel=level
49 level is an integer from 0 to 10. The default value if this
50 parameter is not specified is 0.
51 The higher this value, the more detail will be logged to the log
53 files about the activities of the server. At level 0, only critical
54 errors and serious warnings will be logged. Level 1 is a reasonable
55 level for day-to-day running - it generates a small amount of
56 information about operations carried out.
57 Levels above 1 will generate considerable amounts of log data, and
59 should only be used when investigating a problem. Levels above 3
60 are designed for use only by developers and generate HUGE amounts
61 of log data, most of which is extremely cryptic.
62 Note that specifying this parameter here will override the
64 smb.conf.5.html# parameter in the smb.conf file.
65 -V|--version
67 Prints the program version number.
68 -s|--configfile <configuration file>
70 The file specified contains the configuration details required by
71 the server. The information in this file includes server-specific
72 information such as what printcap file to use, as well as
73 descriptions of all the services that the server is to provide. See
74 smb.conf for more information. The default configuration file name
75 is determined at compile time.
76 -l|--log-basename=logdirectory
78 Base directory name for log/debug files. The extension ".progname"
79 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
80 file is never removed by the client.
81
83 The format of an ACL is one or more ACL entries separated by either
84 commas or newlines. An ACL entry is one of the following:
85 REVISION:<revision number>
87 OWNER:<sid or name>
88 GROUP:<sid or name>
89 ACL:<sid or name>:<type>/<flags>/<mask>
90 The revision of the ACL specifies the internal Windows NT ACL revision
93 for the security descriptor. If not specified it defaults to 1. Using
94 values other than 1 may cause strange behaviour.
95 The owner and group specify the owner and group SIDs for the object. If
97 a SID in the format S-1-x-y-z is specified this is used, otherwise the
98 name specified is resolved using the server on which the file or
99 directory resides.
100 ACLs specify permissions granted to the SID. This SID can be specified
102 in S-1-x-y-z format or as a name in which case it is resolved against
103 the server on which the file or directory resides. The type, flags and
104 mask values determine the type of access granted to the SID.
105 The type can be either ALLOWED or DENIED to allow/deny access to the
107 SID. The flags values are generally zero for share ACLs.
108 The mask is a value which expresses the access right granted to the
110 SID. It can be given as a decimal or hexadecimal value, or by using one
111 of the following text strings which map to the NT file permissions of
112 the same name.
113 · R - Allow read access
115 · W - Allow write access
117 · X - Execute permission on the object
119 · D - Delete the object
121 · P - Change permissions
123 · O - Take ownership
125 The following combined permissions can be specified:
128 · READ - Equivalent to ´RX´ permissions
130 · CHANGE - Equivalent to ´RXWD´ permissions
132 · FULL - Equivalent to ´RWXDPO´ permissions
134
136 The sharesec program sets the exit status depending on the success or
137 otherwise of the operations performed. The exit status may be one of
138 the following values.
139 If the operation succeeded, sharesec returns and exit status of 0. If
141 sharesec couldn´t connect to the specified server, or there was an
142 error getting or setting the ACLs, an exit status of 1 is returned. If
143 there was an error parsing any command line arguments, an exit status
144 of 2 is returned.
145
147 Add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724
148 on share:
149 host:~ # sharesec share -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
151 List all ACEs for share:
154 host:~ # sharesec share -v
156 REVISION:1
157 OWNER:(NULL SID)
158 GROUP:(NULL SID)
159 ACL:S-1-1-0:ALLOWED/0/0x101f01ff
160 ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
161
164 This man page is correct for version 3 of the Samba suite.
165
167 The original Samba software and related utilities were created by
168 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
169 Source project similar to the way the Linux kernel is developed.
170Samba 3.5 08/02/2011 SHARESEC(1)