1NTFSSECAUDIT(8) System Manager's Manual NTFSSECAUDIT(8)
2
3
4
6 ntfssecaudit - NTFS Security Data Auditing
7
9 ntfssecaudit [options] args
10
11 Where options is a combination of :
12 -a full auditing of security data (Linux only)
13 -b backup ACLs
14 -e setting extra backed-up parameters (in conjunction with -s)
15 -h displaying hexadecimal security descriptors saved in a file
16 -r recursing in a directory
17 -s setting backed-up ACLs
18 -u getting a user mapping proposal
19 -v verbose (very verbose if set twice)
20
21 and args define the parameters and the set of files acted upon.
22
23 Typing secaudit with no args will display a summary of available
24 options.
25
27 ntfssecaudit displays the ownership and permissions of a set of files
28 on an NTFS file system, and checks their consistency. It can be started
29 in terminal mode only (no graphical user interface is available.)
30
31 When a volume is required, it has to be unmounted, and the command has
32 to be issued as root. The volume can be either a block device (i.e. a
33 disk partition) or an image file.
34
35 When acting on a directory or volume, the command may produce a lot of
36 information. It is therefore advisable to redirect the output to a file
37 or pipe it to a text editor for examination.
38
40 Below are the valid combinations of options and arguments that ntfsse‐
41 caudit accepts. All the indicated arguments are mandatory and must be
42 unique (if wildcards are used, they must resolve to a single name.)
43
44 -h file
45 Displays in an human readable form the hexadecimal security
46 descriptors saved in file. This can be used to turn a verbose
47 output into a very verbose output.
48
49 -a[rv] volume
50 Audits the volume : all the global security data on volume are
51 scanned and errors are displayed. If option -r is present, all
52 files and directories are also scanned and their relations to
53 global security data are checked. This can produce a lot of
54 data.
55
56 This option is not effective on volumes formatted for old NTFS
57 versions (pre NTFS 3.0). Such volumes have no global security
58 data.
59
60 When errors are signalled, it is advisable to repair the volume
61 with an appropriate tool (such as chkdsk on Windows.)
62
63 [-v] volume file
64 Displays the security parameters of file : its interpreted Linux
65 mode (rwx flags in octal) and Posix ACL[1], its security key if
66 any, and its security descriptor if verbose output.
67
68 -r[v] volume directory
69 displays the security parameters of all files and subdirectories
70 in directory : their interpreted Linux mode (rwx flags in octal)
71 and Posix ACL[1], their security key if any, and their security
72 descriptor if verbose output.
73
74 -b[v] volume [directory]
75 Recursively extracts to standard output the NTFS ACLs of files
76 in volume and directory.
77
78 -s[ev] volume [backup-file]
79 Sets the NTFS ACLS as indicated in backup-file or standard
80 input. The input data must have been created on Linux. With
81 option -e, also sets extra parameters (currently Windows
82 attrib).
83
84 volume perms file
85 Sets the security parameters of file to perms. Perms is the
86 Linux requested mode (rwx flags, expressed in octal form as in
87 chmod) or a Posix ACL[1] (expressed like in setfacl -m). This
88 sets a new ACL which is effective for Linux and Windows.
89
90 -r[v] volume perms directory
91 Sets the security parameters of all files and subdirectories in
92 directory to perms. Perms is the Linux requested mode (rwx
93 flags, expressed in octal form as in chmod), or a Posix ACL[1]
94 (expressed like in setfacl -m.) This sets new ACLs which are
95 effective for Linux and Windows.
96
97 [-v] mounted-file
98 Displays the security parameters of mounted-file : its inter‐
99 preted Linux mode (rwx flags in octal) and Posix ACL[1], its
100 security key if any, and its security descriptor if verbose out‐
101 put. This is a special case which acts on a mounted file (or
102 directory) and does not require being root. The Posix ACL inter‐
103 pretation can only be displayed if the full path to mounted-file
104 from the root of the global file tree is provided.
105
106 -u[v] mounted-file
107 Displays a proposed contents for a user mapping file, based on
108 the ownership parameters set by Windows on mounted-file, assum‐
109 ing this file was created on Windows by the user who should be
110 mapped to the current Linux user. The displayed information has
111 to be copied to the file .NTFS-3G/UserMapping where .NTFS-3G is
112 a hidden subdirectory of the root of the partition for which the
113 mapping is to be defined. This will cause the ownership of files
114 created on that partition to be the same as the original
115 mounted-file.
116
118 [1] provided the POSIX ACL option was selected at compile time. A Posix
119 ACL specification looks like "[d:]{ugmo}:[id]:[perms],..." where id is
120 a numeric user or group id, and perms an octal digit or a set from the
121 letters r, w and x.
122 Example : "u::7,g::5,o:0,u:510:rwx,g:500:5,d:u:510:7"
123
125 Audit the global security data on /dev/sda1
126
127 ntfssecaudit -ar /dev/sda1
128
129 Display the ownership and permissions parameters for files in directory
130 /audio/music on device /dev/sda5, excluding sub-directories :
131
132 ntfssecaudit /dev/sda5 /audio/music
133
134 Set all files in directory /audio/music on device /dev/sda5 as write‐
135 able by owner and read-only for everybody :
136
137 ntfssecaudit -r /dev/sda5 644 /audio/music
138
139
141 ntfssecaudit exits with a value of 0 when no error was detected, and
142 with a value of 1 when an error was detected.
143
145 Please see
146
147 http://www.tuxera.com/community/ntfs-3g-faq/
148
149 for common questions and known issues. If you would find a new one in
150 the latest release of the software then please send an email describing
151 it in detail. You can contact the development team on the
152 ntfs-3g-devel@lists.sf.net address.
153
155 ntfssecaudit has been developed by Jean-Pierre André.
156
158 Several people made heroic efforts, often over five or more years which
159 resulted the ntfs-3g driver. Most importantly they are Anton Alta‐
160 parmakov, Richard Russon, Szabolcs Szakacsits, Yura Pakhuchiy, Yuval
161 Fledel, and the author of the groundbreaking FUSE filesystem develop‐
162 ment framework, Miklos Szeredi.
163
165 ntfsprogs(8), attr(5), getfattr(1)
166
167
168
169ntfssecaudit 1.5.0 February 2010 NTFSSECAUDIT(8)