1SETCIFSACL(1)                                                    SETCIFSACL(1)
2
3
4

NAME

6       setcifsacl  - Userspace helper to alter an ACL in a security descriptor
7       for Common Internet File System (CIFS)
8

SYNOPSIS

10          setcifsacl  [-v|-a|-D|-M|-S]  "{one  or  more  ACEs}"  {file  system
11          object}
12

DESCRIPTION

14       This tool is part of the cifs-utils suite.
15
16       setcifsacl is a userspace helper program for the Linux CIFS client file
17       system. It is intended to alter an ACL of a security descriptor  for  a
18       file  system object. Whether a security descriptor to be set is applied
19       or not is determined by the CIFS/SMB server.
20
21       This program uses a plugin to handle the  mapping  of  user  and  group
22       names  to  SIDs.  /etc/cifs-utils/idmap-plugin should be a symlink that
23       points to the correct plugin to use.
24

OPTIONS

26       -h     Print usage message and exit.
27
28       -v     Print version number and exit.
29
30       -a     Add one or more ACEs to an ACL of a security descriptor.  An ACE
31              is added even if the same ACE exists in the ACL.
32
33       -D     Delete  one  or  more ACEs from an ACL of a security descriptor.
34              Entire ACE has to match in an existing ACL for the  listed  ACEs
35              to be deleted.
36
37       -M     Modify  one  or  more ACEs from an ACL of a security descriptor.
38              SID and type are used to match for existing ACEs to be  modified
39              with the list of ACEs specified.
40
41       -S     Set an ACL of security descriptor with the list of ACEs Existing
42              ACL is replaced entirely with the specified ACEs.
43
44              Every ACE entry starts with "ACL:" One or more ACEs  are  speci‐
45              fied  within  double  quotes.   Multiple ACEs are separated by a
46              comma.
47
48              Following fields of an ACE can be modified with possible values:
49
50              · SID - Either a name or a raw SID value.
51
52              · type - ALLOWED  (0x0),  DENIED  (0x1),  OBJECT_ALLOWED  (0x5),
53                OBJECT_DENIED (0x6)
54
55              · flags    -    OBJECT_INHERIT_FLAG    (OI    or    0x1),   CON‐
56                TAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI
57                or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA
58                or 0x10) or a combination/OR of these values.
59
60              · mask  - Either one of FULL, CHANGE, READ, a combination of R W
61                X D P O, or a hex value.
62

EXAMPLES

64   Add an ACE
65          setcifsacl  -a  "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> set‐
66          cifsacl -a "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name>
67
68   Delete an ACE
69          setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
70
71   Modify an ACE
72          setcifsacl -M "ACL:CIFSTESTDOMuser1:ALLOWED/0x1f/CHANGE" <file_name>
73
74   Set an ACL
75          setcifsacl  -S   "ACL:CIFSTESTDOMAdministrator:0x0/0x0/FULL,ACL:CIF‐
76          STESTDOMuser2:0x0/0x0/FULL" <file_name>
77

NOTES

79       Kernel support for getcifsacl/setcifsacl utilities was initially intro‐
80       duced in the 2.6.37 kernel.
81

SEE ALSO

83       mount.cifs(8), getcifsacl(1)
84

AUTHOR

86       Shirish Pargaonkar wrote the setcifsacl program.
87
88       The Linux CIFS Mailing list is the preferred  place  to  ask  questions
89       regarding these programs.
90
91
92
93
94                                                                 SETCIFSACL(1)
Impressum