SHARESEC(1) User Commands SHARESEC(1)

NAME
       sharesec - Set or get share ACLs

SYNOPSIS
       sharesec {sharename} [-r, --remove=ACL] [-m, --modify=ACL]
        [-a, --add=ACL] [-R, --replace=ACLs] [-D, --delete] [-v, --view]
        [--view-all] [-M, --machine-sid] [-F, --force]
        [-d, --debuglevel=DEBUGLEVEL] [-s, --configfile=CONFIGFILE]
        [-l, --log-basename=LOGFILEBASE] [--version] [-?, --help] [--usage]
        [-S, --setsddl=STRING] [-V, --viewsddl]

DESCRIPTION
       This tool is part of the samba(7) suite.

       The sharesec program manipulates share permissions on SMB file shares.

OPTIONS
       The following options are available to the sharesec program. The format
       of ACLs is described in the section ACL FORMAT.

       -a|--add=ACL
           Add the ACEs specified to the ACL list.

       -D|--delete
           Delete the entire security descriptor.

       -F|--force
           Force storing the ACL.

       -m|--modify=ACL
           Modify existing ACEs.

       -M|--machine-sid
           Initialize the machine SID.

       -r|--remove=ACL
           Remove ACEs.

       -R|--replace=ACLS
           Overwrite an existing share permission ACL.

       -v|--view
           List a share ACL.

       --view-all
           List all share ACLs.

       -S|--setsddl=STRING
           Set security descriptor by providing ACL in SDDL format.

       -V|--viewsddl
           List a share ACL in SDDL format.

       -?|--help
           Print a summary of command line options.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 0.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

ACL FORMAT
       The format of an ACL is one or more ACL entries separated by either
       commas or newlines. An ACL entry is one of the following:

                REVISION:<revision number>
                OWNER:<sid or name>
                GROUP:<sid or name>
                ACL:<sid or name>:<type>/<flags>/<mask>

       The revision of the ACL specifies the internal Windows NT ACL revision
       for the security descriptor. If not specified it defaults to 1. Using
       values other than 1 may cause strange behaviour.

       The owner and group specify the owner and group SIDs for the object.
       Share ACLs do not specify an owner or a group, so these fields are
       empty.

       ACLs specify permissions granted to the SID. This SID can be specified
       in S-1-x-y-z format or as a name in which case it is resolved against
       the server on which the file or directory resides. The type, flags and
       mask values determine the type of access granted to the SID.

       The type can be either ALLOWED or DENIED to allow/deny access to the
       SID. The flags values are generally zero for share ACLs.

       The mask is a value which expresses the access right granted to the
       SID. It can be given as a decimal or hexadecimal value, or by using one
       of the following text strings which map to the NT file permissions of
       the same name.

       ·   R - Allow read access

       ·   W - Allow write access

       ·   X - Execute permission on the object

       ·   D - Delete the object

       ·   P - Change permissions

       ·   O - Take ownership

       The following combined permissions can be specified:

       ·   READ - Equivalent to 'RX' permissions

       ·   CHANGE - Equivalent to 'RXWD' permissions

       ·   FULL - Equivalent to 'RWXDPO' permissions

EXIT STATUS
       The sharesec program sets the exit status depending on the success or
       otherwise of the operations performed. The exit status may be one of
       the following values.

       If the operation succeeded, sharesec returns an exit status of 0. If
       sharesec couldn't connect to the specified server, or there was an
       error getting or setting the ACLs, an exit status of 1 is returned. If
       there was an error parsing any command line arguments, an exit status
       of 2 is returned.

EXAMPLES
       Add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724
       on share:

                host:~ # sharesec share -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL

       List all ACEs for share:

                host:~ # sharesec share -v
                REVISION:1
                CONTROL:SR|DP
                OWNER:
                GROUP:
                ACL:S-1-1-0:ALLOWED/0x0/FULL
                ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL

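       An added example (not part of the Samba man page or code base): a
       Python audit helper that parses text in the ACL FORMAT above, such as
       the -v output just shown, and reports ALLOWED entries that give the
       well-known Everyone SID (S-1-1-0) more than READ. The function names
       are hypothetical, and numeric masks are reported rather than decoded.

```python
import re

# Combined permissions exactly as the ACL FORMAT section defines them.
COMBINED = {"READ": "RX", "CHANGE": "RXWD", "FULL": "RWXDPO"}
EVERYONE = "S-1-1-0"  # well-known SID for the Everyone group
# The `sharesec share -v` output shown in EXAMPLES above.
SAMPLE = """REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL
"""

def parse_mask(mask):
    """Return the set of permission letters, or None for a numeric mask."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", mask):
        return None  # assumption: decimal/hex masks are left undecoded
    letters = set(COMBINED.get(mask, mask))
    if not letters or not letters <= set("RWXDPO"):
        raise ValueError(f"unknown mask: {mask!r}")
    return letters

def parse_acl(text):
    """Parse comma- or newline-separated entries; return the ACL: entries."""
    aces = []
    for entry in (e.strip() for e in re.split(r"[,\n]", text)):
        if not entry.startswith("ACL:"):
            continue  # REVISION/CONTROL/OWNER/GROUP lines grant nothing
        # The trustee may be a SID or a name; split on the last colon.
        trustee, spec = entry[4:].rsplit(":", 1)
        ace_type, flags, mask = spec.split("/")
        if ace_type not in ("ALLOWED", "DENIED"):
            raise ValueError(f"unknown ACE type: {ace_type!r}")
        aces.append({"trustee": trustee, "type": ace_type,
                     "mask": mask, "rights": parse_mask(mask)})
    return aces

def broad_grants(aces, broad=(EVERYONE,)):
    """Report ALLOWED ACEs giving a broad trustee more than READ ('RX')."""
    findings = []
    for ace in aces:
        if ace["type"] != "ALLOWED" or ace["trustee"] not in broad:
            continue
        if ace["rights"] is None:
            findings.append((ace["trustee"], ace["mask"], "numeric mask"))
        elif ace["rights"] - set(COMBINED["READ"]):
            extra = "".join(sorted(ace["rights"] - set(COMBINED["READ"])))
            findings.append((ace["trustee"], ace["mask"], "beyond READ: " + extra))
    return findings
```

       Run over SAMPLE, broad_grants(parse_acl(SAMPLE)) reports the S-1-1-0
       entry with FULL; the per-user entry is not in the broad list and is
       left alone.
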
VERSION
       This man page is part of version 4.11.4 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.11.4 12/16/2019 SHARESEC(1)