1SHARESEC(1) User Commands SHARESEC(1)
2
6 sharesec - Set or get share ACLs
7
9 sharesec {sharename} [-r, --remove=ACL] [-m, --modify=ACL]
10 [-a, --add=ACL] [-R, --replace=ACLs] [-D, --delete] [-v, --view]
11 [--view-all] [-M, --machine-sid] [-F, --force]
12 [-d, --debuglevel=DEBUGLEVEL] [-s, --configfile=CONFIGFILE]
13 [-l, --log-basename=LOGFILEBASE] [--version] [-?, --help] [--usage]
14 [-S, --setsddl=STRING] [-V, --viewsddl]
15
17 This tool is part of the samba(7) suite.
18 The sharesec program manipulates share permissions on SMB file shares.
20
22 The following options are available to the sharesec program. The format
23 of ACLs is described in the section ACL FORMAT
24 -a|--add=ACL
26 Add the ACEs specified to the ACL list.
27 -D|--delete
29 Delete the entire security descriptor.
30 -F|--force
32 Force storing the ACL.
33 -m|--modify=ACL
35 Modify existing ACEs.
36 -M|--machine-sid
38 Initialize the machine SID.
39 -r|--remove=ACL
41 Remove ACEs.
42 -R|--replace=ACLS
44 Overwrite an existing share permission ACL.
45 -v|--view
47 List a share acl
48 --view-all
50 List all share acls
51 -S|--setsddl=STRING
53 Set security descriptor by providing ACL in SDDL format.
54 -V|--viewsddl
56 List a share acl in SDDL format.
57 -?|--help
59 Print a summary of command line options.
60 -d|--debuglevel=level
62 level is an integer from 0 to 10. The default value if this
63 parameter is not specified is 0.
64 The higher this value, the more detail will be logged to the log
66 files about the activities of the server. At level 0, only critical
67 errors and serious warnings will be logged. Level 1 is a reasonable
68 level for day-to-day running - it generates a small amount of
69 information about operations carried out.
70 Levels above 1 will generate considerable amounts of log data, and
72 should only be used when investigating a problem. Levels above 3
73 are designed for use only by developers and generate HUGE amounts
74 of log data, most of which is extremely cryptic.
75 Note that specifying this parameter here will override the log
77 level parameter in the smb.conf file.
78 -V|--version
80 Prints the program version number.
81 -s|--configfile=<configuration file>
83 The file specified contains the configuration details required by
84 the server. The information in this file includes server-specific
85 information such as what printcap file to use, as well as
86 descriptions of all the services that the server is to provide. See
87 smb.conf for more information. The default configuration file name
88 is determined at compile time.
89 -l|--log-basename=logdirectory
91 Base directory name for log/debug files. The extension ".progname"
92 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
93 file is never removed by the client.
94 --option=<name>=<value>
96 Set the smb.conf(5) option "<name>" to value "<value>" from the
97 command line. This overrides compiled-in defaults and options read
98 from the configuration file.
99
101 The format of an ACL is one or more ACL entries separated by either
102 commas or newlines. An ACL entry is one of the following:
103 REVISION:<revision number>
105 OWNER:<sid or name>
106 GROUP:<sid or name>
107 ACL:<sid or name>:<type>/<flags>/<mask>
108 The revision of the ACL specifies the internal Windows NT ACL revision
111 for the security descriptor. If not specified it defaults to 1. Using
112 values other than 1 may cause strange behaviour.
113 The owner and group specify the owner and group SIDs for the object.
115 Share ACLs do not specify an owner or a group, so these fields are
116 empty.
117 ACLs specify permissions granted to the SID. This SID can be specified
119 in S-1-x-y-z format or as a name in which case it is resolved against
120 the server on which the file or directory resides. The type, flags and
121 mask values determine the type of access granted to the SID.
122 The type can be either ALLOWED or DENIED to allow/deny access to the
124 SID. The flags values are generally zero for share ACLs.
125 The mask is a value which expresses the access right granted to the
127 SID. It can be given as a decimal or hexadecimal value, or by using one
128 of the following text strings which map to the NT file permissions of
129 the same name.
130 • R - Allow read access
132 • W - Allow write access
134 • X - Execute permission on the object
136 • D - Delete the object
138 • P - Change permissions
140 • O - Take ownership
142 The following combined permissions can be specified:
145 • READ - Equivalent to 'RX' permissions
147 • CHANGE - Equivalent to 'RXWD' permissions
149 • FULL - Equivalent to 'RWXDPO' permissions
151
153 The sharesec program sets the exit status depending on the success or
154 otherwise of the operations performed. The exit status may be one of
155 the following values.
156 If the operation succeeded, sharesec returns and exit status of 0. If
158 sharesec couldn't connect to the specified server, or there was an
159 error getting or setting the ACLs, an exit status of 1 is returned. If
160 there was an error parsing any command line arguments, an exit status
161 of 2 is returned.
162
164 Add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724
165 on share:
166 host:~ # sharesec share -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
168 List all ACEs for share:
171 host:~ # sharesec share -v
173 REVISION:1
174 CONTROL:SR|DP
175 OWNER:
176 GROUP:
177 ACL:S-1-1-0:ALLOWED/0x0/FULL
178 ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL
179
182 This man page is part of version 4.14.5 of the Samba suite.
183
185 The original Samba software and related utilities were created by
186 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
187 Source project similar to the way the Linux kernel is developed.
188Samba 4.14.5 06/01/2021 SHARESEC(1)