SETCIFSACL(1)                                                    SETCIFSACL(1)

NAME

       setcifsacl - Userspace helper to alter components of a security
       descriptor for Common Internet File System (CIFS)

SYNOPSIS

          setcifsacl [-v|-U|-a|-D|-M|-S|-o|-g] "{one or more ACEs or a SID}"
          {file system object}

DESCRIPTION

       This tool is part of the cifs-utils suite.

       setcifsacl is a userspace helper program for the Linux CIFS client file
       system. It is intended to alter an ACL or set owner/group SID of a
       security descriptor for a file system object. Whether a security
       descriptor to be set is applied or not is determined by the CIFS/SMB
       server.

       This program uses a plugin to handle the mapping of user and group
       names to SIDs. /etc/cifs-utils/idmap-plugin should be a symlink that
       points to the correct plugin to use.

OPTIONS

       -h     Print usage message and exit.

       -v     Print version number and exit.

       -U     Apply ACE editing actions (-a, -D, -M, -S) to SACL (aUdit ACL).
              The actions are applied to DACL if -U is not specified.

       -a     Add one or more ACEs to an ACL of a security descriptor. An ACE
              is added even if the same ACE exists in the ACL.

       -D     Delete one or more ACEs from an ACL of a security descriptor.
              The entire ACE has to match in an existing ACL for the listed
              ACEs to be deleted.

       -M     Modify one or more ACEs in an ACL of a security descriptor.
              SID and type are used to match for existing ACEs to be modified
              with the list of ACEs specified.

       -S     Set an ACL of a security descriptor with the list of ACEs.
              The existing ACL is replaced entirely with the specified ACEs.

       -o     Set owner SID to one specified as a command line argument.

       -g     Set group SID to one specified as a command line argument.

              The owner/group SID can be specified as a name or a raw SID
              value. Every ACE entry starts with "ACL:". One or more ACEs are
              specified within double quotes. Multiple ACEs are separated by
              a comma.

              Following fields of a DACL ACE can be modified with possible
              values:

              SID - Either a name or a raw SID value.

              type - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5),
                OBJECT_DENIED (0x6)

              flags - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG
                (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4),
                INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10)
                or a combination/OR of these values.

              mask - Either one of FULL, CHANGE, READ, a combination of R W
                X D P O, or a hex value.

              Following fields of a SACL ACE can be modified with possible
              values:

              SID - Either a name or a raw SID value.

              type - AUDIT (0x2), AUDIT_OBJECT (0x7), AUDIT_CALLBACK (0xD),
                AUDIT_CALLBACK_OBJECT (0xF), MANDATORY_LABEL (0x11),
                RESOURCE_ATTRIBUTE (0x12), SCOPED_POLICY_ID (0x13)

              flags - SUCCESSFULL_ACCESS (SA or 0x40), FAILED_ACCESS (FA or
                0x80)

              mask - Either one of FULL, CHANGE, READ, a combination of R W
                X D P O, or a hex value.

EXAMPLES

   Add an ACE
          setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>

          setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>

          setcifsacl -U -a "ACL:CIFSTESTDOM\user1:AUDIT/SA/D" <file_name>

   Delete an ACE
          setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>

          setcifsacl -U -D "ACL:S-1-1-0:0x2/FA/0xf01ff" <file_name>

   Modify an ACE
          setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name>

          setcifsacl -U -M "ACL:CIFSTESTDOM\user1:AUDIT_OBJECT/SA/CHANGE" <file_name>

   Set an ACL
          setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name>

          setcifsacl -U -S "ACL:CIFSTESTDOM\Administrator:AUDIT/SA/FULL,ACL:CIFSTESTDOM\user2:0x7/0x80/FULL" <file_name>

   Set owner SID
          setcifsacl -o "S-1-5-21-3338130290-3403600371-1423429424-2102" <file_name>

   Set group SID
          setcifsacl -g "Administrators@BUILTIN" <file_name>
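
       An added example, not part of cifs-utils: a small Python linter that
       checks ACE strings against the type and flag tables in OPTIONS before
       they are passed to setcifsacl, which matters most for -S because it
       replaces the whole ACL. It assumes names contain no comma, that mask
       letters are written without separators, and that values outside the
       tables on this page are rejected; the function names are hypothetical.

```python
import re

# Tables copied from the OPTIONS section of this page.
TYPES = {
    "dacl": {"ALLOWED": 0x0, "DENIED": 0x1, "OBJECT_ALLOWED": 0x5, "OBJECT_DENIED": 0x6},
    "sacl": {"AUDIT": 0x2, "AUDIT_OBJECT": 0x7, "AUDIT_CALLBACK": 0xD,
             "AUDIT_CALLBACK_OBJECT": 0xF, "MANDATORY_LABEL": 0x11,
             "RESOURCE_ATTRIBUTE": 0x12, "SCOPED_POLICY_ID": 0x13},
}
FLAGS = {
    "dacl": {"OI": 0x1, "CI": 0x2, "NI": 0x4, "IO": 0x8, "IA": 0x10},
    "sacl": {"SA": 0x40, "FA": 0x80},
}
MASK_RE = re.compile(r"FULL|CHANGE|READ|[RWXDPO]+|0x[0-9a-fA-F]+")  # letters joined (assumed)


def _num(text):
    """Return the value of a 0x-prefixed hex field, or None if it is not hex."""
    return int(text, 16) if re.fullmatch(r"0x[0-9a-fA-F]+", text) else None


def parse_ace(ace, kind="dacl"):
    """Parse one 'ACL:SID:type/flags/mask' entry; kind is 'dacl' or 'sacl' (-U)."""
    if not ace.startswith("ACL:"):
        raise ValueError(f"ACE must start with 'ACL:': {ace!r}")
    sid, sep, fields = ace[4:].rpartition(":")
    parts = fields.split("/")
    if not sep or not sid or len(parts) != 3:
        raise ValueError(f"expected ACL:SID:type/flags/mask: {ace!r}")
    type_s, flags_s, mask_s = parts
    type_v = _num(type_s)
    if type_v is None:
        type_v = TYPES[kind].get(type_s)
    if type_v not in TYPES[kind].values():
        raise ValueError(f"type {type_s!r} is not valid for a {kind.upper()} ACE")
    flags_v = 0
    for tok in flags_s.split("|"):
        bit = _num(tok) if _num(tok) is not None else FLAGS[kind].get(tok)
        if bit is None or bit & ~sum(FLAGS[kind].values()):
            raise ValueError(f"flag {tok!r} is not valid for a {kind.upper()} ACE")
        flags_v |= bit
    if not MASK_RE.fullmatch(mask_s):
        raise ValueError(f"mask {mask_s!r} is not FULL/CHANGE/READ, RWXDPO or hex")
    return {"sid": sid, "type": type_v, "flags": flags_v, "mask": mask_s}


def parse_ace_list(arg, kind="dacl"):
    """Parse the comma-separated ACE list passed to -a, -D, -M or -S."""
    return [parse_ace(a, kind) for a in arg.split(",")]
```

       Call parse_ace_list with kind="sacl" for strings meant for -U; a
       ValueError means the string mixes DACL and SACL values or is malformed.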

NOTES

       Kernel support for getcifsacl/setcifsacl utilities was initially
       introduced in the 2.6.37 kernel.

SEE ALSO

       mount.cifs(8), getcifsacl(1)

AUTHOR

       Shirish Pargaonkar wrote the setcifsacl program.

       The Linux CIFS Mailing list is the preferred place to ask questions
       regarding these programs.