SHARESEC(1)                      User Commands                     SHARESEC(1)

NAME
       sharesec - Set or get share ACLs

SYNOPSIS
       sharesec {sharename} [-r, --remove=ACL] [-m, --modify=ACL]
        [-a, --add=ACL] [-R, --replace=ACLs] [-D, --delete] [-v, --view]
        [--view-all] [-M, --machine-sid] [-F, --force]
        [-d, --debuglevel=DEBUGLEVEL] [-s, --configfile=CONFIGFILE]
        [-l, --log-basename=LOGFILEBASE] [-S, --setsddl=STRING] [--viewsddl]
        [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
        [--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]

DESCRIPTION
       This tool is part of the samba(7) suite.

       The sharesec program manipulates share permissions on SMB file shares.

OPTIONS
       The following options are available to the sharesec program. The format
       of ACLs is described in the section ACL FORMAT.

       -a|--add=ACL
           Add the ACEs specified to the ACL list.

       -D|--delete
           Delete the entire security descriptor.

       -F|--force
           Force storing the ACL.

       -m|--modify=ACL
           Modify existing ACEs.

       -M|--machine-sid
           Initialize the machine SID.

       -r|--remove=ACL
           Remove ACEs.

       -R|--replace=ACLS
           Overwrite an existing share permission ACL.

       -v|--view
           List a share ACL.

       --view-all
           List all share ACLs.

       -S|--setsddl=STRING
           Set security descriptor by providing ACL in SDDL format.

       --viewsddl
           List a share ACL in SDDL format.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -d|--debuglevel=DEBUGLEVEL
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           log to STDERR.

       --configfile=<configuration file>
           The file specified contains the configuration details required by
           the client. The information in this file can be general for client
           and server, or can provide only client-specific options such as
           client smb encrypt. See smb.conf for more information. The default
           configuration file name is determined at compile time.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file. If a name or a value includes a space,
           wrap the whole --option=name=value in quotes.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --leak-report
           Enable talloc leak reporting on exit.

       --leak-report-full
           Enable full talloc leak reporting on exit.

       -V|--version
           Prints the program version number.

ACL FORMAT
       The format of an ACL is one or more ACL entries separated by either
       commas or newlines. An ACL entry is one of the following:

           REVISION:<revision number>
           OWNER:<sid or name>
           GROUP:<sid or name>
           ACL:<sid or name>:<type>/<flags>/<mask>

       The revision of the ACL specifies the internal Windows NT ACL revision
       for the security descriptor. If not specified it defaults to 1. Using
       values other than 1 may cause strange behaviour.

       The owner and group specify the owner and group SIDs for the object.
       Share ACLs do not specify an owner or a group, so these fields are
       empty.

       ACLs specify permissions granted to the SID. This SID can be specified
       in S-1-x-y-z format or as a name in which case it is resolved against
       the server on which the file or directory resides. The type, flags and
       mask values determine the type of access granted to the SID.

       The type can be either ALLOWED or DENIED to allow/deny access to the
       SID. The flags values are generally zero for share ACLs.

       The mask is a value which expresses the access right granted to the
       SID. It can be given as a decimal or hexadecimal value, or by using one
       of the following text strings which map to the NT file permissions of
       the same name.

       •   R - Allow read access

       •   W - Allow write access

       •   X - Execute permission on the object

       •   D - Delete the object

       •   P - Change permissions

       •   O - Take ownership

       The following combined permissions can be specified:

       •   READ - Equivalent to 'RX' permissions

       •   CHANGE - Equivalent to 'RXWD' permissions

       •   FULL - Equivalent to 'RWXDPO' permissions
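
The entry format above can be checked mechanically. The following Python sketch is an added example, not part of the Samba suite: it parses ACL text as printed by sharesec -v and reports ALLOWED entries that grant more than read/execute to a broad well-known SID. The function names and the BROAD_SIDS table are assumptions of this example, and numeric masks are reported undecoded.

```python
import re

# Text masks from the ACL FORMAT section, expanded to single-letter rights.
COMBINED = {"READ": "RX", "CHANGE": "RXWD", "FULL": "RWXDPO"}
# Well-known SIDs covering very large sets of principals (this example's choice).
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
              "S-1-5-11": "Authenticated Users"}
MODIFYING = set("WDPO")  # rights beyond read/execute

def parse_mask(mask):
    """Return the rights as a set of letters, or an int for numeric masks."""
    if mask in COMBINED:
        return set(COMBINED[mask])
    if mask and set(mask) <= set("RWXDPO"):
        return set(mask)
    return int(mask, 16) if mask.lower().startswith("0x") else int(mask, 10)

def parse_acl(text):
    """Parse comma- or newline-separated entries into a list of ACE dicts."""
    aces = []
    for entry in re.split(r"[,\n]", text):
        entry = entry.strip()
        if not entry.startswith("ACL:"):
            continue  # REVISION, CONTROL, OWNER and GROUP carry no grants
        # The trustee may be a name rather than a SID: split on the last colon.
        trustee, _, rest = entry[4:].rpartition(":")
        ace_type, flags, mask = rest.split("/")
        aces.append({"trustee": trustee, "type": ace_type,
                     "flags": flags, "rights": parse_mask(mask)})
    return aces

def broad_grants(aces):
    """ALLOWED entries that give a broad SID more than read/execute."""
    findings = []
    for ace in aces:
        if ace["type"] != "ALLOWED" or ace["trustee"] not in BROAD_SIDS:
            continue
        rights = ace["rights"]
        # Numeric masks are not decoded here; they are listed for manual review.
        if isinstance(rights, int) or rights & MODIFYING:
            findings.append((BROAD_SIDS[ace["trustee"]], rights))
    return findings

# Sample input: the `sharesec share -v` output shown in this page's examples.
SAMPLE = ("REVISION:1\nCONTROL:SR|DP\nOWNER:\nGROUP:\n"
          "ACL:S-1-1-0:ALLOWED/0x0/FULL\n"
          "ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL")
if __name__ == "__main__":
    print(broad_grants(parse_acl(SAMPLE)))
```
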

EXIT STATUS
       The sharesec program sets the exit status depending on the success or
       otherwise of the operations performed. The exit status may be one of
       the following values.

       If the operation succeeded, sharesec returns an exit status of 0. If
       sharesec couldn't connect to the specified server, or there was an
       error getting or setting the ACLs, an exit status of 1 is returned. If
       there was an error parsing any command line arguments, an exit status
       of 2 is returned.

EXAMPLES
       Add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724
       on share:

           host:~ # sharesec share -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL

       List all ACEs for share:

           host:~ # sharesec share -v
           REVISION:1
           CONTROL:SR|DP
           OWNER:
           GROUP:
           ACL:S-1-1-0:ALLOWED/0x0/FULL
           ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL

VERSION
       This man page is part of version 4.15.2 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.15.2                      11/13/2021                       SHARESEC(1)