sharesec(1)

1SHARESEC(1)                      User Commands                     SHARESEC(1)
2
3
4

NAME

6       sharesec - Set or get share ACLs
7

SYNOPSIS

9       sharesec {sharename} [-r, --remove=ACL] [-m, --modify=ACL]
10        [-a, --add=ACL] [-R, --replace=ACLs] [-D, --delete] [-v, --view]
11        [--view-all] [-M, --machine-sid] [-F, --force]
12        [-d, --debuglevel=DEBUGLEVEL] [-s, --configfile=CONFIGFILE]
13        [-l, --log-basename=LOGFILEBASE] [-S, --setsddl=STRING] [--viewsddl]
14        [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
15        [--configfile=CONFIGFILE] [--option=name=value]
16        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
17

DESCRIPTION

19       This tool is part of the samba(7) suite.
20
21       The sharesec program manipulates share permissions on SMB file shares.
22

OPTIONS

24       The following options are available to the sharesec program. The format
25       of ACLs is described in the section ACL FORMAT
26
27       -a|--add=ACL
28           Add the ACEs specified to the ACL list.
29
30       -D|--delete
31           Delete the entire security descriptor.
32
33       -F|--force
34           Force storing the ACL.
35
36       -m|--modify=ACL
37           Modify existing ACEs.
38
39       -M|--machine-sid
40           Initialize the machine SID.
41
42       -r|--remove=ACL
43           Remove ACEs.
44
45       -R|--replace=ACLS
46           Overwrite an existing share permission ACL.
47
48       -v|--view
49           List a share acl
50
51       --view-all
52           List all share acls
53
54       -S|--setsddl=STRING
55           Set security descriptor by providing ACL in SDDL format.
56
57       --viewsddl
58           List a share acl in SDDL format.
59
60       -?|--help
61           Print a summary of command line options.
62
63       --usage
64           Display brief usage message.
65
66       -d|--debuglevel=DEBUGLEVEL
67           level is an integer from 0 to 10. The default value if this
68           parameter is not specified is 1 for client applications.
69
70           The higher this value, the more detail will be logged to the log
71           files about the activities of the server. At level 0, only critical
72           errors and serious warnings will be logged. Level 1 is a reasonable
73           level for day-to-day running - it generates a small amount of
74           information about operations carried out.
75
76           Levels above 1 will generate considerable amounts of log data, and
77           should only be used when investigating a problem. Levels above 3
78           are designed for use only by developers and generate HUGE amounts
79           of log data, most of which is extremely cryptic.
80
81           Note that specifying this parameter here will override the log
82           level parameter in the smb.conf file.
83
84       --debug-stdout
85           This will redirect debug output to STDOUT. By default all clients
86           are logging to STDERR.
87
88       --configfile=<configuration file>
89           The file specified contains the configuration details required by
90           the client. The information in this file can be general for client
91           and server or only provide client specific like options such as
92           client smb encrypt. See smb.conf for more information. The default
93           configuration file name is determined at compile time.
94
95       --option=<name>=<value>
96           Set the smb.conf(5) option "<name>" to value "<value>" from the
97           command line. This overrides compiled-in defaults and options read
98           from the configuration file. If a name or a value includes a space,
99           wrap whole --option=name=value into quotes.
100
101       -l|--log-basename=logdirectory
102           Base directory name for log/debug files. The extension ".progname"
103           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
104           file is never removed by the client.
105
106       --leak-report
107           Enable talloc leak reporting on exit.
108
109       --leak-report-full
110           Enable full talloc leak reporting on exit.
111
112       -V|--version
113           Prints the program version number.
114

ACL FORMAT

116       The format of an ACL is one or more ACL entries separated by either
117       commas or newlines. An ACL entry is one of the following:
118
119                REVISION:<revision number>
120                OWNER:<sid or name>
121                GROUP:<sid or name>
122                ACL:<sid or name>:<type>/<flags>/<mask>
123
124
125       The revision of the ACL specifies the internal Windows NT ACL revision
126       for the security descriptor. If not specified it defaults to 1. Using
127       values other than 1 may cause strange behaviour.
128
129       The owner and group specify the owner and group SIDs for the object.
130       Share ACLs do not specify an owner or a group, so these fields are
131       empty.
132
133       ACLs specify permissions granted to the SID. This SID can be specified
134       in S-1-x-y-z format or as a name in which case it is resolved against
135       the server on which the file or directory resides. The type, flags and
136       mask values determine the type of access granted to the SID.
137
138       The type can be either ALLOWED or DENIED to allow/deny access to the
139       SID. The flags values are generally zero for share ACLs.
140
141       The mask is a value which expresses the access right granted to the
142       SID. It can be given as a decimal or hexadecimal value, or by using one
143       of the following text strings which map to the NT file permissions of
144       the same name.
145
146              •   R - Allow read access
147
148              •   W - Allow write access
149
150              •   X - Execute permission on the object
151
152              •   D - Delete the object
153
154              •   P - Change permissions
155
156              •   O - Take ownership
157
158
159       The following combined permissions can be specified:
160
161              •   READ - Equivalent to 'RX' permissions
162
163              •   CHANGE - Equivalent to 'RXWD' permissions
164
165              •   FULL - Equivalent to 'RWXDPO' permissions
166

EXIT STATUS

168       The sharesec program sets the exit status depending on the success or
169       otherwise of the operations performed. The exit status may be one of
170       the following values.
171
172       If the operation succeeded, sharesec returns and exit status of 0. If
173       sharesec couldn't connect to the specified server, or there was an
174       error getting or setting the ACLs, an exit status of 1 is returned. If
175       there was an error parsing any command line arguments, an exit status
176       of 2 is returned.
177

EXAMPLES

179       Add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724
180       on share:
181
182                host:~ # sharesec share -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
183
184
185       List all ACEs for share:
186
187                host:~ # sharesec share -v
188                REVISION:1
189                CONTROL:SR|DP
190                OWNER:
191                GROUP:
192                ACL:S-1-1-0:ALLOWED/0x0/FULL
193                ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL
194
195

VERSION

197       This man page is part of version 4.16.2 of the Samba suite.
198

AUTHOR

200       The original Samba software and related utilities were created by
201       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
202       Source project similar to the way the Linux kernel is developed.
203
204
205
206Samba 4.16.2                      06/13/2022                       SHARESEC(1)