1NTFSSECAUDIT(8)             System Manager's Manual            NTFSSECAUDIT(8)
2
3
4

NAME

6       ntfssecaudit - NTFS Security Data Auditing
7

SYNOPSIS

9       ntfssecaudit [options] args
10
11       Where options is a combination of :
12              -a full auditing of security data (Linux only)
13              -b backup ACLs
14              -e setting extra backed-up parameters (in conjunction with -s)
15              -h displaying hexadecimal security descriptors saved in a file
16              -r recursing in a directory
17              -s setting backed-up ACLs
18              -u getting a user mapping proposal
19              -v verbose (very verbose if set twice)
20
21       and args define the parameters and the set of files acted upon.
22
23       Typing  secaudit  with  no args will display a summary of available op‐
24       tions.
25

DESCRIPTION

27       ntfssecaudit displays the ownership and permissions of a set  of  files
28       on an NTFS file system, and checks their consistency. It can be started
29       in terminal mode only (no graphical user interface is available.)
30
31       When a volume is required, it has to be unmounted, and the command  has
32       to  be  issued as root. The volume can be either a block device (i.e. a
33       disk partition) or an image file.
34
35       When acting on a directory or volume, the command may produce a lot  of
36       information. It is therefore advisable to redirect the output to a file
37       or pipe it to a text editor for examination.
38

OPTIONS

40       Below are the valid combinations of options and arguments that  ntfsse‐
41       caudit  accepts.  All the indicated arguments are mandatory and must be
42       unique (if wildcards are used, they must resolve to a single name.)
43
44       -h file
45              Displays in an human readable form the hexadecimal security  de‐
46              scriptors saved in file. This can be used to turn a verbose out‐
47              put into a very verbose output.
48
49       -a[rv] volume
50              Audits the volume : all the global security data on  volume  are
51              scanned  and  errors are displayed. If option -r is present, all
52              files and directories are also scanned and  their  relations  to
53              global  security  data  are  checked.  This can produce a lot of
54              data.
55
56              This option is not effective on volumes formatted for  old  NTFS
57              versions  (pre  NTFS  3.0). Such volumes have no global security
58              data.
59
60              When errors are signalled, it is advisable to repair the  volume
61              with an appropriate tool (such as chkdsk on Windows.)
62
63       [-v] volume file
64              Displays the security parameters of file : its interpreted Linux
65              mode (rwx flags in octal) and Posix ACL[1], its security key  if
66              any, and its security descriptor if verbose output.
67
68       -r[v] volume directory
69              displays the security parameters of all files and subdirectories
70              in directory : their interpreted Linux mode (rwx flags in octal)
71              and  Posix ACL[1], their security key if any, and their security
72              descriptor if verbose output.
73
74       -b[v] volume [directory]
75              Recursively extracts to standard output the NTFS ACLs  of  files
76              in volume and directory.
77
78       -s[ev] volume [backup-file]
79              Sets  the  NTFS ACLS as indicated in backup-file or standard in‐
80              put. The input data must have been created on Linux. With option
81              -e, also sets extra parameters (currently Windows attrib).
82
83       volume perms file
84              Sets  the  security  parameters  of  file to perms. Perms is the
85              Linux requested mode (rwx flags, expressed in octal form  as  in
86              chmod)  or  a  Posix ACL[1] (expressed like in setfacl -m). This
87              sets a new ACL which is effective for Linux and Windows.
88
89       -r[v] volume perms directory
90              Sets the security parameters of all files and subdirectories  in
91              directory  to  perms.  Perms  is  the  Linux requested mode (rwx
92              flags, expressed in octal form as in chmod), or a  Posix  ACL[1]
93              (expressed like in setfacl -m.) This sets new ACLs which are ef‐
94              fective for Linux and Windows.
95
96       [-v] mounted-file
97              Displays the security parameters of mounted-file  :  its  inter‐
98              preted Linux mode (rwx flags in octal) and Posix ACL[1], its se‐
99              curity key if any, and its security descriptor if  verbose  out‐
100              put. This is a special case which acts on a mounted file (or di‐
101              rectory) and does not require being root. The Posix  ACL  inter‐
102              pretation can only be displayed if the full path to mounted-file
103              from the root of the global file tree is provided.
104
105       -u[v] mounted-file
106              Displays a proposed contents for a user mapping file,  based  on
107              the  ownership parameters set by Windows on mounted-file, assum‐
108              ing this file was created on Windows by the user who  should  be
109              mapped  to the current Linux user. The displayed information has
110              to be copied to the file .NTFS-3G/UserMapping where .NTFS-3G  is
111              a hidden subdirectory of the root of the partition for which the
112              mapping is to be defined. This will cause the ownership of files
113              created  on  that  partition  to  be  the  same  as the original
114              mounted-file.
115

NOTE

117       [1] provided the POSIX ACL option was selected at compile time. A Posix
118       ACL  specification looks like "[d:]{ugmo}:[id]:[perms],..." where id is
119       a numeric user or group id, and perms an octal digit or a set from  the
120       letters r, w and x.
121              Example : "u::7,g::5,o:0,u:510:rwx,g:500:5,d:u:510:7"
122

EXAMPLES

124       Audit the global security data on /dev/sda1
125
126              ntfssecaudit -ar /dev/sda1
127
128       Display the ownership and permissions parameters for files in directory
129       /audio/music on device /dev/sda5, excluding sub-directories :
130
131              ntfssecaudit /dev/sda5 /audio/music
132
133       Set all files in directory /audio/music on device /dev/sda5  as  write‐
134       able by owner and read-only for everybody :
135
136              ntfssecaudit -r /dev/sda5 644 /audio/music
137
138

EXIT CODES

140       ntfssecaudit  exits  with  a value of 0 when no error was detected, and
141       with a value of 1 when an error was detected.
142

KNOWN ISSUES

144       Please see
145
146              https://github.com/tuxera/ntfs-3g/wiki/NTFS-3G-FAQ/
147
148       for common questions and known issues.  If you would find a new one  in
149       the latest release of the software then please send an email describing
150       it in detail. You can contact the development team on  the  ntfs-3g-de‐
151       vel@lists.sf.net address.
152

AUTHORS

154       ntfssecaudit has been developed by Jean-Pierre André.
155

THANKS

157       Several people made heroic efforts, often over five or more years which
158       resulted the ntfs-3g driver. Most  importantly  they  are  Anton  Alta‐
159       parmakov,  Richard  Russon,  Szabolcs Szakacsits, Yura Pakhuchiy, Yuval
160       Fledel, and the author of the groundbreaking FUSE  filesystem  develop‐
161       ment framework, Miklos Szeredi.
162

SEE ALSO

164       ntfsprogs(8), attr(5), getfattr(1)
165
166
167
168ntfssecaudit 1.5.0               February 2010                 NTFSSECAUDIT(8)
Impressum