SETCIFSACL(1)                                                    SETCIFSACL(1)

NAME

       setcifsacl - Userspace helper to alter components of a security
       descriptor for Common Internet File System (CIFS)

SYNOPSIS

       setcifsacl [-v|-U|-a|-A|-D|-M|-S|-o|-g] "{one or more ACEs or a SID}"
       {file system object}

DESCRIPTION

       This tool is part of the cifs-utils suite.

       setcifsacl is a userspace helper program for the Linux CIFS client file
       system. It is intended to alter an ACL or set the owner/group SID of a
       security descriptor for a file system object. Whether a security
       descriptor to be set is applied or not is determined by the CIFS/SMB
       server.

       This program uses a plugin to handle the mapping of user and group
       names to SIDs. /etc/cifs-utils/idmap-plugin should be a symlink that
       points to the correct plugin to use.

OPTIONS

       -h     Print usage message and exit.

       -v     Print version number and exit.

       -U     Apply ACE editing actions (-a, -D, -M, -S) to SACL (aUdit ACL).
              The actions are applied to DACL if -U is not specified.

       -a     Add one or more ACEs to an ACL of a security descriptor. An ACE
              is added even if the same ACE exists in the ACL.

       -A     Add one or more ACEs to the ACL of a security descriptor, while
              maintaining the preferred order of the ACEs. The preferred
              order of ACEs is described in the following documentation:
              https://docs.microsoft.com/en-us/windows/win32/secauthz/order-of-aces-in-a-dacl

       -D     Delete one or more ACEs from an ACL of a security descriptor.
              The entire ACE has to match in an existing ACL for the listed
              ACEs to be deleted.

       -M     Modify one or more ACEs in an ACL of a security descriptor.
              SID and type are used to match existing ACEs, which are then
              modified with the list of ACEs specified.

       -S     Set an ACL of a security descriptor with the list of ACEs.
              The existing ACL is replaced entirely with the specified ACEs.

       -o     Set owner SID to one specified as a command line argument.

       -g     Set group SID to one specified as a command line argument.

              The owner/group SID can be specified as a name or a raw SID
              value. Every ACE entry starts with "ACL:". One or more ACEs are
              specified within double quotes. Multiple ACEs are separated by
              a comma.

              The following fields of a DACL ACE can be modified, with these
              possible values:

              SID - Either a name or a raw SID value.

              type - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5),
                OBJECT_DENIED (0x6)

              flags - OBJECT_INHERIT_FLAG (OI or 0x1),
                CONTAINER_INHERIT_FLAG (CI or 0x2),
                NO_PROPAGATE_INHERIT_FLAG (NI or 0x4),
                INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10)
                or a combination/OR of these values.

              mask - Either one of FULL, CHANGE, READ, a combination of R W
                X D P O, or a hex value.

              The following fields of a SACL ACE can be modified, with these
              possible values:

              SID - Either a name or a raw SID value.

              type - AUDIT (0x2), AUDIT_OBJECT (0x7), AUDIT_CALLBACK (0xD),
                AUDIT_CALLBACK_OBJECT (0xF), MANDATORY_LABEL (0x11),
                RESOURCE_ATTRIBUTE (0x12), SCOPED_POLICY_ID (0x13)

              flags - SUCCESSFULL_ACCESS (SA or 0x40), FAILED_ACCESS (FA or
                0x80)

              mask - Either one of FULL, CHANGE, READ, a combination of R W
                X D P O, or a hex value.

EXAMPLES

   Add an ACE
          setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>

          setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>

          setcifsacl -U -a "ACL:CIFSTESTDOM\user1:AUDIT/SA/D" <file_name>

   Add an ACE and reorder ACL
          setcifsacl -A "ACL:CIFSTESTDOM\user3:ALLOWED/OI/FULL" <file_name>
          setcifsacl -A "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>
          setcifsacl -A "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>

          After setting the above ACEs, the output of getcifsacl is:
          ACL:CIFSTESTDOM\user2:DENIED/0x1/D
          ACL:CIFSTESTDOM\user3:ALLOWED/OI/FULL
          ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D

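The preferred order referenced under -A can be checked offline against a list of DACL ACE strings, as in this added example (not part of cifs-utils or of the original page). It parses the "ACL:SID:type/flags/mask" syntax described under OPTIONS and places explicit deny ACEs before explicit allow ACEs, leaving inherited ACEs where they are; the function names are hypothetical, and grouping OBJECT_DENIED with DENIED is an assumption.

```python
# Keywords and hex values as listed for DACL ACEs on this page.
TYPES = {"ALLOWED": 0x0, "DENIED": 0x1, "OBJECT_ALLOWED": 0x5, "OBJECT_DENIED": 0x6}
FLAGS = {"OI": 0x1, "CI": 0x2, "NI": 0x4, "IO": 0x8, "IA": 0x10}
DENY_TYPES = {0x1, 0x6}   # assumption: object-deny is grouped with plain deny
INHERITED = 0x10          # INHERITED_ACE_FLAG


def _value(token, names):
    """Resolve a keyword from `names` or a 0x-prefixed hex literal."""
    token = token.strip()
    if token.upper() in names:
        return names[token.upper()]
    if not token.lower().startswith("0x"):
        raise ValueError(f"unknown keyword: {token!r}")
    return int(token, 16)


def parse_ace(text):
    """Split 'ACL:<SID>:<type>/<flags>/<mask>' into (sid, type, flags, mask)."""
    if not text.startswith("ACL:"):
        raise ValueError(f"ACE must start with 'ACL:': {text!r}")
    sid, sep, rest = text[4:].rpartition(":")
    fields = rest.split("/")
    if not sep or not sid or len(fields) != 3:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type = _value(fields[0], TYPES)
    if ace_type not in TYPES.values():
        raise ValueError(f"not a DACL ACE type: {fields[0]!r}")
    flags = 0
    for part in fields[1].split("|"):
        flags |= _value(part, FLAGS)
    return sid, ace_type, flags, fields[2]  # mask is kept as written


def preferred_order(aces):
    """Explicit deny, then explicit allow, then inherited ACEs left as found."""
    parsed = [(ace, parse_ace(ace)) for ace in aces]
    explicit = [(a, p) for a, p in parsed if not p[2] & INHERITED]
    inherited = [a for a, p in parsed if p[2] & INHERITED]
    explicit.sort(key=lambda item: item[1][1] not in DENY_TYPES)  # stable sort
    return [a for a, _ in explicit] + inherited


def is_preferred_order(aces):
    """True when the list is already in the order preferred_order() yields."""
    return list(aces) == preferred_order(aces)


# Constructed input: the three ACEs from the -A example, in the order given.
added = [r"ACL:CIFSTESTDOM\user3:ALLOWED/OI/FULL",
         r"ACL:CIFSTESTDOM\user2:DENIED/0x1/D",
         r"ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D"]
```

Running is_preferred_order() over a listing in this syntax flags ACLs where -a left an allow ACE ahead of a deny ACE.
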
   Delete an ACE
          setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>

          setcifsacl -U -D "ACL:S-1-1-0:0x2/FA/0xf01ff" <file_name>

   Modify an ACE
          setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name>

          setcifsacl -U -M "ACL:CIFSTESTDOM\user1:AUDIT_OBJECT/SA/CHANGE" <file_name>

   Set an ACL
          setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name>

          setcifsacl -U -S "ACL:CIFSTESTDOM\Administrator:AUDIT/SA/FULL,ACL:CIFSTESTDOM\user2:0x7/0x80/FULL" <file_name>

   Set owner SID
          setcifsacl -o "S-1-5-21-3338130290-3403600371-1423429424-2102" <file_name>

   Set group SID
          setcifsacl -g "Administrators@BUILTIN" <file_name>

NOTES

       Kernel support for getcifsacl/setcifsacl utilities was initially
       introduced in the 2.6.37 kernel.

SEE ALSO

       mount.cifs(8), getcifsacl(1)

AUTHOR

       Shirish Pargaonkar wrote the setcifsacl program.

       The Linux CIFS Mailing list is the preferred place to ask questions
       regarding these programs.