From 75cb9a32f6822adbd689cc7a1f74feb8e966084a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 12 May 2003 05:15:08 +0000 Subject: [PATCH] Added info on File and Directory info. --- docs/docbook/projdoc/AccessControls.xml | 205 ++++++++++++++++++++++++++++++-- 1 file changed, 193 insertions(+), 12 deletions(-) diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index c903af4468e..f7445bdb4a4 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml @@ -60,20 +60,61 @@ shrink. Samba Access Control Facilities - Unix file and directory permissions - + Unix File and Directory Permissions + + + + Samba honours and implements Unix file system access controls. Users + who access a Samba server will do so as a particular MS Windows user. + This information is passed to the Samba server as part of the logon orr + connection setup process. Samba uses this user identity to validate + whether or not the user should be given access to file system resources + (files and directories). This chapter provides an overview for those + to whom the Unix permissions and controls are a little strange or unknown. + + - Samba Share Definitions - + Samba Share Definitions + + + + In configuring share settings and controls in the &smb.conf; file + the network administrator can exercise over-rides to native file + system permissions and behaviours. This can be handy and convenient + to affect behaviour that is more like what MS Windows NT users expect + but it is seldom the best way to achieve this. + The basic options and techniques are described herein. + + - Samba Share ACLs - + Samba Share ACLs + + + + Just like it is possible in MS Windows NT to set ACLs on shares + themselves, so it is possible to do this in Samba. + Very few people make use of this facility, yet it remains on of the + easiest ways to affect access controls (restrictions) and can often + do so with minimum invasiveness compared with other methods. + + - MS Windows ACLs through Unix POSIX ACLs - + MS Windows ACLs through Unix POSIX ACLs + + + + The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying + operating system supports them. If not, then this option will not be + available to you. Current Unix technology platforms have native support + for POSIX ACLs. There are patches for the Linux kernel that provide + this also. Sadly, few Linux paltforms ship today with native ACLs and + Extended Attributes enabled. This chapter has pertinent information + for users of platforms that support them. + + @@ -82,16 +123,156 @@ shrink. File System Access Controls -Explain here how Unix file and permissions work +Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP +implement a totally divergent file system technology from what is provided in the Unix operating system +environment. Firstly we should consider what the most significant differences are, then we shall look +at how Samba helps to bridge the differences. + + MS Windows NTFS Comparison with Unix File Systems + + + Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions + and permissions. It also means that if the MS Windows networking environment requires file system + behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating + that in a transparent and consistent manner. + + + + It is good news that Samba does this to a very large extent and on top of that provides a high degree + of optional configuration to over-ride the default behaviour. We will look at some of these over-rides, + but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore + to depths of control ability should review the &smb.conf; man page. + + + + File System Feature Comparison + + Name Space + + MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names + may be 1023 characters long. In MS Windows file extensions indicate particular file types, + in Unix this is not so rigorously observed as all names are considered arbitrary. + + + What MS Windows calls a Folder, Unix calls a directory, + + + + + Case Sensitivity + + MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name + and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case + Insensitive. + + + Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the + MS Windows file name behaviour, but it does so as a user application. The Unix file system + provides no mechanism to perform case insensitive file name lookups. MS Windows does this + by default. This means that Samba has to carry the processing overhead to provide features + that are NOT native to the Unix operating system environment. + + + Consider the following, all are unique Unix names but one single MS Windows file name: + + MYFILE.TXT + MyFile.txt + myfile.txt + + So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix + they can. So what should Samba do if all three are present? Answer, the one that is lexically + first will be accessible to MS Windows users, the others are invisible and unaccessible - any + other solution would be suicidal. + + + + + Directory Separators + + MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/' + as it's directory delimiter. This is transparently handled by Samba. + + + + + Drive Identification + + MS Windows products support a notion of drive letters, like C: to represent + disk partitions. Unix has NO concept if separate identifiers for file partitions since each + such file system is mounted to become part of the over-all directory tree. + The Unix directory tree begins at '/', just like the root of a DOS drive is specified like + C:\. + + + + + File Naming Conventions + + MS Windows generally never experiences file names that begin with a '.', while in Unix these + are commonly found in a user's home directory. Files that begin with a '.' are typically + either start up files for various Unix applications, or they may be files that contain + start-up configuration data. + + + + + Links and Short-Cuts + + MS Windows make use of "links and Short-Cuts" that are actually special types of files that will + redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory + links, but they are entirely different from what MS Windows users are used to. + + + Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An + operation (like read or write) will operate directly on the file referenced. Symbolic links are also + referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows + one physical file to be known simulataneously by more than one file name. + + + + + + There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort + in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the + purpose of Unix/Linux training/education. + + + + + + Managing Directories + + + There are three basic operations for managing directories, create, delete, rename. + + Action MS Windows Command Unix Command + ------ ------------------ ------------ + create md folder mkdir folder + delete rd folder rmdir folder + rename rename oldname newname mv oldname newname + + + + + + + File and Directory Access Control + + + Explain the anatomy of a directory listing, permissions and what they mean. + + + + Share Definition Access Controls -Explain here about the smb.conf [share] parameters +Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc. @@ -241,7 +422,7 @@ Explain here about the smb.conf [share] parameters on the Properties entry at the bottom of the menu. This brings up the file properties dialog box. Click on the tab Security and you - will see three buttons, Permissions, + will see three buttons, Permissions, Auditing, and Ownership. The Auditing button will cause either an error message A requested privilege is not held @@ -539,7 +720,7 @@ Explain here about the smb.conf [share] parameters Common Errors -Stuff here +Stuff from mailing lists here -- 2.11.4.GIT