1 <samba:parameter xmlns:samba="http://samba.org/common">
2 <term><anchor id="SECURITYMASK"/>security mask (S)</term>
3 <listitem><para>This parameter controls what UNIX permission
4 bits can be modified when a Windows NT client is manipulating
5 the UNIX permission on a file using the native NT security
8 <para>This parameter is applied as a mask (AND'ed with) to
9 the changed permission bits, thus preventing any bits not in
10 this mask from being modified. Essentially, zero bits in this
11 mask may be treated as a set of bits the user is not allowed
14 <para>If not set explicitly this parameter is 0777, allowing
15 a user to modify all the user/group/world permissions on a file.
18 <para><emphasis>Note</emphasis> that users who can access the
19 Samba server through other means can easily bypass this
20 restriction, so it is primarily useful for standalone
21 "appliance" systems. Administrators of most normal systems will
22 probably want to leave it set to <constant>0777</constant>.</para>
24 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
25 <parameter moreinfo="none">force directory security mode</parameter></link>,
26 <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
27 security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
28 <parameter moreinfo="none">force security mode</parameter></link> parameters.</para>
30 <para>Default: <command moreinfo="none">security mask = 0777</command></para>
31 <para>Example: <command moreinfo="none">security mask = 0770</command></para>