Convert 'Security' section of smb.conf to new format

[Samba/gebeck_regimport.git] / docs / docbook / smbdotconf / security / securitymask.xml

<samba:parameter name="security mask"
                 context="S"
                 xmlns:samba="http://samba.org/common">
<listitem>
    <para>This parameter controls what UNIX permission 
    bits can be modified when a Windows NT client is manipulating 
    the UNIX permission on a file using the native NT security 
    dialog box.</para>

    <para>This parameter is applied as a mask (AND'ed with) to 
    the changed permission bits, thus preventing any bits not in 
    this mask from being modified. Essentially, zero bits in this 
    mask may be treated as a set of bits the user is not allowed 
    to change.</para>

    <para>If not set explicitly this parameter is 0777, allowing
    a user to modify all the user/group/world permissions on a file.
    </para>

    <para><emphasis>Note</emphasis> that users who can access the 
    Samba server through other means can easily bypass this 
    restriction, so it is primarily useful for standalone 
    &quot;appliance&quot; systems.  Administrators of most normal systems will 
    probably want to leave it set to <constant>0777</constant>.</para>
                
    <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
    <parameter moreinfo="none">force directory security mode</parameter></link>, 
    <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory 
    security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
    <parameter moreinfo="none">force security mode</parameter></link> parameters.</para>

    <para>Default: <command moreinfo="none">security mask = 0777</command></para>

    <para>Example: <command moreinfo="none">security mask = 0770</command></para>
</listitem>
</samba:parameter>