From db62a159b8833a4f1aee0c9733fd263b6d239d53 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 3 Oct 2012 16:04:18 -0700 Subject: [PATCH] Remove the parameters: security mask force security mode directory security mask force directory security mode and update the docs. --- docs-xml/smbdotconf/security/createmask.xml | 5 +- docs-xml/smbdotconf/security/directorymask.xml | 8 ++-- .../smbdotconf/security/directorysecuritymask.xml | 52 +++++--------------- docs-xml/smbdotconf/security/forcecreatemode.xml | 6 +++ .../smbdotconf/security/forcedirectorymode.xml | 6 +++ .../security/forcedirectorysecuritymode.xml | 56 +++++----------------- docs-xml/smbdotconf/security/forcesecuritymode.xml | 54 +++++---------------- docs-xml/smbdotconf/security/securitymask.xml | 51 +++++--------------- examples/scripts/shares/python/smbparm.py | 4 -- lib/param/param_functions.c | 4 -- lib/param/param_table.c | 36 -------------- source3/include/proto.h | 4 -- source3/param/loadparm.c | 4 -- 13 files changed, 69 insertions(+), 221 deletions(-) rewrite docs-xml/smbdotconf/security/directorysecuritymask.xml (86%) rewrite docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml (85%) rewrite docs-xml/smbdotconf/security/forcesecuritymode.xml (85%) rewrite docs-xml/smbdotconf/security/securitymask.xml (85%) diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c78ec..59e208dccd6 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the . + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. 
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79214a..2ebfc16d14f 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -24,14 +24,14 @@ created from this parameter with the value of the parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the . + + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + force directory mode create mask -directory security mask inherit permissions 0755 0775 diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml dissimilarity index 86% index 5ed85ae3f86..0bd5d9327d0 100644 --- a/docs-xml/smbdotconf/security/directorysecuritymask.xml +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml 
@@ -1,39 +1,13 @@ - - - This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - - - - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. - - -force directory security mode -security mask -force security mode -0777 -0700 - + + + + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on directories. + + + + diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c1055..5a57a294afc 100644 --- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml 
@@ -10,6 +10,12 @@ mode after the mask set in the create mask parameter is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed force security mode. + + The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e3999..e5b37ea611f 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter directory mask is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed force directory security mode. + + The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml dissimilarity index 85% index 2c15ec2753a..01e5fe9a2ae 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -1,43 +1,13 @@ - - - - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - - - - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works in a similar manner to this one, but uses a logical AND instead - of an OR. - - - - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - - - - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - - - - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - - - - -0 -700 - -directory security mask -security mask -force security mode - - + + + + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. + + + diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml dissimilarity index 85% index 7451ef91ae8..b6713b10b07 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml 
@@ -1,41 +1,13 @@ - - - - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works similar like this one but uses logical AND instead of OR. - - - - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - - - - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - - - - -0 -700 - -force directory security mode -directory security mask -security mask - + + + + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + + + diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml dissimilarity index 85% index 23bc2808db4..d1e78bedfd5 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml +++ b/docs-xml/smbdotconf/security/securitymask.xml 
@@ -1,39 +1,12 @@ - - - - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works in a manner similar to this one but uses a logical OR instead of an AND. - - - - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. - - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to 0777. - - - -force directory security mode -directory security mask -force security mode - -0777 -0770 - + + + + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on files. + + + diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py index 8dca781ffcb..f0bc1ecb89d 100644 --- a/examples/scripts/shares/python/smbparm.py +++ b/examples/scripts/shares/python/smbparm.py 
@@ -89,7 +89,6 @@ parm_table = {
 "ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
 "WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
 "MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
 "VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
 "CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
 "DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
@@ -102,7 +101,6 @@ parm_table = {
 "DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
 "LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
 "WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
 "ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
 "PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
 "MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
@@ -147,7 +145,6 @@ parm_table = {
 "LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
 "LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
 "LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
 "LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
 "NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
 "LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
@@ -184,7 +181,6 @@ parm_table = {
 "POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
 "INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
 "ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
 "ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
 "USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
 "MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index ce2f671d738..d5cd0181c55 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
 FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
 FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
 FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
 FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
 FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
 FN_LOCAL_INTEGER(printing, iPrinting)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 325f2953423..01f65fef971 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -957,24 +957,6 @@ static struct parm_struct parm_table[] = {
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
 {
- .label = "security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
 .label = "directory mask",
 .type = P_OCTAL,
 .p_class = P_LOCAL,
@@ -1002,24 +984,6 @@ static struct parm_struct parm_table[] = {
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
 {
- .label = "directory security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force directory security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
 .label = "force unknown acl user",
 .type = P_BOOL,
 .p_class = P_LOCAL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a9143..ac3d2051006 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
 bool lp_durable_handles(int);
 int lp_create_mask(int );
 int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
 int lp_dir_mask(int );
 int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
 int lp_max_connections(int );
 int lp_defaultcase(int );
 int lp_minprintspace(int );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce9d20..42bf11d4bce 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
 .iWriteCacheSize = 0,
 .iCreate_mask = 0744,
 .iCreate_force_mode = 0,
- .iSecurity_mask = 0777,
- .iSecurity_force_mode = 0,
 .iDir_mask = 0755,
 .iDir_force_mode = 0,
- .iDir_Security_mask = 0777,
- .iDir_Security_force_mode = 0,
 .iMaxConnections = 0,
 .iDefaultCase = CASE_LOWER,
 .iPrinting = DEFAULT_PRINTING,
--
2.11.4.GIT