LinuxCommandLibrary

setcifsacl

Userspace helper to alter an ACL in a security descriptor for Common Internet File System (CIFS)

SYNOPSIS

setcifsacl [-v|-U|-a|-A|-D|-M|-S|-o|-g] "{one or more ACEs or a SID}" {file system object}

DESCRIPTION

This tool is part of the cifs-utils suite.

setcifsacl is a userspace helper program for the Linux CIFS client file system. It is intended to alter an ACL or set owner/group SID of a security descriptor for a file system object. Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server.

This program uses a plugin to handle the mapping of user and group names to SIDs. /etc/cifs-utils/idmap-plugin should be a symlink that points to the correct plugin to use.

OPTIONS

-h

Print usage message and exit.

-v

Print version number and exit.

-U

Apply ACE editing actions (-a, -D, -M, -S) to SACL (aUdit ACL). The actions are appliend to DACL if -U is not specified.

-a

Add one or more ACEs to an ACL of a security descriptor. An ACE is added even if the same ACE exists in the ACL.

-A

Add one or more ACEs to the ACL of a security descriptor, while maintaining the preferred order of the ACEs. The preferred order of ACEs are described in the following documentation: https://docs.microsoft.com/en-us/windows/win32/secauthz/order-of-aces-in-a-dacl

-D

Delete one or more ACEs from an ACL of a security descriptor. Entire ACE has to match in an existing ACL for the listed ACEs to be deleted.

-M

Modify one or more ACEs from an ACL of a security descriptor. SID and type are used to match for existing ACEs to be modified with the list of ACEs specified.

-S

Set an ACL of security descriptor with the list of ACEs Existing ACL is replaced entirely with the specified ACEs.

-o

Set owner SID to one specified as a command line argument.

-g

Set group SID to one specified as a command line argument.

The owner/group SID can be specified as a name or a raw SID value. Every ACE entry starts with "ACL:" One or more ACEs are specified within double quotes. Multiple ACEs are separated by a comma.

Following fields of a DACL ACE can be modified with possible values:

  • SID - Either a name or a raw SID value.

  • type - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)

  • flags - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) or a combination/OR of these values.

  • mask - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value.

Following fields of a SACL ACE can be modified with possible values:

  • SID - Either a name or a raw SID value.

  • type - AUDIT (0x2), AUDIT_OBJECT (0x7), AUDIT_CALLBACK (0xD), AUDIT_CALLBACK_OBJECT (0xF), MANDATORY_LABEL (0x11), RESOURCE_ATTRIBUTE (0x12), SCOPED_POLICY_ID (0x13)

  • flags - SUCCESSFULL_ACCESS (SA or 0x40), FAILED_ACCESS (FA or 0x80)

  • mask - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value.

EXAMPLES

Add an ACE

setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>

setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>

setcifsacl -U -a "ACL:CIFSTESTDOM\user1:AUDIT/SA/D" <file_name>

Add an ACE and reorder ACL

setcifsacl -A "ACL:CIFSTESTDOMuser3:ALLOWED/OI/FULL" <file_name> setcifsacl -A "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> setcifsacl -A "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name>

After setting above mentioned ACEs, below is output of getcifsacl: ACL:CIFSTESTDOMuser2:DENIED/0x1/D ACL:CIFSTESTDOMuser3:ALLOWED/OI/FULL ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D

Delete an ACE

setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>

setcifsacl -U -D "ACL:S-1-1-0:0x2/FA/0xf01ff" <file_name>

Modify an ACE

setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name>

setcifsacl -U -M "ACL:CIFSTESTDOM\user1:AUDIT_OBJECT/SA/CHANGE" <file_name>

Set an ACL

setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name>

setcifsacl -U -S "ACL:CIFSTESTDOM\Administrator:AUDIT/SA/FULL,ACL:CIFSTESTDOM\user2:0x7/0x80/FULL" <file_name>

Set owner SID

setcifsacl -o "S-1-5-21-3338130290-3403600371-1423429424-2102" <file_name>

Set group SID

setcifsacl -g "Administrators@BUILTIN" <file_name>

NOTES

Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel.

SEE ALSO

mount.cifs(8), getcifsacl(1)

AUTHOR

Shirish Pargaonkar wrote the setcifsacl program.

The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.

Copied to clipboard