LinuxCommandLibrary

setcifsacl

Set CIFS (SMB) file/directory ACLs

SYNOPSIS

setcifsacl [OPTIONS] PATHNAME
Where OPTIONS include:
-s, --set <file>
-m, --modify <acl_entries>
-x, --remove <acl_entries>
-d, --default <acl_entries>
-k, --mask <acl_entries>
-r, --recursive
-v, --verbose
-D, --debug
-V, --version
-h, --help

PATHNAME is the path to the file or directory on the mounted CIFS/SMB share.
ACL_ENTRIES follow specific formats like "user::perms", "user:name:perms", or "S-1-5-21-XXX:type:perms".

PARAMETERS

--set
    Read ACL entries from the specified <file> and apply them to the target PATHNAME. The file should contain ACL entries in the same format as used with --modify.

--modify
    Modify the existing ACL entries on the target PATHNAME. <acl_entries> can be a comma-separated list of entries (e.g., 'user:john:rw,group:finance:r'). This option adds or updates specific ACLs.

--remove
    Remove the specified ACL entries from the target PATHNAME. <acl_entries> should match existing entries to be removed.

--default
    Set, modify, or remove default ACL entries on a directory. These entries are inherited by newly created files and subdirectories within that directory.

--mask
    Set or modify the ACL mask. While Windows ACLs don't have a direct 'mask' concept like POSIX ACLs, this option might be used for compatibility or specific Samba configurations.

-r, --recursive
    Apply the ACL changes recursively to all subdirectories and files within the specified PATHNAME.

-v, --verbose
    Enable verbose output, showing more details about the operations being performed.

-D, --debug
    Enable debugging output, providing even more detailed information, useful for troubleshooting.

-V, --version
    Display the version information of the setcifsacl utility and exit.

-h, --help
    Display a help message with usage instructions and exit.

DESCRIPTION

The setcifsacl command is a utility from the cifs-utils package designed to manage Windows-style Access Control Lists (ACLs) on files and directories residing on CIFS/SMB network shares mounted on a Linux system. Unlike traditional Linux chmod or setfacl which manage POSIX permissions or POSIX ACLs, setcifsacl directly manipulates the security descriptors stored on the CIFS/SMB server.

It allows administrators to set, modify, or remove specific ACL entries for users, groups, or SIDs (Security Identifiers), providing granular control over permissions. This is crucial in mixed environments where Windows clients and Linux systems need to share data and maintain consistent access control. For setcifsacl to function correctly, the CIFS/SMB filesystem must be mounted with the cifsacl option, enabling the kernel to communicate ACL requests to the server.

CAVEATS

The target CIFS/SMB share must be mounted with the cifsacl option (e.g., mount -t cifs //server/share /mnt/share -o cifsacl). Without this option, setcifsacl will not be able to communicate with the server to modify ACLs.
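A pre-flight check for the cifsacl requirement above, added here as an example and not taken from the original page or from cifs-utils: it reads a mount table in /proc/mounts format, finds the mount that actually covers a path, and reports whether that mount is CIFS and carries the cifsacl option. The function name cifsacl_status, its three result strings and the sample mount table are constructed for illustration; it assumes an absolute, normalized path and mount points without escaped characters such as \040.

```shell
#!/bin/sh
# Added example: confirm a path sits on a CIFS mount that has the cifsacl
# option before any ACL change is attempted on it.

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
//server/share /mnt/share cifs rw,relatime,vers=3.1.1,cifsacl,username=svc 0 0
//server/legacy /mnt/legacy cifs rw,relatime,vers=3.0,username=svc 0 0
//server/share /mnt/share/nested cifs rw,relatime,vers=3.1.1,username=svc 0 0'

# cifsacl_status PATH [MOUNTS_TEXT]
# Prints one of: ok | no-cifsacl | not-cifs
# MOUNTS_TEXT defaults to the live contents of /proc/mounts.
cifsacl_status() {
    target=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$target" '
        {
            mp = $2
            # A mount covers p if p equals it or continues below it with "/".
            # Plain prefix matching would wrongly let /mnt/share cover
            # /mnt/sharefoo.
            covers = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            # Longest mount point wins; ">=" lets a later overmount win ties.
            if (covers && length(mp) >= best_len) {
                best_len = length(mp); fstype = $3; opts = $4
            }
        }
        END {
            if (fstype != "cifs" && fstype != "smb3") { print "not-cifs"; exit }
            n = split(opts, o, ",")
            # Compare whole option tokens, not substrings.
            for (i = 1; i <= n; i++) if (o[i] == "cifsacl") { print "ok"; exit }
            print "no-cifsacl"
        }'
}

# Stand-alone demonstration against the constructed table.
for path in /mnt/share/docs /mnt/legacy /mnt/share/nested/f /mnt/sharefoo; do
    printf '%-24s %s\n' "$path" "$(cifsacl_status "$path" "$SAMPLE_MOUNTS")"
done
```

The nested case is the one worth noticing: a share mounted with cifsacl can have a second mount beneath it that lacks the option, so the check has to resolve the covering mount rather than match on the parent directory.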

ACL changes made with setcifsacl directly affect the Windows-style security descriptors on the server, which may not always align perfectly with traditional POSIX permissions displayed by ls -l. Tools like getcifsacl are needed to view these Windows-style ACLs.

Proper SID (Security Identifier) mapping between Linux users/groups and Windows SIDs is crucial for correct functionality. This often requires careful configuration of Samba's idmap backend or ensuring proper Active Directory integration. Incorrect mapping can lead to unexpected permission issues or failures in setting ACLs. Not all CIFS/SMB servers fully support all ACL features that setcifsacl might attempt to use.

ACL ENTRY FORMAT

The acl_entries argument often takes a specific format. For example, "user:DOMAIN\User:rwx" for a specific user, or "S-1-5-21-XXX:allow:F" for a SID with full control. Permissions can be 'rwx' (read, write, execute), 'R' (Read), 'W' (Write), 'X' (Execute), 'C' (Change), 'F' (Full Control), 'M' (Modify), 'P' (Partial/Execute). The 'type' can be 'allow' or 'deny'. This flexibility allows precise control matching Windows security descriptors.

PERMISSIONS TRANSLATION

When using 'rwx' style permissions, setcifsacl translates these to the corresponding Windows generic or specific access rights. For example, 'r' usually maps to FILE_GENERIC_READ, 'w' to FILE_GENERIC_WRITE, and 'x' to FILE_GENERIC_EXECUTE. Full control ('F') encompasses all possible rights.

HISTORY

The setcifsacl command is part of the cifs-utils package, which provides a collection of tools for mounting and managing CIFS/SMB filesystems on Linux. It was developed to extend Linux's capabilities to interact more seamlessly with Windows-based network shares, specifically by providing native command-line utilities for managing Windows-style ACLs, which are fundamental to security on SMB/CIFS. Its development aligns with the ongoing effort to improve interoperability between Linux and Windows environments, especially for server and client roles dealing with shared storage.

SEE ALSO

getcifsacl(1), smbcacls(8), getfacl(1), setfacl(1), chmod(1), chown(1), mount.cifs(8)
