用NT的安全對話框來觀察和改變UNIX許可權
Viewing and changing UNIX permissions using the NT security dialogs in Samba
2.0.4
在samba中用NT的安全對話框來觀察和改變UNIX許可權。
Jeremy Allison, Samba Team
12th April 1999
Table of Contents
------------------------------------------------------------------------------
--
Viewing and changing UNIX permissions using the NT security dialogs
用NT的安全對話框來觀察和改變UNIX許可權
-------------------------------------------------------------------
New in the Samba 2.0.4 release is the ability for Windows NT clients to use
their native security settings dialog box to view and modify the underlying
UNIX permissions.
這項smba 2.0.4版本提出的新功能可以使NT客戶用他們本地的安全設定對話框來觀察和修
改根本的UNIX許可權。
Note that this ability is careful not to compromise the security of the UNIX
host Samba is running on, and still obeys all the file permission rules that
a Samba administrator can set.
注意小心使用這項功能不會危及正在運行samba的UNIX主機安全,它仍然服從所有的samba
管理員設定的文件許可權規則。
In Samba 2.0.4 and above the default value of the parameter "nt acl support"
has been changed from "false" to "true", so manipulation of permissions is
turned on by default.
samba 2.0.4及以上版本已經把"nt acl support"參數的默認值從「false」改成了「true
」,所以說默認情況下許可權操作已經被允許了。
How to view file security on a Samba share
如何來觀察samba共享文件的安全性
------------------------------------------
From an NT 4.0 client, single-click with the right mouse button on any file
or directory in a Samba mounted drive letter or UNC path. When the menu
pops-up, click on the Properties entry at the bottom of the menu. This brings
up the normal file properties dialog box, but with Samba 2.0.4 this will have
a new tab along the top marked Security. Click on this tab and you will see
three buttons, Permissions, Auditing, and Ownership. The Auditing button will
cause either an error message "A requested privilege is not held by the
client" to appear if the user is not the NT Administrator, or a dialog which
is intended to allow an Administrator to add auditing requirements to a file
if the user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only useful button,
the Add button will not currently allow a list of users to be seen.
方法是:NT客戶用滑鼠右鍵單擊任何位於samba共享設備符或UNC路徑上的文件或目錄,在
彈出的菜單底部點擊「屬性」項,這時會出現普通文件屬性對話框,而samba 2.0.4會在
安全性標記的頂部給出一個新的表項。單擊這個表項可以看到三個按鈕,Permissions,
Auditing, 和 Ownership。點擊Auditing按鈕,如果用戶並不是NT管理員的話將會出現一
個錯誤信息:「客戶沒有足夠許可權」;如果用戶以管理員身份登錄的話會出現一個對話框
允許管理員對文件加入審核信息。此時,對話框中關於samba共享資源的部分將無效,因
為僅有的可用按鈕「Add」會不允許查看一份用戶列表。
Viewing file ownership
查看文件屬主
----------------------
Clicking on the "Ownership" button brings up a dialog box telling you who
owns the given file. The owner name will be of the form :
點擊「Ownership」按鈕你可以查看給出文件的屬主。屬主名稱以下面的形式列出:
"SERVERuser (Long name)"
Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the discriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database). Click on the Close button to remove this dialog.
此處的SERVER是samba伺服器的NetBIOS名,user是擁有這個文件的UNIX用戶名,而(Long
name)是用來識別用戶的描述字串(通常這部分內容可以在UNIX口令資料庫的GECOS欄位找
到)。這時在Close按鈕上點擊可以關閉這個對話框。
If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone".
如果把"nt acl support"參數設為「false」則文件屬主將以NT用戶「Everyone」來顯示
。
The Take Ownership button will not allow you to change the ownership of this
file to yourself (clicking on it will display a dialog box complaining that
the user you are currently logged onto the NT client cannot be found). The
reason for this is that changing the ownership of a file is a privilaged
operation in UNIX, available only to the root user. As clicking on this
button causes NT to attempt to change the ownership of a file to the current
user logged into the NT client this will not work with Samba at this time.
Take Ownership按鈕並不能把文件的屬主改變成你自己(在這個按鈕上點擊的話將顯示一
個對話框通知你當前登錄的身份並沒有找到,也就是和文件屬主身份不匹配)。原因是在
UNIX中只有root有權進行改變文件屬主的操作。點擊這個按鈕將使NT嘗試把文件的屬主改
成當前登錄的用戶身份,此時samba並不會進行這樣的操作。
There is an NT chown command that will work with Samba and allow a user with
Administrator privillage connected to a Samba 2.0.4 server as root to change
the ownership of files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the Seclib NT security library
written by Jeremy Allison of the Samba Team, available from the main Samba
ftp site.
有一個chown命令可以和samba一起使用使用戶可以管理員許可權聯接到samba 2.0.4並用
root身份改變位於本地NTFS文件系統或可映射的遠程NTFS及samba資源設備上的文件屬主
。當然這個由samba開發組成員Jeremy Allison寫的Seclib NT安全庫部件可以從samba的
主FTP站點獲得。
Viewing file or directory permissions
查看文件或目錄的許可權
-------------------------------------
The third button is the "Permissions" button. Clicking on this brings up a
dialog box that shows both the permissions and the UNIX owner of the file or
directory. The owner is displayed in the form :
對話框中第三個按鈕是「Permissions」按鈕。點擊它可以顯示文件或目錄的許可權及UNIX
屬主。屬主的顯示形式象下面這樣:
"SERVERuser (Long name)"
Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the discriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database).
此處的SERVER是samba伺服器的NetBIOS名,user是擁有這個文件的UNIX用戶名,而(Long
name)是用來識別用戶的描述字串(通常這部分內容可以在UNIX口令資料庫的GECOS欄位找
到)。
If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone" and the permissions will be shown as NT
"Full Control".
如果把"nt acl support"參數設為「false」則文件屬主將以NT用戶「Everyone」來顯示
,同時許可權將顯示NT的「Full Control」。
The permissions field is displayed differently for files and directories, so
I'll describe the way file permissions are displayed first.
文件和目錄顯示的許可權欄位有些區別。所以我先介紹一下文件許可權的情況。
File Permissions
文件許可權
----------------
The standard UNIX user/group/world triple and the correspinding "read",
"write", "execute" permissions triples are mapped by Samba into a three
element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into the global NT
group Everyone, followed by the list of permissions allowed for UNIX world.
The UNIX owner and group permissions are displayed as an NT user icon and an
NT local group icon respectively followed by the list of permissions allowed
for the UNIX user and group.
UNIX標準的user/group/world三項和「read」,「write」,「execute」三個許可權可以由
samba映射到NT存取控制表ACL中相應的「r」,「w」「x」位以對應NT的標準許可權項。
UNIX的world許可權被映射到NT全局組Everyone以跟接UNIX的world對應的許可權列表。UNIX的
owner和group許可權在NT中分別以用戶圖標及本地組圖標來顯示並跟接UNIX中user和group
對應的許可權列表。
As many UNIX permission sets don't map into common NT names such as "read",
"change" or "full control" then usually the permissions will be prefixed by
the words "Special Access" in the NT display list.
由於很多UNIX許可權設置不能映射到NT中稱為「read」「change」「full control」的常用
屬性,所以通常情況下這些許可權將在NT顯示列表中被加上關鍵字「Special Access」。
But what happens if the file has no permissions allowed for a particular UNIX
user group or world component ? In order to allow "no permissions" to be seen
and modified then Samba overloads the NT "Take Ownership" ACL attribute
(which has no meaning in UNIX) and reports a component with no permissions as
having the NT "O" bit set. This was chosen of course to make it look like a
zero, meaning zero permissions. More details on the decision behind this will
be given below.
但是在文件對於一些特殊的屬於user,group或者world的UNIX成員來說並沒有訪問許可權的
情形下將發生什麼樣的狀況呢?為了允許查看和修改「no permissions」許可權的文件,
samba越過NT的「Take Ownership」ACL屬性(在UNIX中此屬性無意義)報告與NT中設置位「
O」許可權類似的無許可權成分。之所以做出這樣的選擇,是為了使它看上去和零一樣。零,
即意味著零許可權。你可以在後面看到關於討論這個問題的更多細節。
Directory Permissions
目錄許可權
---------------------
Directories on an NT NTFS file system have two different sets of permissions.
The first set of permissions is the ACL set on the directory itself, this is
usually displayed in the first set of parentheses in the normal "RW" NT
style. This first set of permissions is created by Samba in exactly the same
way as normal file permissions are, described above, and is displayed in the
same way.
NTFS文件系統中的目錄有兩種不同的許可權設定。第一種是目錄本身的存取控制列有,它通
常在第一個設定括弧中以普通NT的「RW」風格來顯示。第一組許可權設定由samba以和普通
文件許可權一樣的方法來建立、描述和顯示。
The second set of directory permissions has no real meaning in the UNIX
permissions world and represents the "inherited" permissions that any file
created within this directory would inherit.
目錄許可權的第二種設定方法在UNIX許可權world中沒有實際意義,並且表現為和目錄一起建
立的任何文件應該繼承的「繼承」許可權。
Samba synthesises these inherited permissions for NT by returning as an NT
ACL the UNIX permission mode that a new file created by Samba on this share
would receive.
Samba 通過建立一個可以在共享資源上得到的新文件來返回類似於NT ACL一樣的UNIX許可權
模式,為NT合併從UNIX繼承而來的許可許可權。
Modifying file or directory permissions
