<samba:parameter name="security mask"
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter controls what UNIX permission
bits can be modified when a Windows NT client is manipulating
the UNIX permission on a file using the native NT security
dialog box.</para>
<para>This parameter is applied as a mask (AND'ed with) to
the changed permission bits, thus preventing any bits not in
this mask from being modified. Essentially, zero bits in this
mask may be treated as a set of bits the user is not allowed
to change.</para>
<para>If not set explicitly this parameter is 0777, allowing
a user to modify all the user/group/world permissions on a file.
</para>
<para><emphasis>Note</emphasis> that users who can access the
Samba server through other means can easily bypass this
restriction, so it is primarily useful for standalone
"appliance" systems. Administrators of most normal systems will
probably want to leave it set to <constant>0777</constant>.</para>
<para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
<parameter moreinfo="none">force directory security mode</parameter></link>,
<link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory
security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
<parameter moreinfo="none">force security mode</parameter></link> parameters.</para>
<para>Default: <command moreinfo="none">security mask = 0777</command></para>
<para>Example: <command moreinfo="none">security mask = 0770</command></para>
</listitem>
</samba:parameter>