na_fsecurity - Definition file for an fsecurity job
The fsecurity definition file describes an fsecurity job.
It is used as input to the na_fsecurity_apply(1) command
and contains a list of tasks that will be run against the
file system. This file can have any convenient name, and
can be stored in any convenient location in the local
volumes. The name of the file is given as a parameter to
the na_fsecurity_apply(1) command.
The definition file can be located anywhere in the file
system, in either ASCII or Unicode format. The first line
is always the file's signature, with task definitions on
each subsequent line.
The file signature is currently cb56f6f4, and it will be
updated when new versions of the file are supported. The
signature must be the only value on the line: no other
characters, including spaces, may appear on it.
Each task is a comma-separated list of values that are
defined as follows:
type,subtype,"path",propagation mode,"security definition"
type
    1 - Security Descriptor Definition Language (SDDL)
subtype
    0 - Standard
    1 - Storage-Level Access Guard (Guard)
path
    The path to the target file system object, in double-quotes.
propagation mode
    0 - Propagate inheritable permissions to all subfolders and files
    1 - Do not allow permissions on this file or folders to be replaced (Not implemented)
    2 - Replace existing permissions on all subfolders and files with inheritable permissions
security definition
    The security definition that will be applied to the specified path.
    The format is described by the type field, and is always enclosed
    in double-quotes.
For more information about SDDL syntax and proper formatting
of the security description value, see "Security
Descriptor String Format" at the following URL:
http://msdn2.microsoft.com/en-us/library/aa379567.aspx
NOTE: This file can also be generated by the secedit
utility, which is available for download from the NOW
Tool Chest.
This is a sample fsecurity definition file which propagates
a security descriptor down the /vol/vol0/qtree hierarchy.
The first task allows Everyone full control, and the second
task sets a Guard security descriptor which denies the
ability to Write.
cb56f6f4
1,0,"/vol/vol0/qtree",0,"D:(A;CIOI;0x1f01ff;;;Everyone)"
1,1,"/vol/vol0/qtree",0,"D:(D;CIOI;0x000002;;;Everyone)"
Any changes take effect after running the na_fsecurity_apply(1)
command.
Changes are persistent across system reboots.
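The format rules above, as an added example that is not part of the
original manual page: a Python check that can be run over a definition
file before it is handed to na_fsecurity_apply(1), shown here with the
sample from this page. The name lint_fsecurity, the rule that task
lines carry no whitespace around commas and no embedded double quotes,
and the assumption that the text is already decoded are not from the
manual.

```python
import re

SIGNATURE = "cb56f6f4"  # current signature value given on this page
TYPES = {1: "SDDL"}
SUBTYPES = {0: "Standard", 1: "Guard"}
MODES = {0: "propagate", 1: "no-replace", 2: "replace"}
# Assumption: no whitespace around commas, no embedded double quotes.
TASK_RE = re.compile(r'^(\d+),(\d+),"([^"]*)",(\d+),"([^"]*)"$')

# The sample definition file from this page.
SAMPLE = (
    'cb56f6f4\n'
    '1,0,"/vol/vol0/qtree",0,"D:(A;CIOI;0x1f01ff;;;Everyone)"\n'
    '1,1,"/vol/vol0/qtree",0,"D:(D;CIOI;0x000002;;;Everyone)"\n'
)


def lint_fsecurity(text):
    """Return (tasks, problems); problems are (line number, message)."""
    tasks, problems = [], []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # ignore only the final newline
    # The signature must be alone on line 1: a trailing space fails.
    if not lines or lines[0].rstrip("\r") != SIGNATURE:
        problems.append((1, "first line must be exactly " + SIGNATURE))
    for num, raw in enumerate(lines[1:], start=2):
        m = TASK_RE.match(raw.rstrip("\r"))
        if not m:
            problems.append((num, 'expected type,subtype,"path",mode,"definition"'))
            continue
        typ, sub, mode = int(m[1]), int(m[2]), int(m[4])
        found = []
        if typ not in TYPES:
            found.append(f"unknown type {typ}")
        if sub not in SUBTYPES:
            found.append(f"unknown subtype {sub}")
        if mode not in MODES:
            found.append(f"unknown propagation mode {mode}")
        elif mode == 1:
            found.append("propagation mode 1 is not implemented")
        if not m[3] or not m[5]:
            found.append("empty path or security definition")
        problems.extend((num, msg) for msg in found)
        if not found:
            tasks.append({"type": TYPES[typ], "subtype": SUBTYPES[sub],
                          "path": m[3], "mode": mode, "definition": m[5]})
    return tasks, problems
```

Calling lint_fsecurity(SAMPLE) returns both tasks and an empty problem
list; the SDDL string itself is not parsed.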
na_fsecurity(1)