.\" Copyright (c) 2007-2009 Jean-Pierre André.
.\" This file may be copied under the terms of the GNU Public License.
.\"
.TH NTFS-3G.SECAUDIT 8 "February 2010" "ntfs-3g.secaudit 1.4.1"
.SH NAME
ntfs-3g.secaudit \- NTFS Security Data Auditing
.SH SYNOPSIS
.B ntfs-3g.secaudit
\fB[\fIoptions\fP\fB]\fR
.I args
.PP
Where \fIoptions\fP is a combination of:
.RS
-a full auditing of security data (Linux only)
.RE
.RS
-b backup ACLs
.RE
.RS
-e setting extra backed-up parameters (in conjunction with -s)
.RE
.RS
-h displaying hexadecimal security descriptors saved in a file
.RE
.RS
-r recursing in a directory
.RE
.RS
-s setting backed-up ACLs
.RE
.RS
-u getting a user mapping proposal
.RE
.RS
-v verbose (very verbose if set twice)
.RE
.PP
and args define the parameters and the set of files acted upon.
.PP
Typing secaudit with no args will display a summary of available options.
.SH DESCRIPTION
\fBntfs-3g.secaudit\fR
displays the ownership and permissions of a set of files on an NTFS
file system, and checks their consistency. It can be started in terminal
mode only (no graphical user interface is available).
.PP
When a \fIvolume\fR is required, it has to be unmounted, and the command
has to be issued as \fBroot\fP. The \fIvolume\fR can be either a block
device (i.e. a disk partition) or an image file.
.PP
When acting on a directory or volume, the command may produce a lot
of information. It is therefore advisable to redirect the output to
a file or pipe it to a text editor for examination.
.SH OPTIONS
Below are the valid combinations of options and arguments that
\fBntfs-3g.secaudit\fR accepts. All the indicated arguments are
mandatory and must be unique (if wildcards are used, they must
resolve to a single name).
.TP
\fB-h\fP \fIfile\fP
Displays in a human-readable form the hexadecimal security descriptors
saved in \fIfile\fP. This can be used to turn a verbose output into a very
verbose output.
.TP
\fB-a[rv]\fP \fIvolume\fP
Audits the volume: all the global security data on \fIvolume\fP are scanned
and errors are displayed. If option \fB-r\fP is present, all files and
directories are also scanned and their relations to global security data
are checked. This can produce a lot of data.

This option is not effective on volumes formatted for old NTFS versions (pre
NTFS 3.0). Such volumes have no global security data.

When errors are signalled, it is advisable to repair the volume with an
appropriate tool (such as \fBchkdsk\fP on Windows).
.TP
\fB[-v]\fP \fIvolume\fP \fIfile\fP
Displays the security parameters of \fIfile\fP: its interpreted Linux mode
(rwx flags in octal) and POSIX ACL[1], its security key if any, and its
security descriptor if verbose output.
.TP
\fB-r[v]\fP \fIvolume\fP \fIdirectory\fP
Displays the security parameters of all files and subdirectories in
\fIdirectory\fP: their interpreted Linux mode (rwx flags in octal) and POSIX
ACL[1], their security key if any, and their security descriptor if
verbose output.
.TP
.B -b[v] \fIvolume\fP \fI[directory]\fP
Recursively extracts to standard output the NTFS ACLs of files in \fIvolume\fP
and \fIdirectory\fP.
.TP
\fB-s[ev]\fP \fIvolume\fP \fI[backup-file]\fP
Sets the NTFS ACLs as indicated in \fIbackup-file\fP or standard input. The
input data must have been created on Linux. With option \fB-e\fP, also sets
extra parameters (currently Windows attrib).
.TP
\fIvolume\fP \fIperms\fP \fIfile\fP
Sets the security parameters of \fIfile\fP to \fIperms\fP. Perms is the Linux
requested mode (rwx flags, expressed in octal form as in \fBchmod\fP) or
a POSIX ACL[1] (expressed as in \fBsetfacl -m\fP). This sets a new ACL
which is effective for Linux and Windows.
.TP
\fB-r[v]\fP \fIvolume\fP \fIperms\fP \fIdirectory\fP
Sets the security parameters of all files and subdirectories in
\fIdirectory\fP to \fIperms\fP. Perms is the Linux requested mode (rwx flags,
expressed in octal form as in \fBchmod\fP), or a POSIX ACL[1] (expressed as
in \fBsetfacl -m\fP). This sets new ACLs which are effective for Linux and
Windows.
.TP
\fB[-v]\fP \fImounted-file\fP
Displays the security parameters of \fImounted-file\fP: its interpreted
Linux mode (rwx flags in octal) and POSIX ACL[1], its security key if any,
and its security descriptor if verbose output. This is a special case which
acts on a mounted file (or directory) and does not require being root. The
POSIX ACL interpretation can only be displayed if the full path to
\fImounted-file\fP from the root of the global file tree is provided.
.TP
\fB-u[v]\fP \fImounted-file\fP
Displays proposed contents for a user mapping file, based on the
ownership parameters set by Windows on \fImounted-file\fP, assuming
this file was created on Windows by the user who should be mapped to the
current Linux user. The displayed information has to be copied to the
file \fB.NTFS-3G/UserMapping\fP where \fB.NTFS-3G\fP is a hidden
subdirectory of the root of the partition for which the mapping is to
be defined. This will cause the ownership of files created on that
partition to be the same as the original \fImounted-file\fP.
.SH NOTE
[1] provided the POSIX ACL option was selected at compile time. A POSIX ACL
specification looks like "\fB[d:]{ugmo}:[id]:[perms],...\fP" where id is a
numeric user or group id, and perms an octal digit or a set from the letters
r, w and x.
.RS
Example: "\fBu::7,g::5,o:0,u:510:rwx,g:500:5,d:u:510:7\fP"
.RE
.SH EXAMPLES
Audit the global security data on /dev/sda1:
.RS
.sp
.B ntfs-3g.secaudit -ar /dev/sda1
.sp
.RE
Display the ownership and permissions parameters for files in directory
/audio/music on device /dev/sda5, excluding sub-directories:
.RS
.sp
.B ntfs-3g.secaudit /dev/sda5 /audio/music
.sp
.RE
Set all files in directory /audio/music on device /dev/sda5 as writeable
by owner and read-only for everybody:
.RS
.sp
.B ntfs-3g.secaudit -r /dev/sda5 644 /audio/music
.sp
.RE
.SH EXIT CODES
.B ntfs-3g.secaudit
exits with a value of 0 when no error was detected, and with a value
of 1 when an error was detected.
.SH KNOWN ISSUES
Please see
.RS
.sp
http://www.tuxera.com/community/ntfs-3g-faq/
.sp
.RE
for common questions and known issues.
If you find a new one in the latest release of
the software, then please send an email describing it
in detail. You can contact the
development team at the ntfs\-3g\-devel@lists.sf.net
address.
.SH AUTHORS
.B ntfs-3g.secaudit
has been developed by Jean-Pierre André.
.SH THANKS
Several people made heroic efforts, often over five or more
years, which resulted in the ntfs-3g driver. Most importantly they are
Anton Altaparmakov, Richard Russon, Szabolcs Szakacsits, Yura Pakhuchiy,
Yuval Fledel, and the author of the groundbreaking FUSE filesystem development
framework, Miklos Szeredi.
.SH SEE ALSO
.BR ntfsprogs (8),
.BR attr (5),
.BR getfattr (1)
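An added example, not part of the ntfs-3g sources: a pre-flight check for a \fIperms\fP argument that parses the grammar given in NOTE and lists who would receive write access before the string is applied recursively with \fB-r\fP. The names `parse_perms` and `write_grants` are hypothetical; the example assumes that only the id-less tags m and o may use the short `tag:perms` form seen in the page's own "o:0", and it handles octal modes in the three-digit form only.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "default tag ident bits")

# One entry of the NOTE grammar: [d:]{ugmo}:[id]:[perms]
ENTRY_RE = re.compile(r"(d:)?([ugmo]):(?:(\d*):)?([0-7]|[rwx]*)")
BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """Parse a perms argument (octal mode or POSIX ACL spec) into entries."""
    if re.fullmatch(r"[0-7]{3}", text):
        # Three-digit chmod-style mode, e.g. 644 (only this form is handled).
        return [Entry(False, t, None, int(c)) for t, c in zip("ugo", text)]
    entries = []
    for raw in text.split(","):
        m = ENTRY_RE.fullmatch(raw)
        if not m:
            raise ValueError("malformed ACL entry: %r" % raw)
        default, tag, ident, perms = m.groups()
        if ident is None and tag in "ug":
            # Assumption: the short tag:perms form, as in the page's own
            # "o:0", is accepted only for the id-less tags m and o.
            raise ValueError("missing id field: %r" % raw)
        if ident and tag in "mo":
            raise ValueError("mask/other take no id: %r" % raw)
        # perms is one octal digit, or a (possibly empty) set of r, w, x.
        bits = int(perms) if perms.isdigit() else sum(BITS[c] for c in set(perms))
        entries.append(Entry(bool(default), tag, int(ident) if ident else None, bits))
    return entries


def write_grants(text):
    """List who would receive write access if text were applied."""
    who = {"u": "owner", "g": "owning group", "o": "other"}
    out = []
    for e in parse_perms(text):
        if e.bits & 2 and e.tag != "m":
            name = who[e.tag] if e.ident is None else "%sid %d" % (e.tag, e.ident)
            out.append(("default " if e.default else "") + name)
    return out
```

Entries reported with the "default" prefix come from `d:` entries, which apply to files created later in the directory rather than to the existing ones.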