
Share Permissions

Share permissions are an authorization policy, such as an access control list, that describes which actions users connecting to this share are allowed to perform on the shared resource. In addition to the file system’s own permissions, you can control access on a per-share basis by specifying one of the following configuration options:

  • permissions – Authorization policy in simple permissions format
  • security_descriptor – Authorization policy in SDDL format
Note: The above options are mutually exclusive, so providing both options to a share will result in an invalid configuration.

By default, a share is given read-only access to the group ‘everyone’.

Simple Permissions

If no options are specified, a share is given read-only access to the group ‘everyone’. To configure custom permissions, you can use a comma-separated list of access-allowed entries in a simple syntax described below:

permissions = <id1>:<access1>, <id2>:<access2>, ...

<id> can be:

  • Fusion File Share predefined group (‘everyone’, ‘anonymous’ and ‘authenticatedusers’ are currently supported)
  • Fusion File Share user name: ‘new-user’
  • System group name: ‘@group’
  • Security identifier (SID): ‘*S-1-1-0’

<access> can be:

  • ‘read’ – grants Read, ReadAttributes, ReadControl, and Execute access
  • ‘change’ – additionally grants Write, WriteAttributes, Append, and Delete access
  • ‘full’ – additionally grants DeleteChild, WriteDAC, and WriteOwner access
  • ‘no’ – denies all access

Default: everyone:read

To configure a share with full access for ‘everyone’:

permissions = everyone:full

To configure a share with read-only access for ‘everyone’:

permissions = everyone:read

To configure a share with full access for ‘test-user’ only:

permissions = test-user:full

To configure a share with full access for ‘test-user’ and read-only access for all the other users:

permissions = test-user:full, everyone:read

To configure a share to allow null sessions (for null sessions, refer to the section NULL Sessions (Anonymous users)):

permissions = anonymous:full

Null sessions can only be granted either full control or read-only access to disk shares.

The main limitation of this method is that it lacks granular control over access rights. For more fine-grained control, see the section Security Descriptor.

Security Descriptor

This option controls access to a share in the same way as the ‘permissions’ option described in the section Simple Permissions. The difference is that ‘security_descriptor’ accepts the authorization policy as an SDDL string, which allows granular control over access rights, whereas ‘permissions’ provides only high-level access control.

To configure a share with full access for ‘everyone’:

security_descriptor = O:SYG:SYD:(A;;FA;;;WD)

To configure a share with read-only access for ‘everyone’:

security_descriptor = O:SYG:SYD:(A;;0x1200a9;;;WD)

To configure a share to allow null sessions (for null sessions, refer to the section NULL Sessions (Anonymous users)):

security_descriptor = O:SYG:SYD:(A;;FA;;;AN)
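As an added example (not code from Fusion File Share or its documentation), the following Python translator renders the simple permissions syntax from the section Simple Permissions as the SDDL form used by ‘security_descriptor’, so the two syntaxes can be compared side by side and the mutually exclusive options checked for consistency. It assumes that ‘read’, ‘change’ and ‘full’ correspond to the standard Windows Read & Execute mask (0x1200a9, as in the page’s own example), the Modify mask (0x1301bf, i.e. the added Write, Append, WriteAttributes and Delete bits) and FILE_ALL_ACCESS (FA), that ‘authenticatedusers’ maps to the standard SDDL alias AU, and that user names and ‘@group’ names are resolved through a caller-supplied SID table, since they cannot be looked up offline; whether the server applies exactly these masks is not stated on this page.

```python
# SDDL aliases for the predefined groups named on this page (AU for
# 'authenticatedusers' is the standard SDDL alias; assumed here).
PREDEFINED_SIDS = {"everyone": "WD", "anonymous": "AN", "authenticatedusers": "AU"}

# Access masks. 'read' is the 0x1200a9 mask from the page's SDDL example;
# 'change' and 'full' add the rights listed under <access>, assumed to be the
# usual FILE_* and standard-rights bits carrying those names.
READ_MASK = 0x1200A9                              # Read, ReadEA, Execute, ReadAttributes, ReadControl, Synchronize
CHANGE_MASK = READ_MASK | 0x2 | 0x4 | 0x10 | 0x100 | 0x10000   # + Write, Append, WriteEA, WriteAttributes, Delete
FULL_MASK = CHANGE_MASK | 0x40 | 0x40000 | 0x80000             # + DeleteChild, WriteDAC, WriteOwner
ACCESS_MASKS = {"read": READ_MASK, "change": CHANGE_MASK, "full": FULL_MASK}


def _sid(ident, lookup):
    """Resolve a simple-permissions <id> to the SID form used in an SDDL ACE."""
    if ident in PREDEFINED_SIDS:
        return PREDEFINED_SIDS[ident]
    if ident.startswith("*S-"):                   # literal SID, e.g. '*S-1-1-0'
        return ident[1:]
    if ident not in lookup:                       # 'new-user' or '@group' need a directory lookup
        raise LookupError(f"no SID known for {ident!r}")
    return lookup[ident]


def _mask(level):
    """Render the access mask the way the page's examples do: FA, otherwise hex."""
    return "FA" if level == "full" else f"0x{ACCESS_MASKS[level]:x}"


def to_sddl(permissions, lookup=None):
    """Translate 'id:access, id:access, ...' into an equivalent security_descriptor value."""
    allow, deny = [], []
    for entry in permissions.split(","):
        ident, sep, level = (part.strip() for part in entry.partition(":"))
        if not sep or level not in ("read", "change", "full", "no"):
            raise ValueError(f"malformed entry {entry.strip()!r}")
        sid = _sid(ident, lookup or {})
        if level == "no":
            deny.append(f"(D;;FA;;;{sid})")       # 'no' denies all access
        else:
            allow.append(f"(A;;{_mask(level)};;;{sid})")
    # Canonical DACL order puts explicit deny ACEs before explicit allow ACEs, so a
    # deny entry takes effect regardless of where the admin typed it in the list.
    return "O:SYG:SYD:" + "".join(deny + allow)


if __name__ == "__main__":
    # Constructed sample: a made-up SID for 'test-user'.
    table = {"test-user": "S-1-5-21-1-2-3-1001"}
    for spec in ("everyone:full", "everyone:read", "anonymous:full", "test-user:full, everyone:read"):
        print(f"permissions = {spec:32} -> security_descriptor = {to_sddl(spec, table)}")
```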