When setting ACE flags, it is necessary to use the hex value "0x0", rather than simply not providing any flag:: ------------------------------ mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED//READ" ACE 'VPTC3\ptstest:ALLOWED//READ': bad named flags entry at 'READ' mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED/0x0/READ" mcrs3:/TCS # mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes REVISION:1 CONTROL:SR|DP OWNER:VPTC3\cifsuser GROUP:VPTC3\Domain Users ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO ACL:VPTC3\ptstest:ALLOWED/0x0/READ ACL:VPTC3\cifsuser:ALLOWED/CI/FULL ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO mcrs3:/TCS # ------------------------------ For the mask, some human-readable labels exist -- RWXDPO/READ/WRITE/FULL -- but for unlabeled permission combinations, hex values must be used. An improvement may be to have a "--verbose" option, that allows to see which of the underlying permissions types are granted/denied, and the meaning of the hex values, such as: ------------------------------ ... ACE: VPTC3\ptstest:ALLOWED/0x0/READ User/group: VPTC3\ptstest Type: Allowed Flags: [ ] Object inherit 0x01 [ ] Container inherit 0x02 [ ] No propagate 0x04 [ ] Inherit only 0x08 Mask: 0x001200A9 [ ] Full control 0x001F01FF [x] Traverse folder / execute file 0x00100020 [x] List folder / read data 0x00100001 [x] Read attributes 0x00100080 [x] Read extended attributes 0x00100008 [ ] Create files / write data 0x00100002 [ ] Create folders / append data 0x00100004 [ ] Write attributes 0x00100100 [ ] Write extended attributes 0x00100010 [ ] Delete subfolders and files 0x00100040 [ ] Delete 0x00110000 [x] Read permissions 0x00120000 [ ] Change permissions 0x00140000 [ ] Take ownership 0x00180000 ... ------------------------------
That format example looks great. Are you able to code up a patch for that ?
Sorry, creating a patch would be quite difficult for me. Can it be assigned to someone else?