Displaying information about file security on NTFS security-style FlexVol volumes

You can display information about file and directory security on NTFS security-style FlexVol volumes, including what the security style and effective security styles are, what permissions are applied, and information about DOS attributes. You can use the results to validate your security configuration or to troubleshoot file access issues.

About this task

You must supply the name of the Vserver that contains the data and the path to the data whose file or directory security information you want to display. If you want to customize the output, you can use the following optional parameters to display information only about file and directory security settings that match the specified parameters:
Optional parameter
  Description

-fields fieldsname,...
  You can use this parameter to display information on the fields you specify. You can use this parameter either alone or in combination with other optional parameters.

-instance
  Displays detailed information about all entries.

-volume-name volume_name
  Displays information where the specified path is relative to the specified volume. If this parameter is not specified, the Vserver root volume is taken as default.

-share-name share_name
  Displays information where the specified path is relative to the root of the specified share. If this parameter is not specified, the Vserver root volume is taken as default.

-lookup-names {true|false}
    • If set to true, the command displays information about file and directory security for files and directories where the information about owner and group is stored as names.
    • If set to false, the command displays information about file and directory security for files and directories where the information about owner and group is stored as SIDs.

-expand-mask {true|false}
    • If set to true, the command displays information about file and directory security for files and directories where the hexadecimal bit mask entries are stored in expanded form.
    • If set to false, the command displays information about file and directory security for files and directories where the hexadecimal bit mask entries are stored in collapsed form.
  Note: By default, if the value of -expand-mask is set to false, the value displayed for the Expanded Dos Attributes output field is "-". You must set the value of this option to true if you want to display the expanded DOS attributes.

-security-style {unix|ntfs|mixed|unified}
  Displays information for files and directories with paths in volumes of the specified security style. This command is not supported for Vservers with Infinite Volumes; therefore, the unified value is not valid for this release.

  This is the associated security type of the volume or qtree.

-effective-style {unix|ntfs|mixed|unified}
  Displays information for files and directories with the specified effective security style on the path. This command is not supported for Vservers with Infinite Volumes; therefore, the unified value is not valid for this release.

  This is the security scheme in effect for a given file or directory. A file or directory can have one of two security styles, either NTFS or UNIX. The effective security style is important with mixed security-style volumes and qtrees since a file or directory can have either NTFS-effective or UNIX-effective security (but not both).

-dos-attributes hex_integer
  Displays information only for files and directories with the specified DOS attributes.

-text-dos-attr text
  Displays information only for files and directories with the specified text DOS attributes.

-expanded-dos-attr text
  Displays information only for files and directories with the specified extended DOS attributes.

-user-id unix_user_ID
  Displays information only for files and directories with the specified UNIX user ID.

-group-id unix_group_ID
  Displays information only for files and directories with the specified UNIX group ID.

-mode-bits octal_permissions
  Displays information only for files and directories with the specified UNIX mode bits in octal form.

-text-mode-bits text
  Displays information only for files and directories with the specified UNIX mode bits in text form.

-acls security_acls
  Displays information only for files and directories with the specified ACLs. You can enter the following information:
    • Type of ACL, which can be NTFS or NFSv4

      For NTFS security-style volumes and qtrees, the ACL type must be NTFS.

    • Control bits in the security descriptors
    • Owner, which applies only in the case of NTFS security descriptors
    • Group, which applies only in the case of NTFS security descriptors
    • Access control entries (ACEs), which include both discretionary access control list (DACL) and system access control list (SACL) entries in the ACL
  Note: UNIX-related output fields contain display-only UNIX file permission information. NTFS security-style volumes and qtrees use only NTFS file permissions and Windows users and groups when determining file access rights.

Step

  1. Display file and directory security settings:
    vserver security file-directory show -vserver vserver_name -path path optional_parameters

Examples

The following example displays the security information about the path /vol4 in Vserver vs1:

cluster::> vserver security file-directory show -vserver vs1 -path /vol4
                  
                                 Vserver: vs1
                               File Path: /vol4
                          Security Style: ntfs
                         Effective Style: ntfs
                          DOS Attributes: 10
                  DOS Attributes in Text: ----D---
                 Expanded Dos Attributes: -
                            Unix User Id: 0
                           Unix Group Id: 0
                          Unix Mode Bits: 777
                  Unix Mode Bits in Text: rwxrwxrwx
                                    ACLs: NTFS Security Descriptor
                                          Control:0x8004
                                          Owner:BUILTIN\Administrators
                                          Group:BUILTIN\Administrators
                                          DACL - ACEs
                                          ALLOW-Everyone-0x1f01ff
                                          ALLOW-Everyone-0x10000000-OI|CI|IO

The following example displays the security information with expanded masks about the path /data/engineering in Vserver vs1:

cluster::> vserver security file-directory show -vserver vs1 -path /data/engineering -expand-mask true

                Vserver: vs1
              File Path: /data/engineering
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
     ...0 .... .... .... = Offline
     .... ..0. .... .... = Sparse
     .... .... 0... .... = Normal
     .... .... ..0. .... = Archive
     .... .... ...1 .... = Directory
     .... .... .... .0.. = System
     .... .... .... ..0. = Hidden
     .... .... .... ...0 = Read Only
           Unix User Id: 0
          Unix Group Id: 0
         Unix Mode Bits: 777
 Unix Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004

                             1... .... .... .... = Self Relative
                             .0.. .... .... .... = RM Control Valid
                             ..0. .... .... .... = SACL Protected
                             ...0 .... .... .... = DACL Protected
                             .... 0... .... .... = SACL Inherited
                             .... .0.. .... .... = DACL Inherited
                             .... ..0. .... .... = SACL Inherit Required
                             .... ...0 .... .... = DACL Inherit Required
                             .... .... ..0. .... = SACL Defaulted
                             .... .... ...0 .... = SACL Present
                             .... .... .... 0... = DACL Defaulted
                             .... .... .... .1.. = DACL Present
                             .... .... .... ..0. = Group Defaulted
                             .... .... .... ...0 = Owner Defaulted

                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                             0... .... .... .... .... .... .... .... = Generic Read
                             .0.. .... .... .... .... .... .... .... = Generic Write
                             ..0. .... .... .... .... .... .... .... = Generic Execute
                             ...0 .... .... .... .... .... .... .... = Generic All
                             .... ...0 .... .... .... .... .... .... = System Security
                             .... .... ...1 .... .... .... .... .... = Synchronize
                             .... .... .... 1... .... .... .... .... = Write Owner
                             .... .... .... .1.. .... .... .... .... = Write DAC
                             .... .... .... ..1. .... .... .... .... = Read Control
                             .... .... .... ...1 .... .... .... .... = Delete
                             .... .... .... .... .... ...1 .... .... = Write Attributes
                             .... .... .... .... .... .... 1... .... = Read Attributes
                             .... .... .... .... .... .... .1.. .... = Delete Child
                             .... .... .... .... .... .... ..1. .... = Execute
                             .... .... .... .... .... .... ...1 .... = Write EA
                             .... .... .... .... .... .... .... 1... = Read EA
                             .... .... .... .... .... .... .... .1.. = Append
                             .... .... .... .... .... .... .... ..1. = Write
                             .... .... .... .... .... .... .... ...1 = Read

                           ALLOW-Everyone-0x10000000-OI|CI|IO
                             0... .... .... .... .... .... .... .... = Generic Read
                             .0.. .... .... .... .... .... .... .... = Generic Write
                             ..0. .... .... .... .... .... .... .... = Generic Execute
                             ...1 .... .... .... .... .... .... .... = Generic All
                             .... ...0 .... .... .... .... .... .... = System Security
                             .... .... ...0 .... .... .... .... .... = Synchronize
                             .... .... .... 0... .... .... .... .... = Write Owner
                             .... .... .... .0.. .... .... .... .... = Write DAC
                             .... .... .... ..0. .... .... .... .... = Read Control
                             .... .... .... ...0 .... .... .... .... = Delete
                             .... .... .... .... .... ...0 .... .... = Write Attributes
                             .... .... .... .... .... .... 0... .... = Read Attributes
                             .... .... .... .... .... .... .0.. .... = Delete Child
                             .... .... .... .... .... .... ..0. .... = Execute
                             .... .... .... .... .... .... ...0 .... = Write EA
                             .... .... .... .... .... .... .... 0... = Read EA
                             .... .... .... .... .... .... .... .0.. = Append
                             .... .... .... .... .... .... .... ..0. = Write
                             .... .... .... .... .... .... .... ...0 = Read
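
The following Python is an added example, not part of the original documentation: it expands the collapsed Control and ACE masks from the first output above, using the bit labels shown in the -expand-mask output, and lists ALLOW entries that give Everyone rights to change or take over the ACL. The DENY prefix, the RISKY set and the function names are assumptions of this example.

```python
import re

# Bit positions and labels copied from the -expand-mask output on this page.
ACCESS_BITS = {31: "Generic Read", 30: "Generic Write", 29: "Generic Execute",
               28: "Generic All", 24: "System Security", 20: "Synchronize",
               19: "Write Owner", 18: "Write DAC", 17: "Read Control", 16: "Delete",
               8: "Write Attributes", 7: "Read Attributes", 6: "Delete Child",
               5: "Execute", 4: "Write EA", 3: "Read EA", 2: "Append",
               1: "Write", 0: "Read"}
CONTROL_BITS = {15: "Self Relative", 14: "RM Control Valid", 13: "SACL Protected",
                12: "DACL Protected", 11: "SACL Inherited", 10: "DACL Inherited",
                9: "SACL Inherit Required", 8: "DACL Inherit Required",
                5: "SACL Defaulted", 4: "SACL Present", 3: "DACL Defaulted",
                2: "DACL Present", 1: "Group Defaulted", 0: "Owner Defaulted"}
# Assumption: DENY entries use the same TYPE-principal-mask[-flags] layout as ALLOW.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")
# Policy choice of this example: rights that let a holder change or take over the ACL.
RISKY = {"Generic All", "Write DAC", "Write Owner"}

def expand(value, table):
    """Return the labels of all set bits, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True) if value >> bit & 1]

def parse_show(text):
    """Parse the collapsed ACL lines of 'vserver security file-directory show'."""
    result = {"control": [], "aces": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Control:"):
            result["control"] = expand(int(line.split(":", 1)[1], 16), CONTROL_BITS)
        m = ACE_RE.match(line)
        if m:
            kind, who, mask, flags = m.groups()
            result["aces"].append({"type": kind, "principal": who,
                                   "rights": expand(int(mask, 16), ACCESS_BITS),
                                   "flags": flags.split("|") if flags else []})
    return result

def broad_grants(parsed, principal="Everyone"):
    """Return ALLOW ACEs that give `principal` any right in RISKY."""
    return [a for a in parsed["aces"] if a["type"] == "ALLOW"
            and a["principal"] == principal and RISKY & set(a["rights"])]

# Constructed sample: ACL lines taken from the /vol4 output shown on this page.
SAMPLE = """
    Control:0x8004
    DACL - ACEs
    ALLOW-Everyone-0x1f01ff
    ALLOW-Everyone-0x10000000-OI|CI|IO
"""
```

Calling broad_grants(parse_show(SAMPLE)) returns both Everyone entries. An ACE carrying the IO flag is inherit-only, so it describes what child objects receive rather than access to the path itself and is worth reporting separately.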