2016-04-07 15:20:23 +08:00
|
|
|
.\" Copyright (c) 2007-2016 Jean-Pierre André.
|
2009-10-19 16:22:52 +08:00
|
|
|
.\" This file may be copied under the terms of the GNU Public License.
|
|
|
|
.\"
|
2016-04-07 15:20:23 +08:00
|
|
|
.TH NTFSSECAUDIT 8 "February 2010" "ntfssecaudit 1.5.0"
|
2009-10-19 16:22:52 +08:00
|
|
|
.SH NAME
|
2016-04-07 15:20:23 +08:00
|
|
|
ntfssecaudit \- NTFS Security Data Auditing
|
2009-10-19 16:22:52 +08:00
|
|
|
.SH SYNOPSIS
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit
|
2009-10-19 16:22:52 +08:00
|
|
|
\fB[\fIoptions\fP\fB]\fR
|
|
|
|
.I args
|
|
|
|
.PP
|
|
|
|
Where \fIoptions\fP is a combination of :
|
|
|
|
.RS
|
|
|
|
-a full auditing of security data (Linux only)
|
|
|
|
.RE
|
|
|
|
.RS
|
|
|
|
-b backup ACLs
|
|
|
|
.RE
|
|
|
|
.RS
|
|
|
|
-e setting extra backed-up parameters (in conjunction with -s)
|
|
|
|
.RE
|
|
|
|
.RS
|
|
|
|
-h displaying hexadecimal security descriptors saved in a file
|
|
|
|
.RE
|
|
|
|
.RS
|
|
|
|
-r recursing in a directory
|
|
|
|
.RE
|
|
|
|
.RS
|
|
|
|
-s setting backed-up ACLs
|
|
|
|
.RE
|
|
|
|
.RS
|
2013-02-09 18:06:39 +08:00
|
|
|
-u getting a user mapping proposal
|
|
|
|
.RE
|
|
|
|
.RS
|
2009-10-19 16:22:52 +08:00
|
|
|
-v verbose (very verbose if set twice)
|
|
|
|
.RE
|
|
|
|
.PP
|
|
|
|
and args define the parameters and the set of files acted upon.
|
|
|
|
.PP
|
|
|
|
Typing secaudit with no args will display a summary of available options.
|
|
|
|
.SH DESCRIPTION
|
2016-04-07 15:20:23 +08:00
|
|
|
\fBntfssecaudit\fR
|
2009-10-19 16:22:52 +08:00
|
|
|
displays the ownership and permissions of a set of files on an NTFS
|
|
|
|
file system, and checks their consistency. It can be started in terminal
|
|
|
|
mode only (no graphical user interface is available.)
|
|
|
|
.PP
|
|
|
|
When a \fIvolume\fR is required, it has to be unmounted, and the command
|
|
|
|
has to be issued as \fBroot\fP. The \fIvolume\fR can be either a block
|
|
|
|
device (i.e. a disk partition) or an image file.
|
|
|
|
.PP
|
|
|
|
When acting on a directory or volume, the command may produce a lot
|
|
|
|
of information. It is therefore advisable to redirect the output to
|
|
|
|
a file or pipe it to a text editor for examination.
|
|
|
|
.SH OPTIONS
|
|
|
|
Below are the valid combinations of options and arguments that
|
2016-04-07 15:20:23 +08:00
|
|
|
\fBntfssecaudit\fR accepts. All the indicated arguments are
|
2009-10-19 16:22:52 +08:00
|
|
|
mandatory and must be unique (if wildcards are used, they must
|
|
|
|
resolve to a single name.)
|
|
|
|
.TP
|
|
|
|
\fB-h\fP \fIfile\fP
|
|
|
|
Displays in an human readable form the hexadecimal security descriptors
|
|
|
|
saved in \fIfile\fP. This can be used to turn a verbose output into a very
|
|
|
|
verbose output.
|
|
|
|
.TP
|
|
|
|
\fB-a[rv]\fP \fIvolume\fP
|
|
|
|
Audits the volume : all the global security data on \fIvolume\fP are scanned
|
|
|
|
and errors are displayed. If option \fB-r\fP is present, all files and
|
|
|
|
directories are also scanned and their relations to global security data
|
|
|
|
are checked. This can produce a lot of data.
|
|
|
|
|
|
|
|
This option is not effective on volumes formatted for old NTFS versions (pre
|
|
|
|
NTFS 3.0). Such volumes have no global security data.
|
|
|
|
|
|
|
|
When errors are signalled, it is advisable to repair the volume with an
|
|
|
|
appropriate tool (such as \fBchkdsk\fP on Windows.)
|
|
|
|
.TP
|
|
|
|
\fB[-v]\fP \fIvolume\fP \fIfile\fP
|
|
|
|
Displays the security parameters of \fIfile\fP : its interpreted Linux mode
|
|
|
|
(rwx flags in octal) and Posix ACL[1], its security key if any, and its
|
|
|
|
security descriptor if verbose output.
|
|
|
|
.TP
|
|
|
|
\fB-r[v]\fP \fIvolume\fP \fIdirectory\fP
|
|
|
|
displays the security parameters of all files and subdirectories in
|
|
|
|
\fIdirectory\fP : their interpreted Linux mode (rwx flags in octal) and Posix
|
|
|
|
ACL[1], their security key if any, and their security descriptor if
|
|
|
|
verbose output.
|
|
|
|
.TP
|
|
|
|
.B -b[v] \fIvolume\fP \fI[directory]\fP
|
|
|
|
Recursively extracts to standard output the NTFS ACLs of files in \fIvolume\fP
|
|
|
|
and \fIdirectory\fP.
|
|
|
|
.TP
|
|
|
|
\fB-s[ev]\fP \fIvolume\fP \fI[backup-file]\fP
|
|
|
|
Sets the NTFS ACLS as indicated in \fIbackup-file\fP or standard input. The
|
|
|
|
input data must have been created on Linux. With option \fB-e\fP, also sets
|
|
|
|
extra parameters (currently Windows attrib).
|
|
|
|
.TP
|
|
|
|
\fIvolume\fP \fIperms\fP \fIfile\fP
|
|
|
|
Sets the security parameters of file to perms. Perms is the Linux
|
|
|
|
requested mode (rwx flags, expressed in octal form as in chmod) or
|
|
|
|
a Posix ACL[1] (expressed like in setfacl -m). This sets a new ACL
|
|
|
|
which is effective for Linux and Windows.
|
|
|
|
.TP
|
|
|
|
\fB-r[v]\fP \fIvolume\fP \fIperms\fP \fIdirectory\fP
|
|
|
|
Sets the security parameters of all files and subdirectories in
|
|
|
|
\fIdirectory\fP to \fIperms\fP. Perms is the Linux requested mode (rwx flags,
|
|
|
|
expressed in octal form as in \fBchmod\fP), or a Posix ACL[1] (expressed like
|
|
|
|
in \fBsetfacl -m\fP.) This sets new ACLs which are effective for Linux and
|
|
|
|
Windows.
|
|
|
|
.TP
|
|
|
|
\fB[-v]\fP \fImounted-file\fP
|
|
|
|
Displays the security parameters of \fImounted-file\fP : its interpreted
|
|
|
|
Linux mode (rwx flags in octal) and Posix ACL[1], its security key if any,
|
|
|
|
and its security descriptor if verbose output. This is a special case which
|
|
|
|
acts on a mounted file (or directory) and does not require being root. The
|
|
|
|
Posix ACL interpretation can only be displayed if the full path to
|
|
|
|
\fImounted-file\fP from the root of the global file tree is provided.
|
2013-02-09 18:06:39 +08:00
|
|
|
.TP
|
|
|
|
\fB-u[v]\fP \fImounted-file\fP
|
|
|
|
Displays a proposed contents for a user mapping file, based on the
|
|
|
|
ownership parameters set by Windows on \fImounted-file\fP, assuming
|
|
|
|
this file was created on Windows by the user who should be mapped to the
|
|
|
|
current Linux user. The displayed information has to be copied to the
|
|
|
|
file \fB.NTFS-3G/UserMapping\fP where \fB.NTFS-3G\fP is a hidden
|
|
|
|
subdirectory of the root of the partition for which the mapping is to
|
|
|
|
be defined. This will cause the ownership of files created on that
|
|
|
|
partition to be the same as the original \fImounted-file\fP.
|
2009-10-19 16:22:52 +08:00
|
|
|
.SH NOTE
|
|
|
|
[1] provided the POSIX ACL option was selected at compile time. A Posix ACL
|
|
|
|
specification looks like "\fB[d:]{ugmo}:[id]:[perms],...\fP" where id is a
|
|
|
|
numeric user or group id, and perms an octal digit or a set from the letters
|
|
|
|
r, w and x.
|
|
|
|
.RS
|
|
|
|
Example : "\fBu::7,g::5,o:0,u:510:rwx,g:500:5,d:u:510:7\fP"
|
|
|
|
.SH EXAMPLES
|
|
|
|
Audit the global security data on /dev/sda1
|
|
|
|
.RS
|
|
|
|
.sp
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit -ar /dev/sda1
|
2009-10-19 16:22:52 +08:00
|
|
|
.sp
|
|
|
|
.RE
|
|
|
|
Display the ownership and permissions parameters for files in directory
|
|
|
|
/audio/music on device /dev/sda5, excluding sub-directories :
|
|
|
|
.RS
|
|
|
|
.sp
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit /dev/sda5 /audio/music
|
2009-10-19 16:22:52 +08:00
|
|
|
.sp
|
|
|
|
.RE
|
|
|
|
Set all files in directory /audio/music on device /dev/sda5 as writeable
|
|
|
|
by owner and read-only for everybody :
|
|
|
|
.RS
|
|
|
|
.sp
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit -r /dev/sda5 644 /audio/music
|
2009-10-19 16:22:52 +08:00
|
|
|
.sp
|
|
|
|
.RE
|
|
|
|
.SH EXIT CODES
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit
|
2009-10-19 16:22:52 +08:00
|
|
|
exits with a value of 0 when no error was detected, and with a value
|
|
|
|
of 1 when an error was detected.
|
|
|
|
.SH KNOWN ISSUES
|
|
|
|
Please see
|
|
|
|
.RS
|
|
|
|
.sp
|
2009-11-14 03:36:22 +08:00
|
|
|
http://www.tuxera.com/community/ntfs-3g-faq/
|
2009-10-19 16:22:52 +08:00
|
|
|
.sp
|
|
|
|
.RE
|
|
|
|
for common questions and known issues.
|
|
|
|
If you would find a new one in the latest release of
|
|
|
|
the software then please send an email describing it
|
|
|
|
in detail. You can contact the
|
|
|
|
development team on the ntfs\-3g\-devel@lists.sf.net
|
|
|
|
address.
|
|
|
|
.SH AUTHORS
|
2016-04-07 15:20:23 +08:00
|
|
|
.B ntfssecaudit
|
2009-10-19 16:22:52 +08:00
|
|
|
has been developed by Jean-Pierre André.
|
|
|
|
.SH THANKS
|
|
|
|
Several people made heroic efforts, often over five or more
|
|
|
|
years which resulted the ntfs-3g driver. Most importantly they are
|
|
|
|
Anton Altaparmakov, Richard Russon, Szabolcs Szakacsits, Yura Pakhuchiy,
|
|
|
|
Yuval Fledel, and the author of the groundbreaking FUSE filesystem development
|
|
|
|
framework, Miklos Szeredi.
|
|
|
|
.SH SEE ALSO
|
|
|
|
.BR ntfsprogs (8),
|
|
|
|
.BR attr (5),
|
|
|
|
.BR getfattr (1)
|