Release notes
Disallow users or groups from bypassing directory traverse checking
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
If you do not want a user to traverse all the directories in the path to a file because the user does not have permissions on the traversed directory, you can remove the SeChangeNotifyPrivilege privilege from local SMB users or groups on storage virtual machines (SVMs).
The local or domain user or group from which privileges will be removed must already exist.
When removing privileges from a domain user or group, ONTAP might validate the domain user or group by contacting the domain controller. The command might fail if ONTAP cannot contact the domain controller.
-
Disallow bypass traverse checking:
vserver cifs users-and-groups privilege remove-privilege -vserver vserver_name -user-or-group-name name -privileges SeChangeNotifyPrivilegeThe command removes the
SeChangeNotifyPrivilegeprivilege from the local or domain user or group that you specify with the value for the-user-or-group-name nameparameter. -
Verify that the specified user or group has bypass traverse checking disabled:
vserver cifs users-and-groups privilege show -vserver vserver_name ‑user-or-group-name name
The following command disallows users that belong to the “EXAMPLE\eng” group from bypassing directory traverse checking:
cluster1::> vserver cifs users-and-groups privilege show -vserver vs1 Vserver User or Group Name Privileges --------- --------------------- ----------------------- vs1 EXAMPLE\eng SeChangeNotifyPrivilege cluster1::> vserver cifs users-and-groups privilege remove-privilege -vserver vs1 -user-or-group-name EXAMPLE\eng -privileges SeChangeNotifyPrivilege cluster1::> vserver cifs users-and-groups privilege show -vserver vs1 Vserver User or Group Name Privileges --------- --------------------- ----------------------- vs1 EXAMPLE\eng -
Allowing users or groups to bypass directory traverse checking