Skip to main content

Allow users or groups to bypass directory traverse checking

Contributors netapp-ahibbard netapp-thomi

If you want a user to be able traverse all the directories in the path to a file even if the user does not have permissions on a traversed directory, you can add the SeChangeNotifyPrivilege privilege to local SMB users or groups on storage virtual machines (SVMs). By default, users are able to bypass directory traverse checking.

Before you begin
  • A SMB server must be exist on the SVM.

  • The local users and groups SMB server option must be enabled.

  • The local or domain user or group to which the SeChangeNotifyPrivilege privilege will be added must already exist.

About this task

When adding privileges to a domain user or group, ONTAP might validate the domain user or group by contacting the domain controller. The command might fail if ONTAP cannot contact the domain controller.

Steps
  1. Enable bypass traverse checking by adding the SeChangeNotifyPrivilege privilege to a local or domain user or group: vserver cifs users-and-groups privilege add-privilege -vserver vserver_name -user-or-group-name name -privileges SeChangeNotifyPrivilege

    The value for the -user-or-group-name parameter is a local user or group, or a domain user or group.

  2. Verify that the specified user or group has bypass traverse checking enabled: vserver cifs users-and-groups privilege show -vserver vserver_name ‑user-or-group-name name

Example

The following command enables users that belong to the “EXAMPLE\eng” group to bypass directory traverse checking by adding the SeChangeNotifyPrivilege privilege to the group:

cluster1::> vserver cifs users-and-groups privilege add-privilege -vserver vs1 -user-or-group-name EXAMPLE\eng -privileges SeChangeNotifyPrivilege

cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name    Privileges
--------- --------------------- ---------------
vs1       EXAMPLE\eng           SeChangeNotifyPrivilege