Disallow users or groups from bypassing directory traverse checking
If you do not want a user to traverse all the directories in the path to a file because the user does not have permissions on the traversed directory, you can remove the SeChangeNotifyPrivilege privilege from local SMB users or groups on storage virtual machines (SVMs).
The local or domain user or group from which privileges will be removed must already exist.
When removing privileges from a domain user or group, ONTAP might validate the domain user or group by contacting the domain controller. The command might fail if ONTAP cannot contact the domain controller.
- Disallow bypass traverse checking:
  vserver cifs users-and-groups privilege remove-privilege -vserver vserver_name -user-or-group-name name -privileges SeChangeNotifyPrivilege
  The command removes the SeChangeNotifyPrivilege privilege from the local or domain user or group that you specify with the value for the -user-or-group-name name parameter.
- Verify that the specified user or group has bypass traverse checking disabled:
  vserver cifs users-and-groups privilege show -vserver vserver_name -user-or-group-name name
The following command disallows users that belong to the “EXAMPLE\eng” group from bypassing directory traverse checking:
cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name    Privileges
--------- --------------------- -----------------------
vs1       EXAMPLE\eng           SeChangeNotifyPrivilege

cluster1::> vserver cifs users-and-groups privilege remove-privilege -vserver vs1 -user-or-group-name EXAMPLE\eng -privileges SeChangeNotifyPrivilege

cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name    Privileges
--------- --------------------- -----------------------
vs1       EXAMPLE\eng           -
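When many users and groups have to be checked, the verification step can be scripted against captured privilege show output. The following Python parser is an added example, not part of the original documentation: it reports which principals still hold SeChangeNotifyPrivilege. The sample text is constructed, and the continuation-line layout for a principal with several privileges and the function names parse_privileges and holders are assumptions.

```python
import re

TARGET = "SeChangeNotifyPrivilege"

# Constructed sample; the continuation-line layout for several privileges is an assumption.
SAMPLE = r"""
cluster1::> vserver cifs users-and-groups privilege show -vserver vs1
Vserver   User or Group Name        Privileges
--------- ------------------------- -----------------------
vs1       EXAMPLE\eng               -
vs1       BUILTIN\Backup Operators  SeBackupPrivilege
                                    SeChangeNotifyPrivilege
vs1       EXAMPLE\ops               SeChangeNotifyPrivilege
"""

def parse_privileges(output):
    """Return {(vserver, principal): [privileges]} from captured 'privilege show' text."""
    table, starts, current = {}, None, None
    for line in output.splitlines():
        if "::>" in line:                      # a CLI prompt ends any table in progress
            starts = current = None
        elif re.fullmatch(r"\s*-+(\s+-+){2}\s*", line):
            # Column offsets come from the dashed ruler, so names with spaces parse correctly.
            starts = [m.start() for m in re.finditer(r"-+", line)]
        elif starts and line.strip():
            vserver = line[starts[0]:starts[1]].strip()
            principal = line[starts[1]:starts[2]].strip()
            privilege = line[starts[2]:].strip()
            if vserver and principal:          # first row for a principal
                current = (vserver, principal)
                table.setdefault(current, [])
            if current and privilege and privilege != "-":
                table[current].append(privilege)
    return table

def holders(output, privilege=TARGET):
    """List the (vserver, principal) pairs that still hold the given privilege."""
    wanted = privilege.lower()
    return sorted(key for key, privs in parse_privileges(output).items()
                  if wanted in (p.lower() for p in privs))

if __name__ == "__main__":
    for vserver, principal in holders(SAMPLE):
        print(f"{vserver}: {principal} can still bypass traverse checking")
```

An empty result from holders means no listed principal retains the privilege, which matches the "-" shown for EXAMPLE\eng after removal.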
Allowing users or groups to bypass directory traverse checking