From: Jeremy Allison on 3 Mar 2010 13:50

On Wed, Mar 03, 2010 at 03:38:58PM +0100, Stefan Götz wrote:
> Hi!
>
> How can I let recent smbd versions let unix clients access and resolve 'wide'
> symlinks locally? My goal is that clients may use any kind of symlink (internal
> and external to a mounted share) like on any other unix-style file system
> without smbd interfering.
>
> My understanding is that since version 3.4.6, smbd effectively denies access of
> clients to 'wide' symlinks, i.e. out of the share, when unix extensions are on.
> That is at least the behavior I observe on my unix clients. However, the old
> wide link behavior is desirable in my environment.
>
> Setting the 'wide links' option to yes and/or the 'follow symlinks' to no on the
> server has no effect, neither globally nor on a per-share basis. Is there any
> other way to tell smbd to not meddle with symlinks?

Remove the check in lp_widelinks() (param/loadparm.c) and recompile.

We got bitten badly enough by this that I don't think
this should be a user settable parameter I'm afraid.

Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Brother Railgun of Reason on 3 Mar 2010 14:00

On Wed, Mar 03, 2010 at 10:49:40AM -0800, Jeremy Allison wrote:
> On Wed, Mar 03, 2010 at 03:38:58PM +0100, Stefan Götz wrote:
> > Hi!
> >
> > How can I let recent smbd versions let unix clients access and resolve 'wide'
> > symlinks locally? My goal is that clients may use any kind of symlink (internal
> > and external to a mounted share) like on any other unix-style file system
> > without smbd interfering.
> >
> > My understanding is that since version 3.4.6, smbd effectively denies access of
> > clients to 'wide' symlinks, i.e. out of the share, when unix extensions are on.
> > That is at least the behavior I observe on my unix clients. However, the old
> > wide link behavior is desirable in my environment.
> >
> > Setting the 'wide links' option to yes and/or the 'follow symlinks' to no on the
> > server has no effect, neither globally nor on a per-share basis. Is there any
> > other way to tell smbd to not meddle with symlinks?
>
> Remove the check in lp_widelinks() (param/loadparm.c) and recompile.
>
> We got bitten badly enough by this that I don't think
> this should be a user settable parameter I'm afraid.

This can be interpreted either of two ways. Do you mean that you think
users should not be able to *enable* following wide symlinks (which I
understand to mean symbolic links whose target is located outside the
share), or should not be able to *disable* it?

I'm not sure I can agree with either position.

--
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric(a)caerllewys.net   alaric(a)metrocast.net   phil(a)co.ordinate.org
  Renaissance Man, Unix ronin, Perl hacker, Free Stater
  It's not the years, it's the mileage.
From: Jeremy Allison on 3 Mar 2010 14:30

On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote:
> This can be interpreted either of two ways. Do you mean that you think
> users should not be able to *enable* following wide symlinks (which I
> understand to mean symbolic links whose target is located outside the
> share), or should not be able to *disable* it?

Users should not be able to enable following wide symlinks
if "unix extensions = yes" (which means that symlinks can
be dynamically created by clients).

That's the basis of the security problem.

If you want to allow both following wide symlinks
and arbitrary client creation of symlinks then
you need to change the code and recompile, as
the combination is inherently unsafe.

Jeremy.
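Added example (not part of the thread and not Samba's own code): a small Python audit that models the rule described above, reporting for each share whether a configured "wide links = yes" is actually honoured given the global "unix extensions" setting. The defaults used (unix extensions on, wide links off), the function names and the sample smb.conf are assumptions; include files and line continuations are not handled.

```python
TRUE_WORDS = {"yes", "true", "on", "1"}  # smb.conf spellings of a true boolean


def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for a simple smb.conf."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def audit_wide_links(text, default_wide_links=False):
    """Map each share to (configured wide links, effective wide links)."""
    conf = parse_smb_conf(text)
    glob = conf["global"]
    # 'unix extensions' is a global parameter; assumed default is yes
    unix_ext = glob.get("unixextensions", "yes").lower() in TRUE_WORDS
    report = {}
    for share, params in conf.items():
        if share == "global":
            continue
        raw = params.get("widelinks", glob.get("widelinks"))
        wanted = default_wide_links if raw is None else raw.lower() in TRUE_WORDS
        # Rule from the thread: wide links are not honoured while
        # unix extensions (client-created symlinks) are enabled.
        report[share] = (wanted, wanted and not unix_ext)
    return report


# Constructed sample configuration, not taken from the thread.
SAMPLE = """
[global]
    unix extensions = yes
    wide links = yes
[projects]
    path = /srv/projects
[scratch]
    path = /srv/scratch
    Wide Links = no
"""

if __name__ == "__main__":
    for share, (wanted, effective) in audit_wide_links(SAMPLE).items():
        print(f"{share}: configured={wanted} effective={effective}")
```

A share reported as configured=True, effective=False is one where the administrator asked for wide links but the server will still refuse symlinks that leave the share.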
From: Jeremy Allison on 3 Mar 2010 14:40

On Wed, Mar 03, 2010 at 02:29:47PM -0500, Brother Railgun of Reason wrote:
> On Wed, Mar 03, 2010 at 11:25:03AM -0800, Jeremy Allison wrote:
> > On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote:
> >
> > > This can be interpreted either of two ways. Do you mean that you think
> > > users should not be able to *enable* following wide symlinks (which I
> > > understand to mean symbolic links whose target is located outside the
> > > share), or should not be able to *disable* it?
> >
> > Users should not be able to enable following wide symlinks
> > if "unix extensions = yes" (which means that symlinks can
> > be dynamically created by clients).
> >
> > That's the basis of the security problem.
> >
> > If you want to allow both following wide symlinks
> > and arbitrary client creation of symlinks then
> > you need to change the code and recompile, as
> > the combination is inherently unsafe.
> >
> Ahhh. That makes sense. I didn't know there was a capability for
> Windows clients to be able to create Unix symlinks on a Samba share.

Windows clients can't create them using the Windows redirector,
but anyone can download a client library (a port of smbclient
to windows) that would allow users to do this.

Jeremy.
From: Brother Railgun of Reason on 3 Mar 2010 14:40

On Wed, Mar 03, 2010 at 11:25:03AM -0800, Jeremy Allison wrote:
> On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote:
>
> > This can be interpreted either of two ways. Do you mean that you think
> > users should not be able to *enable* following wide symlinks (which I
> > understand to mean symbolic links whose target is located outside the
> > share), or should not be able to *disable* it?
>
> Users should not be able to enable following wide symlinks
> if "unix extensions = yes" (which means that symlinks can
> be dynamically created by clients).
>
> That's the basis of the security problem.
>
> If you want to allow both following wide symlinks
> and arbitrary client creation of symlinks then
> you need to change the code and recompile, as
> the combination is inherently unsafe.

Ahhh. That makes sense. I didn't know there was a capability for
Windows clients to be able to create Unix symlinks on a Samba share.

--
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric(a)caerllewys.net   alaric(a)metrocast.net   phil(a)co.ordinate.org
  Renaissance Man, Unix ronin, Perl hacker, Free Stater
  It's not the years, it's the mileage.