[Samba] Symlink outside the share path
Taylor, Jonn
jonnt at taylortelephone.com
Wed Aug 20 11:58:36 MDT 2014
"man smb.conf" for correct syntax
On 08/20/2014 12:27 PM, Kathy wrote:
> Hi John --
>
> It doesn't seem to like "wide links" or "wide symlinks".
>
> [2014/08/20 10:10:56, 0] param/loadparm.c:map_parameter(2794)
> Unknown parameter encountered: "wide symlinks"
>
> I have confirmed that on an old Samba server of mine on an old machine
> (Samba 3.0.5), I can do this just fine. But on any of the newer
> Redhat Linux distros I can't and none of these options are working.
> Has anyone running RHEL 5.X or 6.X gotten this to work to bypass the
> security on symlinks?
>
> Thanks --
>
> Kathy
>
>
> On Wed, Aug 20, 2014 at 9:54 AM, Taylor, Jonn
> <jonnt at taylortelephone.com <mailto:jonnt at taylortelephone.com>> wrote:
>
> Try this.
>
> follow symlinks = yes
> wide symlinks = yes
> unix extensions = no #if needed
>
>
> On 08/19/2014 09:39 PM, Kathy wrote:
> > Hi Achim --
> >
> > Boy, that sounds like what I need. Although I'm getting this
> when Samba
> > tries reloading smb.conf:
> >
> > [2014/08/19 19:31:30, 0] param/loadparm.c:map_parameter(2794)
> > Unknown parameter encountered: "allow insecure wide links"
> >
> > This is Samba Version 3.0.33-3.40.el5_10 through Redhat RPM.
> Makes me
> > think that isn't part of this distro.
> >
> > Kathy
> >
> >
> >
> >
> > On Tue, Aug 19, 2014 at 7:27 PM, Achim Gottinger
> <achim at ag-web.biz <mailto:achim at ag-web.biz>> wrote:
> >
> >> Am 20.08.2014 04:09, schrieb Kathy:
> >>
> >> Thanks for the reply, John. I already do have follow symlinks
> = yes set
> >>> in
> >>> my smb.conf file but it doesn't appear to be honoring it
> outside the
> >>> /datavol/asic filesystem.
> >>>
> >>> Kathy
> >>>
> >>>
> >>> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn
> <jonnt at taylortelephone.com <mailto:jonnt at taylortelephone.com>>
> >>> wrote:
> >>>
> >>> follow symlinks (S)
> >>>> This parameter allows the Samba administrator to
> stop smbd(8)
> >>>> from following symbolic links in a particular share. Setting this
> >>>> parameter to no
> >>>> prevents any file or directory that is a symbolic
> link from
> >>>> being followed (the user will get an error). This option is
> very useful
> >>>> to stop users
> >>>> from adding a symbolic link to /etc/passwd in
> their home
> >>>> directory for instance. However it will slow filename lookups
> down
> >>>> slightly.
> >>>>
> >>>> This option is enabled (i.e. smbd will follow
> symbolic
> >>>> links) by default.
> >>>>
> >>>> Default: follow symlinks = yes
> >>>>
> >>>> On 08/19/2014 07:18 PM, Kathy wrote:
> >>>>
> >>>>> Hello everyone --
> >>>>>
> >>>>> I am stumped on this issue, mostly because I'm not quite
> sure if it's
> >>>>> behaving correctly or not. I believe this used to work and
> right now
> >>>>> I'm
> >>>>> not quite sure why it's no longer doing so and how to fix it (if
> >>>>>
> >>>> possible).
> >>>>
> >>>>> I suspect it is because of my recent update of the OS and
> Samba
> >>>>> version.
> >>>>>
> >>>>> When users are trying to follow a symlink that goes to a
> different
> >>>>>
> >>>> mounted
> >>>>
> >>>>> filesystem on the same Samba server, they are getting:
> >>>>> * reduce_name: Bad access attempt: <path> is a symlink
> outside the
> >>>>> share
> >>>>> path*
> >>>>>
> >>>>>
> >>>>> I have a server that is both an NFS and a Samba server. It
> is running
> >>>>>
> >>>> RHEL
> >>>>
> >>>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently
> patched from
> >>>>> 5.2
> >>>>> to 5.10 and this also updated Samba to the current release.
> >>>>>
> >>>>> My smb.conf file has me exporting /datavol/asic.as
> <http://asic.as> \\myserver\asic.
> >>>>> This works just fine for all users on Windows for
> files/subdirs in that
> >>>>> /datavol/asic path.
> >>>>>
> >>>>> The problem comes when they try to get to files that are
> softlinked to
> >>>>> /globalscratch2 from /datavol/asic directories.
> >>>>>
> >>>>> I have tried this both with and without exporting
> /globalscratch2 via
> >>>>> Samba. Same results.
> >>>>>
> >>>>> Previously, I had not exported /globalscratch2.
> >>>>>
> >>>>> If someone had a simlink that was like this:
> >>>>>
> >>>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
> >>>>>
> >>>>> They would be able to get to it with this path no problem:
> >>>>> \\myserver\banshee\sim
> >>>>>
> >>>>> Any non-symbolic link subdirs are accessible just fine like this
> >>>>> \\myserver\banshee\localsubdir
> >>>>>
> >>>>> I have another scratch dir NFS mounted on myserver as
> /globalscratch. I
> >>>>>
> >>>> am
> >>>>
> >>>>> not exporting this via Samba from myserver because it
> doesn't own the
> >>>>> filesystem. I would understand the "symlink outside the
> share path"
> >>>>> with
> >>>>> an NFS mount on myserver, although from myserver's
> perspective it is a
> >>>>> local file system.
> >>>>>
> >>>>> I have always had the following in my smb.conf file:
> >>>>>
> >>>>> follow symlinks = yes
> >>>>>
> >>>>> I have tried adding:
> >>>>>
> >>>>> wide links = yes
> >>>>> AND
> >>>>> unix extensions = no
> >>>>>
> >>>>> to both the [global] section and to my share definition and
> nothing
> >>>>>
> >>>> works.
> >>>>
> >>>>> Is there a way to get this to work? IS it something that
> can work in
> >>>>>
> >>>> later
> >>>>
> >>>>> versions of Samba. I know it used to. Both my users and I
> remember it
> >>>>> working so I know I'm not completely crazy.
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Kathy
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and
> read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>> Hello Kathy,
> >> You can try this parameter
> >>
> >> allow insecure wide links (G)
> >>
> >> In normal operation the option wide links which
> allows the
> >> server to follow symlinks outside of a share path is
> automatically disabled
> >> when unix
> >> extensions are enabled on a Samba server. This is
> done for
> >> security purposes to prevent UNIX clients creating symlinks to
> areas of the
> >> server file
> >> system that the administrator does not wish to export.
> >>
> >> Setting allow insecure wide links to true disables
> the link
> >> between these two parameters, removing this protection and
> allowing a site
> >> to configure the
> >> server to follow symlinks (by setting wide links to
> "true")
> >> even when unix extensions is turned on.
> >>
> >> If is not recommended to enable this option unless
> you fully
> >> understand the implications of allowing the server to follow
> symbolic links
> >> created by UNIX
> >> clients. For most normal Samba configurations this
> would be
> >> considered a security hole and setting this parameter is not
> recommended.
> >>
> >> This option was added at the request of sites who had
> >> deliberately set Samba up in this way and needed to continue
> supporting
> >> this functionality without
> >> having to patch the Samba code.
> >>
> >> Default: allow insecure wide links = no
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list