widelinks && performance

Andrew Tridgell tridge at samba.org
Wed Apr 14 05:22:08 GMT 1999

The widelinks option is set by some sysadmins to prevent users
creating symlinks with the unix commandline which can get to locations
outside the share root. It is arguable whether this is really a useful
security option, but some sysadmins certainly think it is (which is
why we put it in a few years back). 

Samba currently implements this by cutting off the filename portion of
the filename and then doing a getwd/chdir/getwd to determine if any
part of the filename points outside the root. Because of some nasty
cases that are possible we end up doing 3 getwd and 3 chdir calls for
every filename reference.

In the recent Mindcraft survey the widelinks parameters was set to
off, which enabled this very exensive operation. That would have hurt
the performance results for Samba a lot.

I propose changing the widelinks code in one of two ways:

1) use the O_NOFOLLOW open() option (on OSes where it is available,
   such as Linux) when widelinks are disabled. If the open then fails
   with the errno given for following links we would do the expensive
   chdir/getwd stuff.

2) get rid of the widelinks option and instead have a per share
   "follow symlinks" boolean option. Would that be cleaner?

On OSes that don't have the O_NOFOLLOW option it will be hard to make
either option fast, unless someone else has a smart idea.

More information about the samba-technical mailing list