Symlink restrictions

Nicolas Williams Nicolas.Williams at wdr.com
Tue Feb 9 16:26:15 GMT 1999


Currently the only ways to restrict the usage of symlinks through
Samba-exported shares is via the following configuration parameters:

 - follow symlinks
 - wide links
 - root directory

Here's a feature to add to the wishlist (if there is one):

Controlling access to files by restricting devices (filesystems)
accessible from within a share.

The configuration parameters I envision might look like:

 - no xdev (S)
	Meaning: Allow clients to access files outside the filesystem
	         which contains the share's path.
	Default: yes

 - xdev allow (S)
	Meaning: List of paths whose containing filesystems can be
	         accessed from within a given share. If empty, then all
		 filesystems not listed in 'xdev deny' are accessible.
		 Otherwise only filesystems listed here are accessible
		 and only if they are not listed in 'xdev deny'.
	Default: ""

 - xdev deny (S)
	Meaning: List of paths whose containing filesystems cannot be
	         accessed from within a given share. If empty, then
		 access to all filesystems is allowed (unless
		 'xdev allow' is empty, in which case access is allowed
		 only to those filesystems named therein).
	Default: ""

I'd always set 'xdev deny' to include "/" and other system or
otherwise not exported directories.

Smbd would obtain the device IDs of the named filesystems once on
startup, and perhaps expire those cache entries from time to time.

The rationale for this is as follows:

1) Some users work as a group on projects or otherwise share files, not
   only through a single group share but possibly through many group and
   home shares. Allowing "wide" symlinks would make life easier for some
   of these users (particularly the ones that use Unix and can maintain
   symlinks on their own :)

2) The chroot option ('root directory') is too hard to use and leaves
   some system files exposed to wide symlinks anyways.

3) Other Unix utilities and applications allow users to restrict
   their actions such that they do not cross filesystem boundaries, so
   there's some tradition here. I'm thinking, primarily, of find(1), of
   course.

Thanks for any consideration you give to any of my wishlist suggestions,

Nico
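An added example, not part of Nico's message and not Samba code: a C sketch of how the proposed 'no xdev' / 'xdev allow' / 'xdev deny' checks could be enforced with the device IDs that stat(2) reports in st_dev, resolved once at startup as the message describes and then compared against the filesystem a client-visible path really lives on after symlinks are followed. The structure and function names (xdev_policy, xdev_policy_init, xdev_device_allowed, xdev_path_allowed, xdev_demo), the fail-closed handling of paths that cannot be stat'ed, and the rule that the share's own filesystem stays reachable even when "/" is in 'xdev deny' are all assumptions made here, not anything the message specifies.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

#define XDEV_MAX 16

/* Hypothetical in-memory form of the proposed share parameters
 * (constructed for this example; not Samba's own structures). */
struct xdev_policy {
    int   no_xdev;             /* "no xdev": confine the share to its own filesystem */
    dev_t share_dev;           /* device ID of the filesystem holding the share's path */
    dev_t allow[XDEV_MAX];     /* "xdev allow": device IDs of the listed paths' filesystems */
    int   n_allow;
    dev_t deny[XDEV_MAX];      /* "xdev deny": device IDs of the listed paths' filesystems */
    int   n_deny;
};

static int dev_in(const dev_t *list, int n, dev_t d)
{
    for (int i = 0; i < n; i++)
        if (list[i] == d) return 1;
    return 0;
}

/* Resolve each configured path to the device ID of its filesystem: the
 * "obtain the device IDs of the named filesystems once on startup" step.
 * A path that cannot be stat'ed makes initialisation fail (fail closed). */
int xdev_policy_init(struct xdev_policy *p, const char *share_path, int no_xdev,
                     const char *const *allow_paths, int n_allow,
                     const char *const *deny_paths, int n_deny)
{
    struct stat st;
    memset(p, 0, sizeof *p);
    if (n_allow > XDEV_MAX || n_deny > XDEV_MAX) return -1;
    if (stat(share_path, &st) != 0) return -1;
    p->share_dev = st.st_dev;
    p->no_xdev = no_xdev;
    for (int i = 0; i < n_allow; i++) {
        if (stat(allow_paths[i], &st) != 0) return -1;
        p->allow[p->n_allow++] = st.st_dev;
    }
    for (int i = 0; i < n_deny; i++) {
        if (stat(deny_paths[i], &st) != 0) return -1;
        p->deny[p->n_deny++] = st.st_dev;
    }
    return 0;
}

/* Policy decision for a filesystem identified by device ID.  Assumption:
 * the share's own filesystem is always reachable, so denying "/" cannot
 * lock clients out of a share that itself lives on the root filesystem. */
int xdev_device_allowed(const struct xdev_policy *p, dev_t d)
{
    if (d == p->share_dev) return 1;
    if (p->no_xdev) return 0;                      /* nothing beyond the share's device */
    if (dev_in(p->deny, p->n_deny, d)) return 0;   /* deny always wins over allow */
    if (p->n_allow == 0) return 1;                 /* empty allow list: all not-denied devices */
    return dev_in(p->allow, p->n_allow, d);
}

/* Check a path the way a client reaches it: stat() follows symlinks, so the
 * decision is made on the filesystem the link target really lives on.
 * A dangling link or otherwise unstat'able path is refused (fail closed). */
int xdev_path_allowed(const struct xdev_policy *p, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return xdev_device_allowed(p, st.st_dev);
}

/* Self-contained demo on a constructed temp directory: a regular file inside
 * the share must be allowed, a dangling symlink must be refused.
 * Returns 0 on success, otherwise the number of the step that failed. */
int xdev_demo(void)
{
    char dir[] = "/tmp/xdev-demo-XXXXXX";
    char file[64], link[64];
    struct xdev_policy p;
    const char *deny[] = { "/" };          /* "/" denied, as the message suggests */
    int rc = 0, fd;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(file, sizeof file, "%s/data.txt", dir);
    snprintf(link, sizeof link, "%s/dangling", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0600)) < 0) rc = 2;
    else close(fd);
    if (rc == 0 && symlink("no-such-target", link) != 0) rc = 3;
    if (rc == 0 && xdev_policy_init(&p, dir, 0, NULL, 0, deny, 1) != 0) rc = 4;
    if (rc == 0 && xdev_path_allowed(&p, file) != 1) rc = 5;   /* same device as the share */
    if (rc == 0 && xdev_path_allowed(&p, link) != 0) rc = 6;   /* dangling link: refused */
    unlink(link); unlink(file); rmdir(dir);
    return rc;
}
```

The point of resolving device IDs rather than comparing path prefixes is that a symlink's target is judged by where it resolves, so a link into an unexported filesystem is caught regardless of how the link is spelled; the cost is that a device list computed at startup goes stale when filesystems are mounted or unmounted, which is why the message suggests expiring the cached entries.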

