Nicolas.Williams at wdr.com
Tue Feb 9 16:26:15 GMT 1999
Currently the only ways to restrict the usage of symlinks through
Samba-exported shares is via the following configuration parameters:
- follow symlinks
- wide links
- root directory
Here's a feature to add to the wishlist (if there is one):
Controlling access to files by restricting devices (filesystems)
accessible from within a share.
The configuration parameters I envision might look like:
- no xdev (S)
Meaning: Allow clients to access files outside the filesystem
which contains the share's path.
- xdev allow (S)
Meaning: List of paths whose containing filesystems can be
accessed from within a given share. If empty, then all
filesystems not listed in 'xdev deny' are accessible.
Otherwise only filesystems listed here are accessible
and only if they are not listed in 'xdev deny'.
- xdev deny (S)
Meaning: List of paths whose containing filesystems cannot be
accessed from within a given share. If empty, then
access to all filesystems is allowed (unless
'xdev allow' is empty, in which case access is allowed
only to those filesystem named therein).
I'd always set 'xdev deny' to include "/" and other system or
otherwise not exported directories.
Smbd would obtain the device IDs of the named filesystems once on
startup, and, perhaps expire those cache entries, from time to time.
The rationale for this is as follows:
1) Some users work as a group on projects or otherwise share files, not
only through a single group share but possibly through many group and
home shares. Allowing "wide" symlinks would make life easier for some
of these users (particularly the ones that use Unix and can maintain
symlinks on their own :)
2) The chroot option ('root directory') is too hard to use and leaves
some system files exposed to wide symlinks anyways.
3) Other Unix utilities and applications use allow users to restrict
their actions such that they do not cross filesystem boundaries, so
there's some tradition here. I'm thinking,primarily, of find(1), of
Thanks for any consideration you give to any my wishlist suggestions,
More information about the samba-technical