Claimed Zero Day exploit in Samba.
simo
idra at samba.org
Fri Feb 5 14:18:59 MST 2010
On Fri, 2010-02-05 at 16:10 -0500, Michael Gilbert wrote:
> On Fri, 5 Feb 2010 12:46:06 -0800, Jeremy Allison wrote:
> > On Fri, Feb 05, 2010 at 03:48:37PM -0500, Michael Gilbert wrote:
> > >
> > > in your original description, you stated that "wide links = no" will
> > > generate an "access denied" error when a "wide link" is accessed;
> > > however, you didn't mention that creation of "wide links" is also
> > > prevented. if this is true, then that is a very satisfactory
> > > solution.
> >
> > No, it's actually incorrect. If "wide links = no", then no
> > one can ever access anything off share, and so UNIX symlinks
> > should be allowed to point to anywhere they like, as UNIX
> > clients will follow them locally, not on the server.
> >
> > > however, i think that the prevention code itself already
> > > solves the root of the issue, and enabling that by default would fully
> > > solve the problem.
> >
> > Nope - see above :-).
> >
> > > i can understand giving the local administrator this capability.
> > > however, i don't see the need for remote users to have such authority
> > > (although any enlightenment would be very much appreciated).
> >
> > Imagine an app running on a Linux client that needs a symlink
> > to /usr/local/lib inside it's filespace (don't know why, but
> > it might :-). If that app is run off a CIFSFS share creating
> > the /usr/local/lib symlink would fail with "wide links = no",
> > which is not what you want.
>
> that's a very good example. would it be wrong to dictate that local
> paths must be hardcoded, rather than symlinked
hardcoded to what ?
> (or manually symlinked by the samba server administrator)?
what would be advantage except making the life of a user harder when an
application that needs to create a symlink breaks ?
Remember that creating a symlink is not a problem, with wide links = no
it is not followed in any case.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba-technical
mailing list