Claimed Zero Day exploit in Samba.

Diego Julian Remolina diego.remolina at
Fri Feb 5 15:00:52 MST 2010

> so, i think the ideal solution is to allow "wide links", but to
> detect
> when a remote user is following a "wide link" into location that is
> not within a share that they have access to.  is this possible?

Here is what the folks at the College of Computing in our campus are doing, I am sharing their reply after I forwarded the original e-mail mentioning the exploit to our campus computer mailing list:

The CoC encountered this "feature" several months ago. Be advised that 'wide links = no' will cause symlinks that lead to automounted filesystems on other machines to fail, which may  be undesirable.

As an example:

In my home directory, I have a symlink called "www" that points to a web directory I own:

www -> /net/webhomes/<username>

The webhomes directory gets automounted from a second server. Setting 'wide links = no' will cause this symlink to fail.

We use the 'dont descend' option, and specify those directories that are not necessary for users to access:

dont descend = /Desktop,/Documents,/boot,/dev,/devices,/etc,/export,/hosts,/kernel,/lib,/lost+found,/mnt,/nsr,/opt,/proc,/root,/sbin,/system,/usr,/var,/vol,/xfn

And on and on. While this is a bit more cumbersome, it achieves our goals while still providing users the access they require.

Seems like a good security fix, which will still allow symbolic links outside of shares to work.


More information about the samba-technical mailing list