Claimed Zero Day exploit in Samba.
Diego Julian Remolina
diego.remolina at physics.gatech.edu
Fri Feb 5 15:00:52 MST 2010
> So, I think the ideal solution is to allow "wide links", but to detect
> when a remote user is following a "wide link" into a location that is
> not within a share that they have access to. Is this possible?
Here is what the folks at the College of Computing on our campus are doing. I am sharing their reply, which came after I forwarded the original e-mail mentioning the exploit to our campus computer mailing list:
----------------------------------
The CoC encountered this "feature" several months ago. Be advised that 'wide links = no' will cause symlinks that lead to automounted filesystems on other machines to fail, which may be undesirable.
As an example:
In my home directory, I have a symlink called "www" that points to a web directory I own:
    www -> /net/webhomes/<username>
The webhomes directory gets automounted from a second server. Setting 'wide links = no' will cause this symlink to fail.
We use the 'dont descend' option, and specify those directories that are not necessary for users to access:
    dont descend = /Desktop,/Documents,/boot,/dev,/devices,/etc,/export,/hosts,/kernel,/lib,/lost+found,/mnt,/nsr,/opt,/proc,/root,/sbin,/system,/usr,/var,/vol,/xfn
And on and on. While this is a bit more cumbersome, it achieves our goals while still providing users the access they require.
----------------------------------
Seems like a good security fix, which will still allow symbolic links outside of shares to work.
Diego
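
An audit in the spirit of the question quoted at the top, added here as an example and not part of the original message or of Samba: it walks a share's directory on the server and lists symlinks that resolve outside the share, separating targets under an expected prefix (such as the /net/webhomes automount in the reply) from the rest. The function names, the allowed-prefix list and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

def is_within(path, root):
    """True if path equals root or lies beneath it (both already resolved)."""
    return os.path.commonpath([path, root]) == root

def audit_share(share_root, allowed_targets=()):
    """List symlinks under share_root whose resolved target leaves the share.

    Returns sorted (link relative to share, resolved target, verdict) tuples;
    verdict is 'allowed' if the target is under an allowed prefix, else 'review'.
    """
    root = os.path.realpath(share_root)
    allowed = [os.path.realpath(a) for a in allowed_targets]
    findings = []
    # followlinks=False: report directory symlinks without walking into them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves chained links as well
            if is_within(target, root):
                continue  # link stays inside the share
            ok = any(is_within(target, a) for a in allowed)
            findings.append((os.path.relpath(link, root), target,
                             "allowed" if ok else "review"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed tree standing in for a home share and its link targets.
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        share = os.path.join(tmp, "home", "user")
        web = os.path.join(tmp, "net", "webhomes", "user")
        etc = os.path.join(tmp, "etc")
        for d in (share, web, etc):
            os.makedirs(d)
        os.symlink(web, os.path.join(share, "www"))      # like the www link above
        os.symlink(etc, os.path.join(share, "sysconf"))  # leaves the share
        for row in audit_share(share, [os.path.join(tmp, "net", "webhomes")]):
            print(*row)
```

Run against a real share path, the 'review' rows are the links to check by hand before deciding between 'wide links = no' and a 'dont descend' list.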