about wide links and unix extensions

Diego Remolina diego.remolina at physics.gatech.edu
Thu Feb 11 06:11:16 MST 2010

Is it too hard to come up with a consensus on what directories are 
common to all OS's, which should be protected, and simply block those by 
default with the option (shipped as the samba default to block these, 
unless you redefine the variable in smb.conf):

dont descend = 

And still leave "wide links = yes"  by default?


Volker Lendecke wrote:
> On Thu, Feb 11, 2010 at 12:45:08PM +0200, Adrian Buciuman wrote:
>> I suggest that a new option is added to samba, to allow both wide
>> links and unix extensions to coexist.  Otherwise, you may break
>> existing, working setups for which there is no security concern in
>> having them both on.
> We will end up with another "0-day exploit" report if we do
> that, and I don't know if I am happy asking for such a
> thing...
> I do see your point, we also have other options that make
> your setup completely insecure like "admin users = @users"
> or so, but for this one we have been bitten publically.
> That's a difficult choice to make unfortunately.
> Volker

More information about the samba-technical mailing list