about wide links and unix extensions
Diego Remolina
diego.remolina at physics.gatech.edu
Thu Feb 11 06:11:16 MST 2010
Is it too hard to come up with a consensus on what directories are
common to all OS's, which should be protected, and simply block those by
default with the option (shipped as the samba default to block these,
unless you redefine the variable in smb.conf):
dont descend = /boot,/dev,/devices,/etc,/hosts,/kernel,/lib,/lost+found,/mnt,/opt,/proc,/root,/sbin,/system,/usr,/var,/vol,/xfn
And still leave "wide links = yes" by default?
Diego
Volker Lendecke wrote:
> On Thu, Feb 11, 2010 at 12:45:08PM +0200, Adrian Buciuman wrote:
>> I suggest that a new option is added to samba, to allow both wide
>> links and unix extensions to coexist. Otherwise, you may break
>> existing, working setups for which there is no security concern in
>> having them both on.
>
> We will end up with another "0-day exploit" report if we do
> that, and I don't know if I am happy asking for such a
> thing...
>
> I do see your point, we also have other options that make
> your setup completely insecure like "admin users = @users"
> or so, but for this one we have been bitten publicly.
> That's a difficult choice to make unfortunately.
>
> Volker