Disabling of "wide links" violates "principle of least surprise"

Alain Knaff (Samba Lists) alain.knaff.samba at misc.lka.org.lu
Tue May 11 14:23:11 MDT 2010


On 10/05/10 19:22, Jeremy Allison wrote:
> On Mon, May 10, 2010 at 07:08:10PM +0200, Alain Knaff (Samba Lists) wrote:
>> On 09/05/10 19:13, Jeremy Allison wrote:
>>> On Sat, May 08, 2010 at 02:10:23PM +0200, Volker Lendecke wrote:
>>>>
>>>> Just to make sure I understand you right: You want Samba to
>>>> report and follow existing wide links but not allow setting
>>>> them at all from the client if wide links are enabled? This
>>>> might indeed be a compromise. Jeremy should comment here.
>>>
>>> Actually we already considered and rejected this option
>>> when we were discussing what to do.
>>
>> Could you post a URL to this discussion, so that I can view the reasons
>> brought forth?
> 
> You'll have to search on samba-technical, I don't have the
> url handy.

Maybe I'm missing something, but all I found was your discussion with
Michael Gilbert. Basically, it was just you in favor of the current
"solution", and Michael Gilbert (Cc'ed) in favor of mine (actually, a
more refined version, which would block only the creation of the
troublesome symlinks, rather than of all symlinks).

Hardly an overwhelming support of the current behavior.


Well, thinking a bit about the problem, maybe there can be another
compromise solution: only honor wide symlinks if the link itself
belongs to root. That way, users can't make their own to subvert
confinement into their share, but the administrator can make links if he
feels they are safe.


But then, at the point where we are now, most affected people have
probably already applied the workaround (setting "unix extensions =
no"). So finding a nice solution to this particular problem does indeed
become less and less important.

However, what stays important is to draw a lesson for the future: if
ever another similar clash between 2 other options is discovered,
it would be nice if some care could be taken at that time to minimize
the impact on existing configs in Samba's main use case (serving shares
to Windows clients).

But maybe I'm just jaded after the serial breakage occurring with the
Ubuntu 9.04 samba "updates", which made samba more or less useless as a
primary domain controller...


>> But this could happen anyways. One example is the read-only share case,
>> another one is a directory to which the user has no (Unix) write rights.
> 
> Yes, but in this case there are no surprises. In the read-only case,
> all writes/creates fail. In the no-write rights case a simple ls -l
> will show this. The user has a way to see and understand what is going
> on. Arbitrarily disabling symlink creation is utterly mystifying for
> the user. Something just "doesn't work", with no way to understand
> why.

Well, at first the disappearing "wide links" was quite mystifying as
well. Especially in our case, as the first visible manifestation of this
was that suddenly our Windows clients were ignoring startup scripts...

> 
>> Sorry to be so blunt, but I still get the impression that all this is
>> more about ego than about "To serve our users best".
> 
> What ego ? Whose ego would be served by this ? That makes

I don't know. To me it looks like you're awfully defensive about this
issue (not only here on the list, but also on the bug tracker), and
nobody else on this list seems to be. I don't know why, but that's the
impression I'm getting. Sorry if I was getting the wrong impression here...

> no sense, sorry. It was the best decision we could make
> to ensure default users are secure. Sorry you don't agree
> but you didn't turn up when the original problem occurred,

Do you know how many packages are in a typical Linux distro? Are you
really expecting people to monitor the boards and forums attached to all
these packages, just in case a "bad" decision is made? With that kind of
workload, nobody would have the time to use Linux...

> and most comments from people who did were in favour of
> the solution we decided.
> 
> If you want this changed, you'll have to get a majority
> of people to agree with you,

Well, now we're 2 (Michael and me) versus one (you), with most others
(apparently) not caring strongly either way. Unless I missed some
threads, but that's why I was asking for a pointer.

> including the security teams
> of the major distributions, who reviewed our decision before
> we made it.

Oddly enough, the distributions are blaming "upstream", i.e. you (the
samba developers)... As an outsider, it's sometimes hard to figure out
who is right in this game of ping pong...

> Do you normally find that insulting people works
> to get what you want ?

??? what is this doing in here?

> 
> Jeremy.

Regards,

Alain
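
The compromise proposed in the message above (honor a wide symlink only if the link itself belongs to root), sketched as an added example; this is not code from the message or from Samba. The names `may_follow`, `trusted_uid` and `demo` are hypothetical, and the fixture uses the current user's uid as a stand-in for root so it runs unprivileged.

```python
import os
import tempfile

def may_follow(share_root, rel_path, trusted_uid=0, max_links=32):
    """Walk rel_path below share_root; a step out of the share is allowed only
    via a symlink owned by trusted_uid. 'via' is that symlink (None = client)."""
    root = os.path.realpath(share_root)
    trusted = lambda link: os.lstat(link).st_uid == trusted_uid
    pending = [(p, None) for p in rel_path.split("/")]
    cur, links = root, 0
    while pending:
        part, via = pending.pop(0)
        if part in ("", "."):
            continue
        if part == "..":
            if cur == root:              # this step climbs out of the share
                return via is not None and trusted(via)
            cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, part)
        if not os.path.islink(nxt):
            cur = nxt                    # ordinary file or directory
            continue
        links += 1
        if links > max_links:
            return False                 # refuse symlink loops
        target = os.readlink(nxt)
        if os.path.isabs(target):
            target = os.path.normpath(target)
            if os.path.commonpath([root, target]) != root:
                return trusted(nxt)      # absolute link pointing outside
            target, cur = os.path.relpath(target, root), root
        pending = [(p, nxt) for p in target.split("/")] + pending
    return True

def demo():
    """Constructed fixture: one wide link, one link that stays inside."""
    share = os.path.join(os.path.realpath(tempfile.mkdtemp()), "share")
    os.makedirs(os.path.join(share, "docs"))
    os.mkdir(os.path.join(share, "..", "outside"))
    os.symlink("../../outside", os.path.join(share, "docs", "wide"))
    os.symlink("docs", os.path.join(share, "alias"))
    me = os.getuid()                     # stands in for root in this demo
    return {
        "owner_trusted": may_follow(share, "alias/wide/f", trusted_uid=me),
        "owner_untrusted": may_follow(share, "alias/wide/f", trusted_uid=me + 1),
        "internal_link": may_follow(share, "alias/f", trusted_uid=me + 1),
        "client_dotdot": may_follow(share, "../outside", trusted_uid=me),
    }
```

The ownership test is applied to the link that actually leaves the share, so a root-owned link that merely points at a user-replaceable link inside the share does not grant an escape. This is a check-then-use illustration; a file server would have to enforce the same rule at open time to avoid a race between the check and the access.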

