proposed partial patch against 3.5.7...

Linda Walsh samba at tlinx.org
Fri Jun 10 22:16:57 MDT 2011



Assuming I can figure out the documentation and how to insert the
documentation (provided below)... (or, unless providing it thusly is
sufficient), how does the following look with regard to being allowed into
the base?  It re-enables the old style "insecure wide links"... (which I've
worked around with a local copy, but I recently upgraded to a new version and
had it bite me again, so I thought I'd try for a more formal 'fix', i.e. a
patch, that gives sufficient warning as to its impact (I believe)).


client managed wide links (G)

          This option can allow clients to manage the 'wide links'
          created on a server.  It enables this by permitting 'unix
          extensions' and 'wide links' to be true at the same time in the
          same config.  Management is only enabled if 'unix extensions' is
          also true, and 'wide links' only function when enabled on a
          per-share basis.

          This creates similar security issues as allowing the same userid
          to have a local account on the server (where they could then
          create/manage wide links).  As a local user, they can create
          symlinks in any directory they have access to that can point to
          any inode (file, dir, dev, etc.) on the server.

          If your users have local accounts on the server, this option
          should not cause any decrease in security, as links created
          through 'unix extensions' by a client are subject to normal file
          and share restrictions.  This does mean, though, that if a user is
          in the 'Domain Admins' group on the server, they can likely manage
          links on any writable share.

          Default: client managed wide links = no

---
patch:

--- source3/param/loadparm.c.orig	2011-02-27 09:42:19.000000000 -0800
+++ source3/param/loadparm.c	2011-06-09 16:53:19.192163402 -0700
@@ -334,6 +334,7 @@
	bool bHostMSDfs;
	bool bUseMmap;
	bool bHostnameLookups;
+	bool bClientManagedWidelinks;
	bool bUnixExtensions;
	bool bDisableNetbios;
	char * szDedicatedKeytabFile;
@@ -939,6 +940,15 @@
		.flags		= FLAG_ADVANCED
	},
	{
+		.label		= "client managed wide links",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.bClientManagedWidelinks,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED
+	},
+	{
		.label		= "unix charset",
		.type		= P_STRING,
		.p_class	= P_GLOBAL,
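Review bot: The man page text for this option exists only in the mail body, so the patch needs a docs-xml entry for 'client managed wide links' to go with this parameter table row; as submitted, the parser would accept the option with no generated documentation. Because the entry is P_GLOBAL while the 'wide links' it unlocks is per share, that documentation should also say plainly that one global switch lets 'wide links = yes' take effect on every share that sets it while 'unix extensions' is on, which is the combination the existing code refuses.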
@@ -5085,6 +5095,7 @@
#else
	Globals.bUseMmap = True;
#endif
+	Globals.bClientManagedWidelinks = False;
	Globals.bUnixExtensions = True;
	Globals.bResetOnZeroVC = False;
	Globals.bCreateKrb5Conf = true;
@@ -5535,6 +5546,7 @@
FN_GLOBAL_BOOL(lp_enhanced_browsing, &Globals.enhanced_browsing)
FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
+FN_GLOBAL_BOOL(lp_client_managed_widelinks, &Globals.bClientManagedWidelinks)
FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
@@ -9905,6 +9917,7 @@

void widelinks_warning(int snum)
{
+	if (lp_client_managed_widelinks()) return;
	if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
		DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
			"These parameters are incompatible. "
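Review bot: The early `return` at the top of widelinks_warning() silences the DEBUG(0) message entirely when the override is set, so an administrator who turned it on gets no log record that a share now follows client-creatable symlinks that can point anywhere on the server. Instead of returning silently, log at the same level that 'client managed wide links' is overriding the wide links/unix extensions incompatibility for share '%s', so the condition stays visible in smbd's log.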
@@ -9915,10 +9928,9 @@

bool lp_widelinks(int snum)
{
-	/* wide links is always incompatible with unix extensions */
-	if (lp_unix_extensions()) {
-		return false;
-	}

-	return lp_widelinks_internal(snum);
+	if (lp_client_managed_widelinks()
+		|| !lp_unix_extensions()) return lp_widelinks_internal(snum);
+
+	return false;
}
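Review bot: Dropping the comment "wide links is always incompatible with unix extensions" leaves the new condition unexplained, and the split condition with `return` on the continuation line plus the blank line left after the opening brace do not match the braced-if style of the surrounding code. Keep the original shape, fold the override into the existing test, and say why in a comment, e.g. `if (lp_unix_extensions() && !lp_client_managed_widelinks()) {` / `return false;` / `}`, followed by the unchanged `return lp_widelinks_internal(snum);`.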

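The containment rule that the documentation text above relaxes, as an added Python illustration that is not part of the post or of Samba's source: a throwaway share directory is built with one symlink that stays inside the share and one "wide" symlink pointing at a file outside it (the kind of link a client could create through unix extensions), and a hypothetical resolves_inside_share() check shows which of them a 'wide links = no' policy would follow and which a 'wide links = yes' share would serve. The function names, directory layout and sample files are constructed for the example.

```python
import tempfile
from pathlib import Path


def resolves_inside_share(share_root, rel_path):
    """Return True if rel_path, with every symlink followed, still lands under
    share_root. This is the containment test a 'wide links = no' share applies
    in spirit: a symlink may exist, but it is only followed when its target
    lies inside the share. (Illustrative check, not Samba's own code.)"""
    root = Path(share_root).resolve()
    target = (root / rel_path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def build_demo_share():
    """Construct a disposable share with one in-share symlink and one wide
    symlink, created the way a client with unix extensions could create it."""
    base = Path(tempfile.mkdtemp(prefix="widelinks-demo-"))
    outside = base / "outside-secret.txt"          # not under any share
    outside.write_text("not exported by any share\n")
    share = base / "share"
    share.mkdir()
    (share / "report.txt").write_text("exported\n")
    (share / "local-link").symlink_to(share / "report.txt")   # stays inside
    (share / "wide-link").symlink_to(outside)                 # escapes share
    return {"share": str(share), "outside": str(outside)}


def classify(share_root, names, wide_links):
    """Map each name to 'served' or 'refused' under the share's wide links
    setting: with wide links on every symlink is followed, with it off only
    those that resolve inside the share root are."""
    result = {}
    for name in names:
        if wide_links or resolves_inside_share(share_root, name):
            result[name] = "served"
        else:
            result[name] = "refused"
    return result


if __name__ == "__main__":
    demo = build_demo_share()
    names = ["report.txt", "local-link", "wide-link", "../outside-secret.txt"]
    for setting in (False, True):
        print("wide links =", "yes" if setting else "no",
              classify(demo["share"], names, setting))
```

The same escape also applies to a plain `../` path, which is why the check resolves the full path rather than inspecting the symlink target alone; the option proposed in the patch does not change this test, it only stops unix extensions from forcing lp_widelinks() to false.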

More information about the samba-technical mailing list