[PATCH] s3: introduce new share parameter "open special files"
dewayne.geraghty at heuristicsystems.com.au
Wed Jun 5 19:51:38 MDT 2013
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of
> Ralph Wuerthner
> Sent: Friday, 3 May 2013 9:16 PM
> To: samba-technical
> Subject: [PATCH] s3: introduce new share parameter "open
> special files"
> Hi list,
> attached patch introduces a new share parameter "open special
> files" to control whether special files such as sockets,
> devices and fifos will be opened by the server or not. If
> set to "no" open requests to special files will fail with
> "access denied". Default value for "open special files" is "no".
> Access to special files imposes a security risk because it may
> for example allow remote clients raw access to local hard
> drives or kernel memory.

To avoid an auditing issue, would it be possible to enable a compile switch that prevents both this and wide-links code from being built into the compiled image?

I appreciate that "mount -o nodev" is a good solution, however we're moving the responsibility somewhat and a defence in depth paradigm would encourage not relying on the sysadmin remembering that devices, serving samba fileshares, must be mounted with nodev. (Staff changes, outsourcing and contract staff being a factor)

Unfortunately FreeBSD doesn't have nodev as a mount option.
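
The behaviour described in the quoted proposal (open requests to sockets, devices and FIFOs fail with "access denied" unless the option is enabled), sketched as an added example that is not part of this thread and not the attached patch or Samba's code. `open_no_special()`, `allow_special` and `IS_SPECIAL` are hypothetical names.

```c
/* Added illustration, not Samba source; names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define IS_SPECIAL(m) (!S_ISREG(m) && !S_ISDIR(m))

/* Returns a descriptor, or -1 with errno set (EACCES when refused). */
int open_no_special(const char *path, int flags, int allow_special)
{
    struct stat st;
    int fd, fl, saved;

    /* Pre-check so a refused device or FIFO is never opened at all;
     * stat() follows symlinks, so a link to a device is refused too. */
    if (!allow_special && stat(path, &st) == 0 && IS_SPECIAL(st.st_mode)) {
        errno = EACCES;
        return -1;
    }
    /* O_NONBLOCK: a FIFO without a peer must not stall the server.
     * O_NOCTTY: a tty must not become the controlling terminal. */
    fd = open(path, flags | O_NONBLOCK | O_NOCTTY);
    if (fd == -1)
        return -1;
    /* Re-check the descriptor: the path may have been swapped. */
    if (fstat(fd, &st) == -1) {
        saved = errno;
    } else if (!allow_special && IS_SPECIAL(st.st_mode)) {
        saved = EACCES;
    } else {
        fl = fcntl(fd, F_GETFL);   /* restore the caller's blocking mode */
        if (fl != -1 && !(flags & O_NONBLOCK))
            fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
        return fd;
    }
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_no_special(argv[i], O_RDONLY, 0);
        printf("%s: %s\n", argv[i], fd == -1 ? strerror(errno) : "opened");
        if (fd != -1) close(fd);
    }
    return 0;
}
```

Because the check is made on the file type itself, it holds regardless of whether the underlying filesystem was mounted with nodev.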