[PATCH] s3: introduce new share parameter "open special files"

Dewayne dewayne.geraghty at heuristicsystems.com.au
Wed Jun 5 19:51:38 MDT 2013

> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org 
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of 
> Ralph Wuerthner
> Sent: Friday, 3 May 2013 9:16 PM
> To: samba-technical
> Subject: [PATCH] s3: introduce new share parameter "open 
> special files"
> Hi list,
> attached patch introduces a new share parameter "open special 
> files" to control whether special files such as sockets, 
> devices and fifo's will be opened by the server or not. If 
> set to "no" open requests to special files will fail with 
> "access denied". Default value for "open special files" is "no".
> Access to special files impose a security risk because it may 
> for example allow remote clients raw access to local hard 
> drives or kernel memory.
> Regards
> 	Ralph

To avoid an auditing issue, would it be possible to enable a compile switch that prevents both this and wide-links code from being
built into the compiled image?

I appreciate that "mount -o nodev" is a good solution, however we're moving the responsibility somewhat and a defence in depth
paradigm would encourage not relying on the sysadmin remembering that devices, serving samba fileshares, must be mounted with nodev.
(Staff changes, outsourcing and contract staff being a factor)

Unfortunately FreeBSD doesn't have nodev as a mount option. 

Regards, Dewayne.

More information about the samba-technical mailing list