[Samba] samba and symlinks

Mark Proehl m.proehl at science-computing.de
Mon Mar 22 11:31:19 GMT 2004 

Hello,

I am using samba in a heterogeneous UNIX/NT environment. Samba exports
file systems that contain many symlinks. My users want to access the
symlinked files from windows explorer, i.e. the symlinks need to be
followed by samba. For security reasons, symlinks pointing to
locations outside the share must not be followed.

According to the samba documentation I have to set these parameters in
smb.conf:

   follow symlinks = yes
   wide links = no

Accessing symlinks from windows explorer does not work on all kinds
of symlinks, because samba wrongly treats them as wide links.

Furthermore, it seems to be impossible to delete a directory with
windows explorer, if that directory is a symlink in the UNIX file
system. Samba tries to rmdir that symlink and fails.

I have created a test scenario, with a very simple smb.conf:

  [global]
     passdb backend = smbpasswd
     log level = 3
     log file = /var/samba/log.%m
     follow symlinks = yes
     wide links = no
  [test]
    path = /tmp/test
    readonly = no

The [test] share has the following contents:

  bash-2.05b$ ls -lR /tmp/test
  lrwxrwxrwx  1 mark mark 10 Mar 21 16:04 /tmp/test -> TEST/test/
  bash-2.05b$ ls -lR /tmp/TEST
  /tmp/TEST:
  drwxr-xr-x  4 mark mark 100 Mar 21 11:13 test
  
  /tmp/TEST/test:
  drwxr-xr-x  2 mark mark 40 Mar 21 11:13 directory
  -rw-r--r--  1 mark mark  0 Mar 21 11:13 file
  drwxr-xr-x  3 mark mark 60 Mar 21 11:13 subdir1
  
  /tmp/TEST/test/directory:
  
  /tmp/TEST/test/subdir1:
  drwxr-xr-x  2 mark mark 240 Mar 21 11:19 subdir2
  
  /tmp/TEST/test/subdir1/subdir2:
  lrwxrwxrwx  1 mark mark  5 Mar 21 16:04 badlinktoetc_1 -> /etc/
  lrwxrwxrwx  1 mark mark 40 Mar 21 16:04 badlinktoetc_2 -> ../../../../../../../../../../../../etc/
  lrwxrwxrwx  1 mark mark 11 Mar 21 16:04 badlinktopasswd_1 -> /etc/passwd
  lrwxrwxrwx  1 mark mark 46 Mar 21 16:04 badlinktopasswd_2 -> ../../../../../../../../../../../../etc/passwd
  lrwxrwxrwx  1 mark mark 16 Mar 21 16:04 goodlinktodirectory_1 -> ../../directory/
  lrwxrwxrwx  1 mark mark 20 Mar 21 16:04 goodlinktodirectory_2 -> /tmp/test/directory/
  lrwxrwxrwx  1 mark mark 25 Mar 21 16:04 goodlinktodirectory_3 -> /tmp/TEST/test/directory/
  lrwxrwxrwx  1 mark mark 10 Mar 21 16:04 goodlinktofile_1 -> ../../file
  lrwxrwxrwx  1 mark mark 14 Mar 21 16:04 goodlinktofile_2 -> /tmp/test/file
  lrwxrwxrwx  1 mark mark 19 Mar 21 16:04 goodlinktofile_3 -> /tmp/TEST/test/file
  
Note that the path /tmp/test itself is a symlink.
  
When I browse through that [test] share with windows explorer, I would
expect all bad* files to be denied, while all good* files should be
accessible.

Heres what really happens, when klicking to each file:

  badlinktoetc_1        denied
  badlinktoetc_2        denied
  badlinktopasswd_1     denied
  badlinktopasswd_2     denied
  goodlinktodirectory_1 denied
  goodlinktodirectory_2 denied
  goodlinktodirectory_3 allowed
  goodlinktofile_1      denied
  goodlinktofile_2      denied
  goodlinktofile_3      allowed

This was tested with samba-3.0.3pre1, the older versions behave
similiar (2.2.7, 2.2.8a, 3.0.2a).

I've made a small patch, which I think solves a part of the problem.
That patch is included here:
https://bugzilla.samba.org/show_bug.cgi?id=1188. After applying that
patch, symlinks to relative paths (like "goodlinktodirectory_1" in my
example) do work.

Mark Proehl

More information about the samba mailing list