[Samba] unix exts / wide links / symlinks

Brother Railgun of Reason alaric at caerllewys.net
Wed Mar 3 12:29:47 MST 2010

On Wed, Mar 03, 2010 at 11:25:03AM -0800, Jeremy Allison wrote:
> On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote:
> > This can be interpreted either of two ways.  Do you mean that you think 
> > users should not be able to *enable* following wide symlinks (which I 
> > understand to mean symbolic links whose target is located outside the 
> > share), or should not be able to *disable* it?
> Users should not be able to enable following wide symlinks
> if "unix extensions = yes" (which means that symlinks can
> be dynamically created by clients).
> That's the basis of the security problem.
> If you want to allow both following wide symlinks
> and arbitrary client creation of symlinks then
> you need to change the code and recompile, as
> the combination is inherently unsafe.

Ahhh.  That makes sense.  I didn't know there was a capability for 
Windows clients to be able to create Unix symlinks on a Samba share.

  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.

More information about the samba mailing list