[Samba] unix exts / wide links / symlinks
jra at samba.org
Wed Mar 3 12:31:02 MST 2010
On Wed, Mar 03, 2010 at 02:29:47PM -0500, Brother Railgun of Reason wrote:
> On Wed, Mar 03, 2010 at 11:25:03AM -0800, Jeremy Allison wrote:
> > On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote:
> > > This can be interpreted either of two ways. Do you mean that you think
> > > users should not be able to *enable* following wide symlinks (which I
> > > understand to mean symbolic links whose target is located outside the
> > > share), or should not be able to *disable* it?
> > Users should not be able to enable following wide symlinks
> > if "unix extensions = yes" (which means that symlinks can
> > be dynamically created by clients).
> > That's the basis of the security problem.
> > If you want to allow both following wide symlinks
> > and arbitrary client creation of symlinks then
> > you need to change the code and recompile, as
> > the combination is inherently unsafe.
> Ahhh. That makes sense. I didn't know there was a capability for
> Windows clients to be able to create Unix symlinks on a Samba share.
Windows clients can't create them using the Windows redirector, but
anyone can download a client library (a port of smbclient to Windows)
that would allow users to do this.
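
An added example, not part of the original message or of Samba's own code: a small audit script that reports the shares in an smb.conf where wide links would be followed while unix extensions is enabled, the combination described above as inherently unsafe. The defaults (unix extensions on, wide links off), the function names and the sample configuration are assumptions; `include` directives and backslash line continuations are not handled.

```python
TRUE_WORDS = {"yes", "true", "on", "1"}

# Constructed sample configuration, not taken from any real server.
SAMPLE = """
[global]
    workgroup = EXAMPLE
    unix extensions = yes
[projects]
    path = /srv/projects
    wide links = yes
[scratch]
    path = /srv/scratch
    Wide Links = No
[archive]
    ; no explicit setting: inherits the global value or the default
    path = /srv/archive
"""

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return "".join(name.split()).lower()

def parse(conf_text):
    """Parse smb.conf text into {section: {normalized parameter: value}}."""
    sections, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # only the first '=' is significant
            current[_norm(key)] = value.strip().lower()
    return sections

def _flag(params, name, default):
    raw = params.get(_norm(name))
    return default if raw is None else raw in TRUE_WORDS

def unsafe_shares(conf_text, unix_ext_default=True, wide_default=False):
    """Return shares that follow wide links while unix extensions is on."""
    sections = parse(conf_text)
    glob = sections.get("global", {})
    if not _flag(glob, "unix extensions", unix_ext_default):
        return []   # clients cannot create symlinks, so the combination is absent
    wide_global = _flag(glob, "wide links", wide_default)
    return sorted(name for name, params in sections.items()
                  if name != "global" and _flag(params, "wide links", wide_global))

if __name__ == "__main__":
    print(unsafe_shares(SAMPLE))
```
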