[Samba] Allow insecure wide links = yes, wide links =yes; but I still can't "see" files from links to NFS mounts using 3.6.15, after upgrading from 2.2.8a

Linda W samba at tlinx.org
Wed Dec 11 20:58:26 MST 2013


On 12/11/2013 4:50 PM, Jordan Verschuer wrote:
> Hi David,
>
> however like I say, the files then become "hidden", and this is for 
> both PC and Mac. I can see all the files and newly added/copied files 
> from the samba server.
> ----
Have you tried explicitly exporting the NFS mounts as SMB shares?

Can you access the NFS files then?  I.e. let's get the "wide links" out of
the picture -- and verify that accessing those NFS files works from a
regular SMB share.

So far, I haven't seen anything that indicates re-sharing NFS mounts via
SMB works on your newer system (I know it did in the older setup).   Are
the NFS mount options the same?

Same version of NFS?

> On Wed, Dec 11, 2013 at 10:11 PM, David Keegel <djk at cyber.com.au> wrote:
>
>     Michael, note the second paragraph quoted from man smb.conf :-
>
>            allow insecure wide links (G)
>
>                It is not recommended to enable this option unless you fully
>                understand the implications of allowing the server to follow
>                symbolic links created by UNIX clients. For most normal Samba
>                configurations this would be considered a security hole and
>                setting this parameter is not recommended.
>
>     Jordan, please note the third paragraph. I hope you trust all users who
>     can use unix extensions and could access shares that have wide
>     links = yes.
>
------
David, can you explain what protection disallowing wide links provides?
Specifically, if your users access their files via samba, and also have
their home directories on the server where they are able to log in, then
they can create symlinks in any location they are permitted to by standard
file permissions.

If they are operating on the same file via unix extensions, and it disallows
them creating symlinks, how does that benefit anything?  They can create
the symlinks when they are logged into their unix accounts.  It seems
that disabling the creation of symlinks "remotely", gives some illusion of
security, but they wouldn't be able to create any symlinks unless they also
had permission to write in such a directory.  If they had such a permission,
how does being able to create symlinks remotely give them some
security advantage over being able to create the same symlinks while
logged in to the file server?
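
An audit related to the wide-links discussion above, added as an example and not part of the original message: it walks a share directory and lists every symlink whose resolved target lies outside the share, i.e. the links Samba would refuse to follow with wide links = no. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile

def find_wide_links(share_root):
    """List symlinks under share_root whose resolved target is outside it."""
    root = os.path.realpath(share_root)
    wide = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames but are not descended.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # A target that does not share the root as its common prefix
            # has left the exported tree.
            if os.path.commonpath([root, target]) != root:
                wide.append((os.path.relpath(path, root), target))
    return sorted(wide)

def demo():
    """Constructed tree: one link that stays in the share, one that leaves it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        nfsdata = os.path.join(tmp, "outside", "nfsdata")  # stands in for an NFS mount
        os.makedirs(os.path.join(share, "docs"))
        os.makedirs(nfsdata)
        os.symlink("docs", os.path.join(share, "inside"))             # stays in share
        os.symlink("../outside/nfsdata", os.path.join(share, "nfs"))  # wide link
        return find_wide_links(share)

if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

Run against a real share path, the output shows which links depend on wide links being enabled and where each one actually lands.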



