[Samba] Symlink outside the share path

Achim Gottinger achim at ag-web.biz
Tue Aug 19 20:27:22 MDT 2014


On 20.08.2014 04:09, Kathy wrote:
> Thanks for the reply, John.  I already do have follow symlinks = yes set in
> my smb.conf file but it doesn't appear to be honoring it outside the
> /datavol/asic filesystem.
>
> Kathy
>
>
> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com>
> wrote:
>
>>         follow symlinks (S)
>>
>>             This parameter allows the Samba administrator to stop smbd(8)
>>             from following symbolic links in a particular share. Setting
>>             this parameter to no prevents any file or directory that is a
>>             symbolic link from being followed (the user will get an error).
>>             This option is very useful to stop users from adding a symbolic
>>             link to /etc/passwd in their home directory for instance.
>>             However it will slow filename lookups down slightly.
>>
>>             This option is enabled (i.e. smbd will follow symbolic links)
>>             by default.
>>
>>             Default: follow symlinks = yes
>>
>> On 08/19/2014 07:18 PM, Kathy wrote:
>>> Hello everyone --
>>>
>>> I am stumped on this issue, mostly because I'm not quite sure if it's
>>> behaving correctly or not.  I believe this used to work and right now I'm
>>> not quite sure why it's no longer doing so and how to fix it (if possible).
>>> I suspect it is because of my recent update of the OS and Samba version.
>>>
>>> When users are trying to follow a symlink that goes to a different mounted
>>> filesystem on the same Samba server, they are getting:
>>> *reduce_name: Bad access attempt: <path> is a symlink outside the share path*
>>>
>>>
>>> I have a server that is both an NFS and a Samba server.  It is running RHEL
>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched from 5.2
>>> to 5.10 and this also updated Samba to the current release.
>>>
>>> My smb.conf file has me exporting /datavol/asic as \\myserver\asic.
>>> This works just fine for all users on Windows for files/subdirs in that
>>> /datavol/asic path.
>>>
>>> The problem comes when they try to get to files that are softlinked to
>>> /globalscratch2 from /datavol/asic directories.
>>>
>>> I have tried this both with and without exporting /globalscratch2 via
>>> Samba.  Same results.
>>>
>>> Previously, I had not exported /globalscratch2.
>>>
>>> If someone had a symlink that was like this:
>>>
>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
>>>
>>> They would be able to get to it with this path no problem:
>>> \\myserver\banshee\sim
>>>
>>> Any non-symbolic link subdirs are accessible just fine like this
>>> \\myserver\banshee\localsubdir
>>>
>>> I have another scratch dir NFS mounted on myserver as /globalscratch.  I am
>>> not exporting this via Samba from myserver because it doesn't own the
>>> filesystem.  I would understand the "symlink outside the share path" with
>>> an NFS mount on myserver, although from myserver's perspective it is a
>>> local file system.
>>>
>>> I have always had the following in my smb.conf file:
>>>
>>> follow symlinks = yes
>>>
>>> I have tried adding:
>>>
>>> wide links = yes
>>> AND
>>> unix extensions = no
>>>
>>> to both the [global] section and to my share definition and nothing works.
>>> Is there a way to get this to work?  Is it something that can work in later
>>> versions of Samba?  I know it used to.  Both my users and I remember it
>>> working so I know I'm not completely crazy.
>>>
>>> Thanks!
>>>
>>> Kathy
>>
Hello Kathy,

You can try this parameter

  allow insecure wide links (G)

            In normal operation the option wide links which allows the
            server to follow symlinks outside of a share path is
            automatically disabled when unix extensions are enabled on a
            Samba server. This is done for security purposes to prevent UNIX
            clients creating symlinks to areas of the server file system
            that the administrator does not wish to export.

            Setting allow insecure wide links to true disables the link
            between these two parameters, removing this protection and
            allowing a site to configure the server to follow symlinks (by
            setting wide links to "true") even when unix extensions is
            turned on.

            It is not recommended to enable this option unless you fully
            understand the implications of allowing the server to follow
            symbolic links created by UNIX clients. For most normal Samba
            configurations this would be considered a security hole and
            setting this parameter is not recommended.

            This option was added at the request of sites who had
            deliberately set Samba up in this way and needed to continue
            supporting this functionality without having to patch the Samba
            code.

            Default: allow insecure wide links = no
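
The parameter interaction quoted in this thread, as an added example that is not part of the original post and is not Samba code: it reads smb.conf text and reports, per share, whether symlinks pointing outside the share path would be followed, so a reviewer can see where the protection has been switched off. The function names are hypothetical, the defaults for wide links and unix extensions are assumptions not stated on the page, and include files and backslash continuation lines are not handled.

```python
DEFAULTS = {
    "follow symlinks": "yes",            # default quoted in the thread
    "allow insecure wide links": "no",   # default quoted in the thread
    "wide links": "no",                  # assumed default, not on the page
    "unix extensions": "yes",            # assumed default, not on the page
}
# Constructed sample configuration, using the share path from the thread.
SAMPLE = """
[global]
    unix extensions = yes
    wide links = yes
[asic]
    path = /datavol/asic
[scratch]
    follow symlinks = no
"""

def parse_smb_conf(text):
    # Returns {section: {parameter: value}} with lower-cased names.
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                     # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def wide_links_report(text):
    """Map each share to (follows links outside the share path, reason)."""
    conf = parse_smb_conf(text)
    glob = {**DEFAULTS, **conf.pop("global", {})}
    unix_ext = is_true(glob["unix extensions"])           # (G): global only
    insecure = is_true(glob["allow insecure wide links"])  # (G): global only
    report = {}
    for name, params in conf.items():
        share = {**glob, **params}       # share settings override globals
        if not is_true(share["follow symlinks"]):
            report[name] = (False, "follow symlinks = no")
        elif not is_true(share["wide links"]):
            report[name] = (False, "wide links = no")
        elif unix_ext and not insecure:
            report[name] = (False, "wide links disabled by unix extensions")
        else:
            why = "allow insecure wide links = yes" if unix_ext else "unix extensions = no"
            report[name] = (True, why)
    return report
```
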