[Samba] Symlink outside the share path
Achim Gottinger
achim at ag-web.biz
Tue Aug 19 20:27:22 MDT 2014
On 20.08.2014 04:09, Kathy wrote:
> Thanks for the reply, John. I already do have follow symlinks = yes set in
> my smb.conf file but it doesn't appear to be honoring it outside the
> /datavol/asic filesystem.
>
> Kathy
>
>
> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com>
> wrote:
>
>> follow symlinks (S)
>>
>> This parameter allows the Samba administrator to stop smbd(8) from
>> following symbolic links in a particular share. Setting this
>> parameter to no prevents any file or directory that is a symbolic
>> link from being followed (the user will get an error). This option
>> is very useful to stop users from adding a symbolic link to
>> /etc/passwd in their home directory for instance. However it will
>> slow filename lookups down slightly.
>>
>> This option is enabled (i.e. smbd will follow symbolic links) by
>> default.
>>
>> Default: follow symlinks = yes
>>
>> On 08/19/2014 07:18 PM, Kathy wrote:
>>> Hello everyone --
>>>
>>> I am stumped on this issue, mostly because I'm not quite sure if it's
>>> behaving correctly or not. I believe this used to work and right now I'm
>>> not quite sure why it's no longer doing so and how to fix it (if possible).
>>> I suspect it is because of my recent update of the OS and Samba version.
>>>
>>> When users are trying to follow a symlink that goes to a different mounted
>>> filesystem on the same Samba server, they are getting:
>>> *reduce_name: Bad access attempt: <path> is a symlink outside the share path*
>>>
>>>
>>> I have a server that is both an NFS and a Samba server. It is running RHEL
>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched from 5.2
>>> to 5.10 and this also updated Samba to the current release.
>>>
>>> My smb.conf file has me exporting /datavol/asic as \\myserver\asic.
>>> This works just fine for all users on Windows for files/subdirs in that
>>> /datavol/asic path.
>>>
>>> The problem comes when they try to get to files that are softlinked to
>>> /globalscratch2 from /datavol/asic directories.
>>>
>>> I have tried this both with and without exporting /globalscratch2 via
>>> Samba. Same results.
>>>
>>> Previously, I had not exported /globalscratch2.
>>>
>>> If someone had a symlink that was like this:
>>>
>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
>>>
>>> They would be able to get to it with this path no problem:
>>> \\myserver\banshee\sim
>>>
>>> Any non-symbolic link subdirs are accessible just fine like this
>>> \\myserver\banshee\localsubdir
>>>
>>> I have another scratch dir NFS mounted on myserver as /globalscratch. I am
>>> not exporting this via Samba from myserver because it doesn't own the
>>> filesystem. I would understand the "symlink outside the share path" with
>>> an NFS mount on myserver, although from myserver's perspective it is a
>>> local file system.
>>>
>>> I have always had the following in my smb.conf file:
>>>
>>> follow symlinks = yes
>>>
>>> I have tried adding:
>>>
>>> wide links = yes
>>> AND
>>> unix extensions = no
>>>
>>> to both the [global] section and to my share definition and nothing works.
>>> Is there a way to get this to work? Is it something that can work in later
>>> versions of Samba? I know it used to. Both my users and I remember it
>>> working so I know I'm not completely crazy.
>>>
>>> Thanks!
>>>
>>> Kathy
Hello Kathy,
You can try this parameter

allow insecure wide links (G)

In normal operation the option wide links which allows the server to
follow symlinks outside of a share path is automatically disabled when
unix extensions are enabled on a Samba server. This is done for security
purposes to prevent UNIX clients creating symlinks to areas of the server
file system that the administrator does not wish to export.

Setting allow insecure wide links to true disables the link between these
two parameters, removing this protection and allowing a site to configure
the server to follow symlinks (by setting wide links to "true") even when
unix extensions is turned on.

It is not recommended to enable this option unless you fully understand
the implications of allowing the server to follow symbolic links created
by UNIX clients. For most normal Samba configurations this would be
considered a security hole and setting this parameter is not recommended.

This option was added at the request of sites who had deliberately set
Samba up in this way and needed to continue supporting this functionality
without having to patch the Samba code.

Default: allow insecure wide links = no