[Samba] Symlink outside the share path

Kathy banshee135 at gmail.com
Tue Aug 19 20:39:43 MDT 2014


Hi Achim --

Boy, that sounds like what I need.  Although I'm getting this when Samba
tries reloading smb.conf:

[2014/08/19 19:31:30, 0] param/loadparm.c:map_parameter(2794)
  Unknown parameter encountered: "allow insecure wide links"

This is Samba Version 3.0.33-3.40.el5_10 through Redhat RPM.  Makes me
think that isn't part of this distro.

Kathy




On Tue, Aug 19, 2014 at 7:27 PM, Achim Gottinger <achim at ag-web.biz> wrote:

> Am 20.08.2014 04:09, schrieb Kathy:
>
>  Thanks for the reply, John.  I already do have follow symlinks = yes set
>> in
>> my smb.conf file but it doesn't appear to be honoring it outside the
>> /datavol/asic filesystem.
>>
>> Kathy
>>
>>
>> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com>
>> wrote:
>>
>>          follow symlinks (S)
>>>
>>>             This parameter allows the Samba administrator to stop smbd(8)
>>> from following symbolic links in a particular share. Setting this
>>> parameter to no
>>>             prevents any file or directory that is a symbolic link from
>>> being followed (the user will get an error). This option is very useful
>>> to stop users
>>>             from adding a symbolic link to /etc/passwd in their home
>>> directory for instance. However it will slow filename lookups down
>>> slightly.
>>>
>>>             This option is enabled (i.e.  smbd will follow symbolic
>>> links) by default.
>>>
>>>             Default: follow symlinks = yes
>>>
>>> On 08/19/2014 07:18 PM, Kathy wrote:
>>>
>>>> Hello everyone --
>>>>
>>>> I am stumped on this issue, mostly because I'm not quite sure if it's
>>>> behaving correctly or not.  I believe this used to work and right now
>>>> I'm
>>>> not quite sure why it's no longer doing so and how to fix it (if
>>>>
>>> possible).
>>>
>>>>   I suspect it is because of my recent update of the OS and Samba
>>>> version.
>>>>
>>>> When users are trying to follow a symlink that goes to a different
>>>>
>>> mounted
>>>
>>>> filesystem on the same Samba server, they are getting:
>>>> *  reduce_name: Bad access attempt: <path> is a symlink outside the
>>>> share
>>>> path*
>>>>
>>>>
>>>> I have a server that is both an NFS and a Samba server.  It is running
>>>>
>>> RHEL
>>>
>>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched from
>>>> 5.2
>>>> to 5.10 and this also updated Samba to the current release.
>>>>
>>>> My smb.conf file has me exporting /datavol/asic.as \\myserver\asic.
>>>> This works just fine for all users on Windows for files/subdirs in that
>>>> /datavol/asic path.
>>>>
>>>> The problem comes when they try to get to files that are softlinked to
>>>> /globalscratch2 from /datavol/asic directories.
>>>>
>>>> I have tried this both with and without exporting /globalscratch2 via
>>>> Samba.  Same results.
>>>>
>>>> Previously, I had not exported /globalscratch2.
>>>>
>>>> If someone had a simlink that was like this:
>>>>
>>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
>>>>
>>>> They would be able to get to it with this path no problem:
>>>> \\myserver\banshee\sim
>>>>
>>>> Any non-symbolic link subdirs are accessible just fine like this
>>>> \\myserver\banshee\localsubdir
>>>>
>>>> I have another scratch dir NFS mounted on myserver as /globalscratch.  I
>>>>
>>> am
>>>
>>>> not exporting this via Samba from myserver because it doesn't own the
>>>> filesystem.  I would understand the "symlink outside the share path"
>>>> with
>>>> an NFS mount on myserver, although from myserver's perspective it is a
>>>> local file system.
>>>>
>>>> I have always had the following in my smb.conf file:
>>>>
>>>> follow symlinks = yes
>>>>
>>>> I have tried adding:
>>>>
>>>> wide links = yes
>>>> AND
>>>> unix extensions = no
>>>>
>>>> to both the [global] section and to my share definition and nothing
>>>>
>>> works.
>>>
>>>> Is there a way to get this to work?  IS it something that can work in
>>>>
>>> later
>>>
>>>> versions of Samba.  I know it used to.  Both my users and I remember it
>>>> working so I know I'm not completely crazy.
>>>>
>>>> Thanks!
>>>>
>>>> Kathy
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>  Hello Kathy,
>
> You can try this parameter
>
>  allow insecure wide links (G)
>
>            In normal operation the option wide links which allows the
> server to follow symlinks outside of a share path is automatically disabled
> when unix
>            extensions are enabled on a Samba server. This is done for
> security purposes to prevent UNIX clients creating symlinks to areas of the
> server file
>            system that the administrator does not wish to export.
>
>            Setting allow insecure wide links to true disables the link
> between these two parameters, removing this protection and allowing a site
> to configure the
>            server to follow symlinks (by setting wide links to "true")
> even when unix extensions is turned on.
>
>            If is not recommended to enable this option unless you fully
> understand the implications of allowing the server to follow symbolic links
> created by UNIX
>            clients. For most normal Samba configurations this would be
> considered a security hole and setting this parameter is not recommended.
>
>            This option was added at the request of sites who had
> deliberately set Samba up in this way and needed to continue supporting
> this functionality without
>            having to patch the Samba code.
>
>            Default: allow insecure wide links = no
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list