[Samba] Symlink outside the share path

Taylor, Jonn jonnt at taylortelephone.com
Wed Aug 20 10:54:15 MDT 2014


Try this.

follow symlinks = yes
wide symlinks = yes
unix extensions = no #if needed


On 08/19/2014 09:39 PM, Kathy wrote:
> Hi Achim --
>
> Boy, that sounds like what I need.  Although I'm getting this when Samba
> tries reloading smb.conf:
>
> [2014/08/19 19:31:30, 0] param/loadparm.c:map_parameter(2794)
>   Unknown parameter encountered: "allow insecure wide links"
>
> This is Samba Version 3.0.33-3.40.el5_10 through Redhat RPM.  Makes me
> think that isn't part of this distro.
>
> Kathy
>
>
>
>
> On Tue, Aug 19, 2014 at 7:27 PM, Achim Gottinger <achim at ag-web.biz> wrote:
>
>> Am 20.08.2014 04:09, schrieb Kathy:
>>
>>  Thanks for the reply, John.  I already do have follow symlinks = yes set
>>> in
>>> my smb.conf file but it doesn't appear to be honoring it outside the
>>> /datavol/asic filesystem.
>>>
>>> Kathy
>>>
>>>
>>> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com>
>>> wrote:
>>>
>>>          follow symlinks (S)
>>>>             This parameter allows the Samba administrator to stop smbd(8)
>>>> from following symbolic links in a particular share. Setting this
>>>> parameter to no
>>>>             prevents any file or directory that is a symbolic link from
>>>> being followed (the user will get an error). This option is very useful
>>>> to stop users
>>>>             from adding a symbolic link to /etc/passwd in their home
>>>> directory for instance. However it will slow filename lookups down
>>>> slightly.
>>>>
>>>>             This option is enabled (i.e.  smbd will follow symbolic
>>>> links) by default.
>>>>
>>>>             Default: follow symlinks = yes
>>>>
>>>> On 08/19/2014 07:18 PM, Kathy wrote:
>>>>
>>>>> Hello everyone --
>>>>>
>>>>> I am stumped on this issue, mostly because I'm not quite sure if it's
>>>>> behaving correctly or not.  I believe this used to work and right now
>>>>> I'm
>>>>> not quite sure why it's no longer doing so and how to fix it (if
>>>>>
>>>> possible).
>>>>
>>>>>   I suspect it is because of my recent update of the OS and Samba
>>>>> version.
>>>>>
>>>>> When users are trying to follow a symlink that goes to a different
>>>>>
>>>> mounted
>>>>
>>>>> filesystem on the same Samba server, they are getting:
>>>>> *  reduce_name: Bad access attempt: <path> is a symlink outside the
>>>>> share
>>>>> path*
>>>>>
>>>>>
>>>>> I have a server that is both an NFS and a Samba server.  It is running
>>>>>
>>>> RHEL
>>>>
>>>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched from
>>>>> 5.2
>>>>> to 5.10 and this also updated Samba to the current release.
>>>>>
>>>>> My smb.conf file has me exporting /datavol/asic.as \\myserver\asic.
>>>>> This works just fine for all users on Windows for files/subdirs in that
>>>>> /datavol/asic path.
>>>>>
>>>>> The problem comes when they try to get to files that are softlinked to
>>>>> /globalscratch2 from /datavol/asic directories.
>>>>>
>>>>> I have tried this both with and without exporting /globalscratch2 via
>>>>> Samba.  Same results.
>>>>>
>>>>> Previously, I had not exported /globalscratch2.
>>>>>
>>>>> If someone had a simlink that was like this:
>>>>>
>>>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
>>>>>
>>>>> They would be able to get to it with this path no problem:
>>>>> \\myserver\banshee\sim
>>>>>
>>>>> Any non-symbolic link subdirs are accessible just fine like this
>>>>> \\myserver\banshee\localsubdir
>>>>>
>>>>> I have another scratch dir NFS mounted on myserver as /globalscratch.  I
>>>>>
>>>> am
>>>>
>>>>> not exporting this via Samba from myserver because it doesn't own the
>>>>> filesystem.  I would understand the "symlink outside the share path"
>>>>> with
>>>>> an NFS mount on myserver, although from myserver's perspective it is a
>>>>> local file system.
>>>>>
>>>>> I have always had the following in my smb.conf file:
>>>>>
>>>>> follow symlinks = yes
>>>>>
>>>>> I have tried adding:
>>>>>
>>>>> wide links = yes
>>>>> AND
>>>>> unix extensions = no
>>>>>
>>>>> to both the [global] section and to my share definition and nothing
>>>>>
>>>> works.
>>>>
>>>>> Is there a way to get this to work?  IS it something that can work in
>>>>>
>>>> later
>>>>
>>>>> versions of Samba.  I know it used to.  Both my users and I remember it
>>>>> working so I know I'm not completely crazy.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Kathy
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>  Hello Kathy,
>> You can try this parameter
>>
>>  allow insecure wide links (G)
>>
>>            In normal operation the option wide links which allows the
>> server to follow symlinks outside of a share path is automatically disabled
>> when unix
>>            extensions are enabled on a Samba server. This is done for
>> security purposes to prevent UNIX clients creating symlinks to areas of the
>> server file
>>            system that the administrator does not wish to export.
>>
>>            Setting allow insecure wide links to true disables the link
>> between these two parameters, removing this protection and allowing a site
>> to configure the
>>            server to follow symlinks (by setting wide links to "true")
>> even when unix extensions is turned on.
>>
>>            If is not recommended to enable this option unless you fully
>> understand the implications of allowing the server to follow symbolic links
>> created by UNIX
>>            clients. For most normal Samba configurations this would be
>> considered a security hole and setting this parameter is not recommended.
>>
>>            This option was added at the request of sites who had
>> deliberately set Samba up in this way and needed to continue supporting
>> this functionality without
>>            having to patch the Samba code.
>>
>>            Default: allow insecure wide links = no
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>



More information about the samba mailing list