[Samba] Symlink outside the share path
Kathy
banshee135 at gmail.com
Wed Aug 20 11:27:29 MDT 2014
Hi John --
It doesn't seem to like "wide links" or "wide symlinks".
[2014/08/20 10:10:56, 0] param/loadparm.c:map_parameter(2794)
Unknown parameter encountered: "wide symlinks"
I have confirmed that on an old Samba server of mine on an old machine
(Samba 3.0.5), I can do this just fine. But on any of the newer Redhat
Linux distros I can't and none of these options are working. Has anyone
running RHEL 5.X or 6.X gotten this to work to bypass the security on
symlinks?
Thanks --
Kathy
On Wed, Aug 20, 2014 at 9:54 AM, Taylor, Jonn <jonnt at taylortelephone.com>
wrote:
> Try this.
>
> follow symlinks = yes
> wide symlinks = yes
> unix extensions = no #if needed
>
>
> On 08/19/2014 09:39 PM, Kathy wrote:
> > Hi Achim --
> >
> > Boy, that sounds like what I need. Although I'm getting this when Samba
> > tries reloading smb.conf:
> >
> > [2014/08/19 19:31:30, 0] param/loadparm.c:map_parameter(2794)
> > Unknown parameter encountered: "allow insecure wide links"
> >
> > This is Samba Version 3.0.33-3.40.el5_10 through Redhat RPM. Makes me
> > think that isn't part of this distro.
> >
> > Kathy
> >
> >
> >
> >
> > On Tue, Aug 19, 2014 at 7:27 PM, Achim Gottinger <achim at ag-web.biz> wrote:
> >
> >> On 20.08.2014 04:09, Kathy wrote:
> >>
> >>> Thanks for the reply, John. I already do have follow symlinks = yes set in
> >>> my smb.conf file but it doesn't appear to be honoring it outside the
> >>> /datavol/asic filesystem.
> >>>
> >>> Kathy
> >>>
> >>>
> >>> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com> wrote:
> >>>
> >>>> follow symlinks (S)
> >>>> This parameter allows the Samba administrator to stop smbd(8)
> >>>> from following symbolic links in a particular share. Setting this
> >>>> parameter to no prevents any file or directory that is a symbolic link
> >>>> from being followed (the user will get an error). This option is very
> >>>> useful to stop users from adding a symbolic link to /etc/passwd in their
> >>>> home directory for instance. However it will slow filename lookups down
> >>>> slightly.
> >>>>
> >>>> This option is enabled (i.e. smbd will follow symbolic links) by default.
> >>>>
> >>>> Default: follow symlinks = yes
> >>>>
> >>>> On 08/19/2014 07:18 PM, Kathy wrote:
> >>>>
> >>>>> Hello everyone --
> >>>>>
> >>>>> I am stumped on this issue, mostly because I'm not quite sure if it's
> >>>>> behaving correctly or not. I believe this used to work and right now I'm
> >>>>> not quite sure why it's no longer doing so and how to fix it (if possible).
> >>>>> I suspect it is because of my recent update of the OS and Samba version.
> >>>>>
> >>>>> When users are trying to follow a symlink that goes to a different mounted
> >>>>> filesystem on the same Samba server, they are getting:
> >>>>> *reduce_name: Bad access attempt: <path> is a symlink outside the share path*
> >>>>>
> >>>>> I have a server that is both an NFS and a Samba server. It is running RHEL
> >>>>> 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched from 5.2
> >>>>> to 5.10 and this also updated Samba to the current release.
> >>>>>
> >>>>> My smb.conf file has me exporting /datavol/asic as \\myserver\asic.
> >>>>> This works just fine for all users on Windows for files/subdirs in that
> >>>>> /datavol/asic path.
> >>>>>
> >>>>> The problem comes when they try to get to files that are softlinked to
> >>>>> /globalscratch2 from /datavol/asic directories.
> >>>>>
> >>>>> I have tried this both with and without exporting /globalscratch2 via
> >>>>> Samba. Same results.
> >>>>>
> >>>>> Previously, I had not exported /globalscratch2.
> >>>>>
> >>>>> If someone had a symlink that was like this:
> >>>>>
> >>>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
> >>>>>
> >>>>> They would be able to get to it with this path no problem:
> >>>>> \\myserver\banshee\sim
> >>>>>
> >>>>> Any non-symbolic link subdirs are accessible just fine like this
> >>>>> \\myserver\banshee\localsubdir
> >>>>>
> >>>>> I have another scratch dir NFS mounted on myserver as /globalscratch. I am
> >>>>> not exporting this via Samba from myserver because it doesn't own the
> >>>>> filesystem. I would understand the "symlink outside the share path" with
> >>>>> an NFS mount on myserver, although from myserver's perspective it is a
> >>>>> local file system.
> >>>>>
> >>>>> I have always had the following in my smb.conf file:
> >>>>>
> >>>>> follow symlinks = yes
> >>>>>
> >>>>> I have tried adding:
> >>>>>
> >>>>> wide links = yes
> >>>>> AND
> >>>>> unix extensions = no
> >>>>>
> >>>>> to both the [global] section and to my share definition and nothing works.
> >>>>>
> >>>>> Is there a way to get this to work? Is it something that can work in later
> >>>>> versions of Samba? I know it used to. Both my users and I remember it
> >>>>> working so I know I'm not completely crazy.
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Kathy
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >> Hello Kathy,
> >> You can try this parameter
> >>
> >> allow insecure wide links (G)
> >>
> >> In normal operation the option wide links which allows the server to
> >> follow symlinks outside of a share path is automatically disabled when unix
> >> extensions are enabled on a Samba server. This is done for security
> >> purposes to prevent UNIX clients creating symlinks to areas of the server
> >> file system that the administrator does not wish to export.
> >>
> >> Setting allow insecure wide links to true disables the link between these
> >> two parameters, removing this protection and allowing a site to configure
> >> the server to follow symlinks (by setting wide links to "true") even when
> >> unix extensions is turned on.
> >>
> >> It is not recommended to enable this option unless you fully understand
> >> the implications of allowing the server to follow symbolic links created by
> >> UNIX clients. For most normal Samba configurations this would be considered
> >> a security hole and setting this parameter is not recommended.
> >>
> >> This option was added at the request of sites who had deliberately set
> >> Samba up in this way and needed to continue supporting this functionality
> >> without having to patch the Samba code.
> >>
> >> Default: allow insecure wide links = no
> >>
>
>
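An added example (not part of the original thread, and not Samba's code): a Python audit that lists the symlinks under a share root whose resolved target lies outside the share path, which is the condition behind the reduce_name message quoted above. The function names and the temporary sample tree are constructed for illustration; the tree mirrors the thread's /datavol/asic and /globalscratch2 layout.

```python
import os
import tempfile


def find_wide_links(share_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    share_root whose resolved target lies outside the share path."""
    root = os.path.realpath(share_root)
    wide = []
    # followlinks=False: report links without descending through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath compares whole path components, so a sibling such
            # as /datavol/asic2 is not mistaken for being inside /datavol/asic.
            if os.path.commonpath([root, target]) != root:
                wide.append((os.path.relpath(path, root), target))
    return sorted(wide)


def build_sample_tree(base):
    """Constructed layout modelled on the thread's paths, rooted in base."""
    share = os.path.join(base, "datavol", "asic")
    scratch = os.path.join(base, "globalscratch2", "banshee", "sim")
    os.makedirs(os.path.join(share, "banshee", "localsubdir"))
    os.makedirs(scratch)
    # Leaves the share: followed only when wide links is in effect.
    os.symlink(scratch, os.path.join(share, "banshee", "sim"))
    # Stays inside the share: follow symlinks = yes is enough.
    os.symlink(os.path.join(share, "banshee", "localsubdir"),
               os.path.join(share, "banshee", "local_alias"))
    return share


def demo():
    """Audit the constructed tree and return the share-relative links found."""
    with tempfile.TemporaryDirectory() as base:
        share = build_sample_tree(base)
        return [link for link, _ in find_wide_links(share)]


if __name__ == "__main__":
    print(demo())
```

Run against a real share root, the output is the set of paths that smbd refuses when wide links is off, and the set of locations outside the share that become reachable when it is on.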