[Samba] Symlink outside the share path

Kathy banshee135 at gmail.com
Wed Aug 20 11:27:29 MDT 2014


Hi John --

It doesn't seem to like "wide links" or "wide symlinks".

[2014/08/20 10:10:56, 0] param/loadparm.c:map_parameter(2794)
  Unknown parameter encountered: "wide symlinks"

I have confirmed that on an old Samba server of mine on an old machine
(Samba 3.0.5), I can do this just fine.  But on any of the newer Redhat
Linux distros I can't and none of these options are working.  Has anyone
running RHEL 5.X or 6.X gotten this to work to bypass the security on
symlinks?

Thanks --

Kathy


On Wed, Aug 20, 2014 at 9:54 AM, Taylor, Jonn <jonnt at taylortelephone.com>
wrote:

> Try this.
>
> follow symlinks = yes
> wide symlinks = yes
> unix extensions = no #if needed
>
>
> On 08/19/2014 09:39 PM, Kathy wrote:
> > Hi Achim --
> >
> > Boy, that sounds like what I need.  Although I'm getting this when Samba
> > tries reloading smb.conf:
> >
> > [2014/08/19 19:31:30, 0] param/loadparm.c:map_parameter(2794)
> >   Unknown parameter encountered: "allow insecure wide links"
> >
> > This is Samba Version 3.0.33-3.40.el5_10 through Redhat RPM.  Makes me
> > think that isn't part of this distro.
> >
> > Kathy
> >
> >
> >
> >
> > On Tue, Aug 19, 2014 at 7:27 PM, Achim Gottinger <achim at ag-web.biz> wrote:
> >
> >> On 20.08.2014 04:09, Kathy wrote:
> >>
> >>> Thanks for the reply, John.  I already do have follow symlinks = yes set in
> >>> my smb.conf file but it doesn't appear to be honoring it outside the
> >>> /datavol/asic filesystem.
> >>>
> >>> Kathy
> >>>
> >>>
> >>> On Tue, Aug 19, 2014 at 5:50 PM, Taylor, Jonn <jonnt at taylortelephone.com> wrote:
> >>>
> >>>> follow symlinks (S)
> >>>>     This parameter allows the Samba administrator to stop smbd(8)
> >>>>     from following symbolic links in a particular share. Setting this
> >>>>     parameter to no prevents any file or directory that is a symbolic link
> >>>>     from being followed (the user will get an error). This option is very
> >>>>     useful to stop users from adding a symbolic link to /etc/passwd in their
> >>>>     home directory for instance. However it will slow filename lookups down
> >>>>     slightly.
> >>>>
> >>>>     This option is enabled (i.e.  smbd will follow symbolic links) by
> >>>>     default.
> >>>>
> >>>>     Default: follow symlinks = yes
> >>>>
> >>>> On 08/19/2014 07:18 PM, Kathy wrote:
> >>>>
> >>>>> Hello everyone --
> >>>>>
> >>>>> I am stumped on this issue, mostly because I'm not quite sure if it's
> >>>>> behaving correctly or not.  I believe this used to work and right now
> >>>>> I'm not quite sure why it's no longer doing so and how to fix it (if
> >>>>> possible).  I suspect it is because of my recent update of the OS and
> >>>>> Samba version.
> >>>>>
> >>>>> When users are trying to follow a symlink that goes to a different
> >>>>> mounted filesystem on the same Samba server, they are getting:
> >>>>> *reduce_name: Bad access attempt: <path> is a symlink outside the share path*
> >>>>>
> >>>>>
> >>>>> I have a server that is both an NFS and a Samba server.  It is running
> >>>>> RHEL 5.10 and Samba 3.0.33 (native RHEL packages). I recently patched
> >>>>> from 5.2 to 5.10 and this also updated Samba to the current release.
> >>>>>
> >>>>> My smb.conf file has me exporting /datavol/asic as \\myserver\asic.
> >>>>> This works just fine for all users on Windows for files/subdirs in that
> >>>>> /datavol/asic path.
> >>>>>
> >>>>> The problem comes when they try to get to files that are softlinked to
> >>>>> /globalscratch2 from /datavol/asic directories.
> >>>>>
> >>>>> I have tried this both with and without exporting /globalscratch2 via
> >>>>> Samba.  Same results.
> >>>>>
> >>>>> Previously, I had not exported /globalscratch2.
> >>>>>
> >>>>> If someone had a symlink that was like this:
> >>>>>
> >>>>> /datavol/asic/banshee/sim --> /globalscratch2/banshee/sim
> >>>>>
> >>>>> They would be able to get to it with this path no problem:
> >>>>> \\myserver\banshee\sim
> >>>>>
> >>>>> Any non-symbolic link subdirs are accessible just fine like this
> >>>>> \\myserver\banshee\localsubdir
> >>>>>
> >>>>> I have another scratch dir NFS mounted on myserver as /globalscratch.  I
> >>>>> am not exporting this via Samba from myserver because it doesn't own the
> >>>>> filesystem.  I would understand the "symlink outside the share path"
> >>>>> with an NFS mount on myserver, although from myserver's perspective it
> >>>>> is a local file system.
> >>>>>
> >>>>> I have always had the following in my smb.conf file:
> >>>>>
> >>>>> follow symlinks = yes
> >>>>>
> >>>>> I have tried adding:
> >>>>>
> >>>>> wide links = yes
> >>>>> AND
> >>>>> unix extensions = no
> >>>>>
> >>>>> to both the [global] section and to my share definition and nothing
> >>>>> works.
> >>>>>
> >>>>> Is there a way to get this to work?  Is it something that can work in
> >>>>> later versions of Samba?  I know it used to.  Both my users and I
> >>>>> remember it working so I know I'm not completely crazy.
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Kathy
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >> Hello Kathy,
> >> You can try this parameter
> >>
> >> allow insecure wide links (G)
> >>
> >>     In normal operation the option wide links which allows the server to
> >>     follow symlinks outside of a share path is automatically disabled when
> >>     unix extensions are enabled on a Samba server. This is done for
> >>     security purposes to prevent UNIX clients creating symlinks to areas of
> >>     the server file system that the administrator does not wish to export.
> >>
> >>     Setting allow insecure wide links to true disables the link between
> >>     these two parameters, removing this protection and allowing a site to
> >>     configure the server to follow symlinks (by setting wide links to
> >>     "true") even when unix extensions is turned on.
> >>
> >>     It is not recommended to enable this option unless you fully understand
> >>     the implications of allowing the server to follow symbolic links
> >>     created by UNIX clients. For most normal Samba configurations this
> >>     would be considered a security hole and setting this parameter is not
> >>     recommended.
> >>
> >>     This option was added at the request of sites who had deliberately set
> >>     Samba up in this way and needed to continue supporting this
> >>     functionality without having to patch the Samba code.
> >>
> >>     Default: allow insecure wide links = no
> >>
> >>
> >>
>
>
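
An added example, not part of the original thread and not Samba's own code: a read-only audit that lists every symlink under a share root whose resolved target falls outside that root, which is the condition the "is a symlink outside the share path" log message reports and the set of paths that enabling wide links would expose to clients. The function names and the temporary demo tree (modelled on the /datavol/asic and /globalscratch2 paths mentioned in the thread) are constructed for illustration.

```python
import os
import tempfile


def find_wide_links(share_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    share_root whose fully resolved target lies outside share_root."""
    root = os.path.realpath(share_root)
    hits = []
    # followlinks=False: report links, never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative targets, ".." and chained links,
            # so a textual prefix match on the link target is not relied on.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                hits.append((path, target))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed sample layout: one link leaving the share, two staying in."""
    share = os.path.join(base, "datavol", "asic")
    scratch = os.path.join(base, "globalscratch2")
    os.makedirs(os.path.join(share, "banshee", "localsubdir"))
    os.makedirs(os.path.join(scratch, "banshee", "sim"))
    # Leaves the share: points at a different tree.
    os.symlink(os.path.join(scratch, "banshee", "sim"),
               os.path.join(share, "banshee", "sim"))
    # Stay inside the share, one of them via "..".
    os.symlink("localsubdir", os.path.join(share, "banshee", "latest"))
    os.symlink("../banshee/localsubdir",
               os.path.join(share, "banshee", "roundabout"))
    return share, scratch


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        share, _ = build_demo_tree(base)
        for link, target in find_wide_links(share):
            print(f"{link} -> {target} (outside share root)")
```

Run against a real share root, the output is the list of links to review before changing any symlink-related setting on that share.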

