[Samba] widelinks_warning - but unix extensions *are* off

Thomas Werschlein thomas.werschlein at geo.uzh.ch
Thu Nov 5 13:48:55 UTC 2015


You tried to be helpful. I appreciate that, thank you.

Best, Thomas


> On 04.11.2015, at 17:52, L.P.H. van Belle <belle at bazuin.nl> wrote:
> 
> 
> Sure, but did you even try my advice.. ?? 
> 
> So again..  from smb.conf 
> 
> unix extensions (G)
> allow insecure wide links (G)
> wide links (S)
> follow symlinks (S)
> G = Global 
> S = Share
> 
> 
> So here you are lazy ... ( fill the dots..)  ;-) 
> Read below ....  from : man smb.conf 
> 
> In normal operation the option wide links which allows the server to follow symlinks outside of a share path is automatically disabled when unix extensions are enabled on a Samba server.
> 
> This is done for security purposes to prevent UNIX clients creating 
> symlinks to areas of the server file system that the administrator
> does not wish to export.
> 
> Setting allow insecure wide links to true disables the link between
> these two parameters, removing this protection and allowing a site
> to configure the server to follow symlinks (by setting wide links
> to "true") even when unix extensions is turned on.
> 
> It is not recommended to enable this option unless you fully
> understand the implications of allowing the server to follow
> symbolic links created by UNIX clients. For most normal Samba
> configurations this would be considered a security hole and setting
> this parameter is not recommended.
> 
> This option was added at the request of sites who had deliberately
> set Samba up in this way and needed to continue supporting this
> functionality without having to patch the Samba code.
> 
> Default: allow insecure wide links = no
> 
> unix extensions (G)
> This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features
> such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
> 
> Note if this parameter is turned on, the wide links parameter will automatically be disabled.
> See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.
> Default: unix extensions = yes
> 
> wide links (S)
> This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.
> 
> Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside the restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.
> 
> See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.
> Default: wide links = no
> 
> 
> follow symlinks (S)
> This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a
> symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance.
> However it will slow filename lookups down slightly.
> 
> This option is enabled (i.e.  smbd will follow symbolic links) by default.
> Default: follow symlinks = yes
> 
> So again.. 
> Your setup is incorrect, if you won't look/read.. 
> well, you're on your own then. 
> 
> 
> Greetz, 
> 
> Louis
> 
>> -----Original message-----
>> From: Thomas Werschlein [mailto:thomas.werschlein at geo.uzh.ch]
>> Sent: Wednesday, 4 November 2015 17:31
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] widelinks_warning - but unix extensions *are* off
>> 
>> This is getting nowhere ...
>> 
>> man smb.conf yourself: "All S parameters can also be specified in the
>> [global] section - in which case they will define the default behavior for
>> all services." If you have any special knowledge about why this should not
>> be applicable for "wide links", please elaborate.
>> 
>> Thomas
>> 
>>> On 04.11.2015, at 16:59, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>> 
>>> Again...
>>> 
>>> Global ONLY smb.conf options:
>>>   unix extensions = No
>>>   allow insecure wide links = Yes
>>> 
>>> Per share ONLY smb.conf options:
>>> ## and share options not used globally.
>>>      wide links = yes
>>>      follow symlinks = yes
>>> 
>>> unix extensions are enabled	=>> wide links are disabled automatically.
>>> Set : allow insecure wide links = Yes
>>> I don't see it in your smb.conf..
>>> 
>>> wide links = yes is in your GLOBAL smb.conf and not in the share..
>>> 
>>> Review your setup again, you have configuration errors!
>>> man smb.conf
>>> It's all there..
>>> 
>>> 
>>> Greetz,
>>> 
>>> Louis
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Thomas Werschlein
>>>> Sent: Wednesday, 4 November 2015 15:58
>>>> To: Rowland Penny
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] widelinks_warning - but unix extensions *are* off
>>>> 
>>>> 
>>>>> On 03.11.2015, at 11:50, Thomas Werschlein <thomas.werschlein at geo.uzh.ch> wrote:
>>>>> 
>>>>>> 
>>>>>> On 02.11.2015, at 20:25, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>>>>> 
>>>>>> On 02/11/15 17:08, Thomas Werschlein wrote:
>>>>>>>> On 02.11.2015, at 16:25, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Well he didn't write what I asked for, can you please post your
>>>>>>>> entire smb.conf, please do not use testparm, please post as is
>>>>>>>> (although you can sanitise any sensitive info)
>>>>>>> Sorry, missed that part. Here we go.
>>>>>>> Regards, Thomas
>>>>>>> 
>>>>>>> [global]
>>>>>>> available = yes
>>>>>>> smb2 leases = yes
>>>>>>> dbwrap_tdb_mutexes:* = yes
>>>>>>> 
>>>>>>> fruit:resource = xattr
>>>>>>> kerberos method = system keytab
>>>>>>> 
>>>>>>> smb ports = 445
>>>>>>> 
>>>>>>> log level = 0
>>>>>>> log file =/usr/local/samba-4.2.5/var/logs_per_client/log.%m
>>>>>>> 
>>>>>>> max open files = 262144
>>>>>>> 
>>>>>>> realm = D.SOME.ORG.TLD
>>>>>>> workgroup = D
>>>>>>> security = ADS
>>>>>>> disable netbios = yes
>>>>>>> local master = no
>>>>>>> domain master = no
>>>>>>> 
>>>>>>> host msdfs = no
>>>>>>> 
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 1000000-1999999
>>>>>>> idmap config D : backend  = nss
>>>>>>> idmap config D : range = 1000-999999
>>>>>>> idmap negative cache time = 0
>>>>>>> 
>>>>>>> netbios name = FSRV
>>>>>>> server signing = auto
>>>>>>> create mask = 0644
>>>>>>> server string =
>>>>>>> hide dot files = yes
>>>>>>> hide files = /Maildir/$RECYCLE.BIN/desktop.ini
>>>>>>> load printers = no
>>>>>>> printing = bsd
>>>>>>> printcap name = /dev/null
>>>>>>> deadtime = 15
>>>>>>> 
>>>>>>> interfaces = 192.168.222.77/32
>>>>>>> bind interfaces only = yes
>>>>>>> 
>>>>>>> unix extensions = no
>>>>>>> 
>>>>>>> map untrusted to domain = yes
>>>>>>> 
>>>>>>> username map script = /usr/local/samba-4.2.5/etc/samba/mapcomputers.sh
>>>>>>> 
>>>>>>> shadow:snapdir = .zfs/snapshot
>>>>>>> shadow:sort = desc
>>>>>>> shadow:localtime = yes
>>>>>>> shadow:format = %Y%m%d%H%M
>>>>>>> wide links = yes
>>>>>>> 
>>>>>>> vfs objects = full_audit
>>>>>>> full_audit:prefix = %u|%I|%m|%S
>>>>>>> full_audit:success = mkdir rename rmdir pwrite
>>>>>>> full_audit:failure = none
>>>>>>> full_audit:facility = LOCAL7
>>>>>>> full_audit:priority = NOTICE
>>>>>>> 
>>>>>>> aio read size = 1
>>>>>>> aio write size =1
>>>>>>> 
>>>>>>> [homes]
>>>>>>> path = /pool1/home/%S
>>>>>>> read only = no
>>>>>>> browseable = no
>>>>>>> create mask = 0640
>>>>>>> directory mask = 0750
>>>>>>> ea support = yes
>>>>>>> store dos attributes = yes
>>>>>>> 
>>>>>>> vfs objects = shadow_copy2 fruit streams_xattr zfsacl full_audit
>>>>>>> nt acl support = yes
>>>>>>> inherit acls = no
>>>>>>> 
>>>>>>> [group]
>>>>>>> read only = no
>>>>>>> path = /pool1/group
>>>>>>> hide unreadable = yes
>>>>>>> comment = Group spaces of %U
>>>>>>> create mask = 0660
>>>>>>> directory mask = 0770
>>>>>>> force create mode = 0660
>>>>>>> force directory mode = 0770
>>>>>>> ea support = yes
>>>>>>> store dos attributes = yes
>>>>>>> map archive = No
>>>>>>> map hidden = No
>>>>>>> map system = No
>>>>>>> map readonly = No
>>>>>>> vfs objects = fruit streams_xattr zfsacl
>>>>>>> acl map full control = False
>>>>>>> nt acl support = no
>>>>>>> inherit acls = no
>>>>>>> 
>>>>>>> [web]
>>>>>>> read only = no
>>>>>>> path = /pool1/web
>>>>>>> hide unreadable = yes
>>>>>>> comment = Web spaces
>>>>>>> create mask = 0664
>>>>>>> directory mask = 0775
>>>>>>> force create mode = 0664
>>>>>>> force directory mode = 0775
>>>>>>> ea support = yes
>>>>>>> store dos attributes = yes
>>>>>>> map archive = No
>>>>>>> map hidden = No
>>>>>>> map system = No
>>>>>>> map readonly = No
>>>>>>> vfs objects = zfsacl full_audit
>>>>>>> acl map full control = False
>>>>>>> nt acl support = no
>>>>>>> inherit acls = no
>>>>>>> 
>>>>>>> [data]
>>>>>>> path = /pool1/data
>>>>>>> hide unreadable = yes
>>>>>>> read only = no
>>>>>>> ea support = yes
>>>>>>> store dos attributes = yes
>>>>>>> map archive = No
>>>>>>> map hidden = No
>>>>>>> map system = No
>>>>>>> map readonly = No
>>>>>>> vfs objects = zfsacl full_audit
>>>>>>> acl map full control = False
>>>>>>> nt acl support = no
>>>>>>> inherit acls = no
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 'unix extensions' is supposed to be set as a global option and if
>>>>>> turned on, is supposed to automatically turn off 'wide links'. However
>>>>>> 'wide links' has been set to on, but globally rather than on a share by
>>>>>> share basis, this should turn off the warning message you are getting,
>>>>>> but isn't. Perhaps the reason is the way you have set 'wide links', try
>>>>>> using it on a share by share basis and see if it stops the messages. If
>>>>>> that doesn't work, you could try adding 'allow insecure wide links' to
>>>>>> the global section of your smb.conf
>>>>>> 
>>>>>> Rowland
>>>>> 
>>>>> Thanks for pointing out that 'wide links' is a per share option. We
>>>>> (mis-)used it as global option ever since samba 3.5.x, when the default
>>>>> for 'wide links' changed. Made it a share option now. I'll report back
>>>>> if it stopped the messages.
>>>>> 
>>>>> Best, Thomas
>>>> 
>>>> Still throwing the warning message. Now that 'wide link=yes' is not
>>>> defined as default for every share, it's clear that samba gets its
>>>> config messed up somehow:
>>>> 
>>>> [2015/11/04 13:51:51.777783,  0]
>>>> ../source3/param/loadparm.c:4306(widelinks_warning)
>>>> Share 'web' has wide links and unix extensions enabled. These
>>>> parameters are incompatible. Wide links will be disabled for this share.
>>>> 
>>>> The share 'web' does not have vfs_shadow_copy2 enabled, therefore no
>>>> need for 'wide links'. Still, the warning message pops up (and no, 'allow
>>>> insecure wide links' does not prevent it either). BTW: I just double
>>>> checked, defining 'wide link' in the global section is fine according
>>>> to the man page. No misuse there.
>>>> 
>>>> To me, it still looks like a nasty runtime problem, not a configuration
>>>> issue.
>>>> 
>>>> Regards, Thomas
>>>> 
