[Samba] wide links and privileges

Emmanuel Garette egarette at cadoles.com
Wed Jan 6 10:09:13 UTC 2016


On 04/01/2016 09:11, L.P.H. van Belle wrote:
> From :  man smb.conf
>
> Which explains itself.
>
>        enable privileges (G)
> [..]

Hi,

Thank you for your answer, would you mind if I ask for some more help?
I'm sorry I don't understand exactly why you told me to look at the
`enable privileges` parameter in the man pages as an answer.
I have already closely read the documentation and even had a glance at
Samba's source code, and there is absolutely no mention of a
possible conflict between the `enable privileges` parameter and the
`wide links` parameter. Let me show you something in Samba's source
code:

The function which interests us here deals with the file names, there is
an `if` statement:

source3/smbd/filename.c:
```
 * @param smbreq    SMB request if we're using privileges.
[...]
    if (!smbreq) {
        status = check_name(conn, (*pp_smb_fname)->base_name);
    } else {
        status = check_name_with_privilege(conn, smbreq,
                (*pp_smb_fname)->base_name);
    }
```

which redirects us to the `check_name` or the
`check_name_with_privilege` function,
which themselves respectively redirect to the `check_reduced_name` and
`check_reduced_name_with_privilege` functions:

source3/smbd/vfs.c:
```
NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
[...]
    /* Common widelinks and symlinks checks. */
    if (!allow_widelinks || !allow_symlinks) {
[...]
        if (strncmp(conn_rootdir, resolved_name,
                rootdir_len) != 0) {
            DEBUG(2, ("check_reduced_name: Bad access "
                "attempt: %s is a symlink outside the "
                "share path\n", fname));

```
and

```
NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
            const char *fname,
            struct smb_request *smbreq)
[...]
        if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
            DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
                "attempt: %s is a symlink outside the "
                "share path\n",
                dir_name));
```

We can see that in the first function there is a test on the
`allow_widelinks` local variable, whereas this test doesn't exist in the
second function.
Which seems to mean that in the first case it works, whereas in the
second case **it doesn't work**...

Anyway, my question is: are you guys really positive on the fact that it
is supposed to work fine if the `enable privileges` parameter is set to
`yes`?
Thank you in advance.
Cheers,

-- 
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
EOLE, Gaspacho and free software experts
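
The difference pointed out in the message above, as an added example that is not part of the original post and is not Samba code: a simplified model of only the lines quoted from `source3/smbd/vfs.c`, in which one path gates the share-root containment test on the wide-links and symlinks settings and the other applies it unconditionally. The names `inside_root`, `model_check` and `model_check_with_privilege` are hypothetical, the code elided with `[...]` in the excerpts is not modelled, and the boundary check on the byte after the prefix is an addition not shown in the quoted lines.

```c
/* Added illustration, not Samba code. All names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `resolved` is `root` itself or lies beneath it. Both arguments
 * must already be canonical absolute paths (as realpath() would return).
 * Checking the byte after the prefix keeps /srv/share from matching
 * /srv/share2; this boundary test is an addition to the quoted lines. */
static bool inside_root(const char *root, const char *resolved)
{
    size_t n = strlen(root);
    if (strncmp(root, resolved, n) != 0)
        return false;
    if (n > 0 && root[n - 1] == '/')   /* root ends in '/', e.g. "/" */
        return true;
    return resolved[n] == '\0' || resolved[n] == '/';
}

/* Models the first excerpt: the containment test is reached only when
 * wide links or symlinks are disallowed. */
bool model_check(const char *root, const char *resolved,
                 bool allow_widelinks, bool allow_symlinks)
{
    if (!allow_widelinks || !allow_symlinks)
        return inside_root(root, resolved);
    return true;
}

/* Models the second excerpt: the containment test is unconditional. */
bool model_check_with_privilege(const char *root, const char *resolved)
{
    return inside_root(root, resolved);
}

int main(void)
{
    /* Constructed sample: a share root and a link target outside it. */
    const char *root = "/srv/share", *target = "/srv/other/data.txt";
    printf("first model, wide links and symlinks allowed: %s\n",
           model_check(root, target, true, true) ? "allowed" : "denied");
    printf("second model (with privilege):                %s\n",
           model_check_with_privilege(root, target) ? "allowed" : "denied");
    return 0;
}
```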
