[Samba] wide links and privileges
Emmanuel Garette
egarette at cadoles.com
Wed Jan 6 10:09:13 UTC 2016
Le 04/01/2016 09:11, L.P.H. van Belle a écrit :
> From : man smb.conf
>
> Which explains it self.
>
> enable privileges (G)
> [..]
Hi,
Thank you for your answer, would you mind if I ask for some more help ?
I'm sorry I don't understand exactly why you told me to look at the
`enable privileges` parameter in the man pages as an answer.
I have already closely read the documentation and even had a glance at
the samba's source code, and there is absolutely no mention of a
possible conflict between the `enable privileges` parameter and the
`wide links` parameter. Let me show you something in the samba's source
code:
The function which interests us here deals with the file names, there is
an `if` statement:
source3/smbd/filename.c:
```
* @param smbreq SMB request if we're using privileges.
[...]
if (!smbreq) {
status = check_name(conn, (*pp_smb_fname)->base_name);
} else {
status = check_name_with_privilege(conn, smbreq,
(*pp_smb_fname)->base_name);
}
```
which redirects us to the `check_name` or the
`check_name_with_privilege` function.
which themselves respectively redirects to the `check_reduced_name` and
`check_reduced_name_with_privilege` functions:
source3/smbd/vfs.c:
```
NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
[...]
/* Common widelinks and symlinks checks. */
if (!allow_widelinks || !allow_symlinks) {
[...]
if (strncmp(conn_rootdir, resolved_name,
rootdir_len) != 0) {
DEBUG(2, ("check_reduced_name: Bad access "
"attempt: %s is a symlink outside the "
"share path\n", fname));
```
and
```
NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
const char *fname,
struct smb_request *smbreq)
[...]
if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
"attempt: %s is a symlink outside the "
"share path\n",
dir_name));
```
We can see that in the first function there is a test on the
`allow_widelinks` local variable, whereas this test doesn't exist in the
second function.
Which seems to mean that in the first case it works, whereas in the
second case **it doesn't work**...
Anyway, my question is: are you guys really positive on the fact that it
is supposed to work fine if the `enable privileges` parameter is set to
`yes`?
Thank you in advance.
Cheers,
--
Emmanuel Garette
Ingénieur logiciels libres
Cadoles (http://www.cadoles.com)
Experts EOLE, Gaspacho, logiciels libres
More information about the samba
mailing list