[Samba] wide links and privileges

Rowland penny rpenny at samba.org
Wed Jan 6 10:57:04 UTC 2016


On 06/01/16 10:09, Emmanuel Garette wrote:
> Le 04/01/2016 09:11, L.P.H. van Belle a écrit :
>>  From :  man smb.conf
>>
>> Which explains it self.
>>
>>         enable privileges (G)
>> [..]
> Hi,
>
> Thank you for your answer, would you mind if I ask for some more help ?
> I'm sorry I don't understand exactly why you told me to look at the
> `enable privileges` parameter in the man pages as an answer.
> I have already  closely read the documentation and even had a glance at
> the samba's source code, and there is absolutely no mention of a
> possible conflict between the `enable privileges` parameter and the
> `wide links` parameter. Let me show you something in the samba's source
> code:
>
> The function which interests us here deals with the file names, there is
> an `if` statement:
>
> source3/smbd/filename.c:
> ```
>   * @param smbreq    SMB request if we're using privileges.
> [...]
>      if (!smbreq) {
>          status = check_name(conn, (*pp_smb_fname)->base_name);
>      } else {
>          status = check_name_with_privilege(conn, smbreq,
> (*pp_smb_fname)->base_name);
>      }
> ```
>
> which redirects us to the `check_name` or the
> `check_name_with_privilege` function.
> which themselves respectively redirects to the `check_reduced_name` and
> `check_reduced_name_with_privilege` functions:
>
> source3/smbd/vfs.c:
> ```
> NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
> [...]
>      /* Common widelinks and symlinks checks. */
>      if (!allow_widelinks || !allow_symlinks) {
> [...]
>          if (strncmp(conn_rootdir, resolved_name,
>                  rootdir_len) != 0) {
>              DEBUG(2, ("check_reduced_name: Bad access "
>                  "attempt: %s is a symlink outside the "
>                  "share path\n", fname));
>
> ```
> and
>
> ```
> NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
>              const char *fname,
>              struct smb_request *smbreq)
> [...]
>          if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
>              DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
>                  "attempt: %s is a symlink outside the "
>                  "share path\n",
>                  dir_name));
> ```
>
> We can see that in the first function there is a test on the
> `allow_widelinks` local variable, whereas this test doesn't exist in the
> second function.
> Which seems to mean that in the first case it works, whereas in the
> second case **it doesn't work**...
>
> Anyway, my question is: are you guys really positive on the fact that it
> is supposed to work fine if the `enable privileges` parameter is set to
> `yes`?
> Thank you in advance.
> Cheers,
>

Go with what Louis suggested and also remove the 'unix extensions' line, 
this will then make samba use the default 'unix extensions = yes' and I 
am fairly sure your problem will go away, but you are opening a security 
hole.

Rowland




More information about the samba mailing list