[Samba] wide links and privileges
David Bear
dwbear75 at gmail.com
Thu Jan 7 04:33:03 UTC 2016
I was just going through this and thought the security issues made for too
many unknowns for directory traversal outside of what I want samba sharing.
So have you consider a bind mount ? if you have some file system mounted at
/mnt/somefilesystem
and in somfilesystem you have /somefolder/subfolder
you can do a mount --bind /mnt/somefilesystem/somefolder/subfolder
/home/magicbind
and get all the benefits of having magicbind point to some other subfolder
like a symlink but without security issues of a wide link traversal.
I'm new to bind mounts so I don't know what security risks are associated
with them, but they seem like a better alternative than allowing a wide
link.
On Wed, Jan 6, 2016 at 4:03 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai,
>
> I use the following on one of my member servers.
>
> Put set these three in your global smb.conf.
>
> enable privileges = Yes
> unix extensions = No
> allow insecure wide links = Yes
>
>
> And on the share i have set.
> wide links = yes
> follow symlinks = yes
>
> and this is working for years for me.
>
> Try these and report back.
> If its not working tell us you OS and samba version
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Emmanuel
> Garette
> > Verzonden: woensdag 6 januari 2016 11:09
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] wide links and privileges
> >
> > Le 04/01/2016 09:11, L.P.H. van Belle a écrit :
> > > From : man smb.conf
> > >
> > > Which explains it self.
> > >
> > > enable privileges (G)
> > > [..]
> >
> > Hi,
> >
> > Thank you for your answer, would you mind if I ask for some more help ?
> > I'm sorry I don't understand exactly why you told me to look at the
> > `enable privileges` parameter in the man pages as an answer.
> > I have already closely read the documentation and even had a glance at
> > the samba's source code, and there is absolutely no mention of a
> > possible conflict between the `enable privileges` parameter and the
> > `wide links` parameter. Let me show you something in the samba's source
> > code:
> >
> > The function which interests us here deals with the file names, there is
> > an `if` statement:
> >
> > source3/smbd/filename.c:
> > ```
> > * @param smbreq SMB request if we're using privileges.
> > [...]
> > if (!smbreq) {
> > status = check_name(conn, (*pp_smb_fname)->base_name);
> > } else {
> > status = check_name_with_privilege(conn, smbreq,
> > (*pp_smb_fname)->base_name);
> > }
> > ```
> >
> > which redirects us to the `check_name` or the
> > `check_name_with_privilege` function.
> > which themselves respectively redirects to the `check_reduced_name` and
> > `check_reduced_name_with_privilege` functions:
> >
> > source3/smbd/vfs.c:
> > ```
> > NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
> > [...]
> > /* Common widelinks and symlinks checks. */
> > if (!allow_widelinks || !allow_symlinks) {
> > [...]
> > if (strncmp(conn_rootdir, resolved_name,
> > rootdir_len) != 0) {
> > DEBUG(2, ("check_reduced_name: Bad access "
> > "attempt: %s is a symlink outside the "
> > "share path\n", fname));
> >
> > ```
> > and
> >
> > ```
> > NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
> > const char *fname,
> > struct smb_request *smbreq)
> > [...]
> > if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
> > DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
> > "attempt: %s is a symlink outside the "
> > "share path\n",
> > dir_name));
> > ```
> >
> > We can see that in the first function there is a test on the
> > `allow_widelinks` local variable, whereas this test doesn't exist in the
> > second function.
> > Which seems to mean that in the first case it works, whereas in the
> > second case **it doesn't work**...
> >
> > Anyway, my question is: are you guys really positive on the fact that it
> > is supposed to work fine if the `enable privileges` parameter is set to
> > `yes`?
> > Thank you in advance.
> > Cheers,
> >
> > --
> > Emmanuel Garette
> > Ingénieur logiciels libres
> >
> > Cadoles (http://www.cadoles.com)
> > Experts EOLE, Gaspacho, logiciels libres
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
David Bear
mobile: (602) 903-6476
More information about the samba
mailing list