[Samba] wide links and privileges

Thu Jan 7 04:33:03 UTC 2016

I was just going through this and thought the security issues made for too
many unknowns for directory traversal outside of what I want samba sharing.

So have you consider a bind mount ? if you have some file system mounted at
/mnt/somefilesystem

and in somfilesystem you have /somefolder/subfolder

you can do a mount --bind /mnt/somefilesystem/somefolder/subfolder
/home/magicbind

and get all the benefits of having magicbind point to some other subfolder
like a symlink but without security issues of a wide link traversal.

I'm new to bind mounts so I don't know what security risks are associated
with them, but they seem like a better alternative than allowing a wide
link.

On Wed, Jan 6, 2016 at 4:03 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai,
>
> I use the following on one of my member servers.
>
> Put set these three in your global smb.conf.
>
> enable privileges = Yes
> unix extensions = No
> allow insecure wide links = Yes
>
>
> And on the share i have set.
>    wide links = yes
>    follow symlinks = yes
>
> and this is working for years for me.
>
> Try these and report back.
> If its not working tell us you OS and samba version
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Emmanuel
> Garette
> > Verzonden: woensdag 6 januari 2016 11:09
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] wide links and privileges
> >
> > Le 04/01/2016 09:11, L.P.H. van Belle a écrit :
> > > From :  man smb.conf
> > >
> > > Which explains it self.
> > >
> > >        enable privileges (G)
> > > [..]
> >
> > Hi,
> >
> > Thank you for your answer, would you mind if I ask for some more help ?
> > I'm sorry I don't understand exactly why you told me to look at the
> > `enable privileges` parameter in the man pages as an answer.
> > I have already  closely read the documentation and even had a glance at
> > the samba's source code, and there is absolutely no mention of a
> > possible conflict between the `enable privileges` parameter and the
> > `wide links` parameter. Let me show you something in the samba's source
> > code:
> >
> > The function which interests us here deals with the file names, there is
> > an `if` statement:
> >
> > source3/smbd/filename.c:
> > ```
> >  * @param smbreq    SMB request if we're using privileges.
> > [...]
> >     if (!smbreq) {
> >         status = check_name(conn, (*pp_smb_fname)->base_name);
> >     } else {
> >         status = check_name_with_privilege(conn, smbreq,
> > (*pp_smb_fname)->base_name);
> >     }
> > ```
> >
> > which redirects us to the `check_name` or the
> > `check_name_with_privilege` function.
> > which themselves respectively redirects to the `check_reduced_name` and
> > `check_reduced_name_with_privilege` functions:
> >
> > source3/smbd/vfs.c:
> > ```
> > NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
> > [...]
> >     /* Common widelinks and symlinks checks. */
> >     if (!allow_widelinks || !allow_symlinks) {
> > [...]
> >         if (strncmp(conn_rootdir, resolved_name,
> >                 rootdir_len) != 0) {
> >             DEBUG(2, ("check_reduced_name: Bad access "
> >                 "attempt: %s is a symlink outside the "
> >                 "share path\n", fname));
> >
> > ```
> > and
> >
> > ```
> > NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
> >             const char *fname,
> >             struct smb_request *smbreq)
> > [...]
> >         if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
> >             DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
> >                 "attempt: %s is a symlink outside the "
> >                 "share path\n",
> >                 dir_name));
> > ```
> >
> > We can see that in the first function there is a test on the
> > `allow_widelinks` local variable, whereas this test doesn't exist in the
> > second function.
> > Which seems to mean that in the first case it works, whereas in the
> > second case **it doesn't work**...
> >
> > Anyway, my question is: are you guys really positive on the fact that it
> > is supposed to work fine if the `enable privileges` parameter is set to
> > `yes`?
> > Thank you in advance.
> > Cheers,
> >
> > --
> > Emmanuel Garette
> > Ingénieur logiciels libres
> >
> > Cadoles (http://www.cadoles.com)
> > Experts EOLE, Gaspacho, logiciels libres
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
David Bear
mobile: (602) 903-6476