[Samba] wide links and privileges

L.P.H. van Belle belle at bazuin.nl
Thu Jan 7 08:56:04 UTC 2016


Yes, a bind mount is an option also. 

But in my case I have a script running which auto-creates symlinks to files/folders spread over multiple servers. 

And the symlinks are created in the user homedirs and general data folders. 

Which makes a bind mount much more resource-intensive. 

In my case I need about 180 bind mounts..   :-/  which remount to different files/folders every day. 

Greetz, 

Louis


From: David Bear [mailto:dwbear75 at gmail.com] 
Sent: Thursday 7 January 2016 5:33
To: L.P.H. van Belle
Cc: samba at lists.samba.org
Subject: Re: [Samba] wide links and privileges


I was just going through this and thought the security issues made for too many unknowns for directory traversal outside of what I want Samba sharing.

So have you considered a bind mount? If you have some file system mounted at

/mnt/somefilesystem

and in somefilesystem you have /somefolder/subfolder

you can do a mount --bind /mnt/somefilesystem/somefolder/subfolder /home/magicbind

and get all the benefits of having magicbind point to some other subfolder like a symlink, but without the security issues of a wide link traversal. 

I'm new to bind mounts so I don't know what security risks are associated with them, but they seem like a better alternative than allowing a wide link.


On Wed, Jan 6, 2016 at 4:03 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

I use the following on one of my member servers.

Set these three in the global section of your smb.conf:

enable privileges = Yes
unix extensions = No
allow insecure wide links = Yes


And on the share I have set:
   wide links = yes
   follow symlinks = yes

and this has been working for years for me.

Try these and report back.
If it's not working, tell us your OS and Samba version.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
> Sent: Wednesday 6 January 2016 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] wide links and privileges

>
> On 04/01/2016 09:11, L.P.H. van Belle wrote:
> > From :  man smb.conf
> >
> > Which explains itself.
> >
> >        enable privileges (G)
> > [..]
>
> Hi,
>
> Thank you for your answer, would you mind if I ask for some more help?
> I'm sorry I don't understand exactly why you told me to look at the
> `enable privileges` parameter in the man pages as an answer.
> I have already closely read the documentation and even had a glance at
> the samba's source code, and there is absolutely no mention of a
> possible conflict between the `enable privileges` parameter and the
> `wide links` parameter. Let me show you something in the samba's source
> code:
>
> The function which interests us here deals with the file names, there is
> an `if` statement:
>
> source3/smbd/filename.c:
> ```
>  * @param smbreq    SMB request if we're using privileges.
> [...]
>     if (!smbreq) {
>         status = check_name(conn, (*pp_smb_fname)->base_name);
>     } else {
>         status = check_name_with_privilege(conn, smbreq,
> (*pp_smb_fname)->base_name);
>     }
> ```
>
> which redirects us to the `check_name` or the
> `check_name_with_privilege` function,
> which themselves respectively redirect to the `check_reduced_name` and
> `check_reduced_name_with_privilege` functions:
>
> source3/smbd/vfs.c:
> ```
> NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
> [...]
>     /* Common widelinks and symlinks checks. */
>     if (!allow_widelinks || !allow_symlinks) {
> [...]
>         if (strncmp(conn_rootdir, resolved_name,
>                 rootdir_len) != 0) {
>             DEBUG(2, ("check_reduced_name: Bad access "
>                 "attempt: %s is a symlink outside the "
>                 "share path\n", fname));
>
> ```
> and
>
> ```
> NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
>             const char *fname,
>             struct smb_request *smbreq)
> [...]
>         if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
>             DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
>                 "attempt: %s is a symlink outside the "
>                 "share path\n",
>                 dir_name));
> ```
>
> We can see that in the first function there is a test on the
> `allow_widelinks` local variable, whereas this test doesn't exist in the
> second function.
> Which seems to mean that in the first case it works, whereas in the
> second case **it doesn't work**...
>
> Anyway, my question is: are you guys really positive on the fact that it
> is supposed to work fine if the `enable privileges` parameter is set to
> `yes`?
> Thank you in advance.
> Cheers,
>
> --
> Emmanuel Garette
> Free software engineer
>
> Cadoles (http://www.cadoles.com)
> Experts in EOLE, Gaspacho, free software
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



-- 

David Bear

mobile: (602) 903-6476
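The settings Louis quotes above (`unix extensions = No` and `allow insecure wide links = Yes` in [global], `wide links = yes` and `follow symlinks = yes` on the share) only work in combination: per man smb.conf, `wide links` is ignored while `unix extensions` is on unless `allow insecure wide links` is set, and `follow symlinks = no` switches symlink following off regardless of `wide links`. The shell function below is an added example, not Samba code and not posted by anyone in this thread. It reads an smb.conf on stdin and prints, per share, whether symlinks can leave the share path under that rule. The sample configurations in the demo functions are constructed for the example (share names and paths are invented); `enable privileges`, the parameter Emmanuel asks about, is parsed but plays no part in the verdict, and `testparm -s` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example, not Samba code: per-share verdict on whether symlink
# following can leave the share path, from the smb.conf given on stdin.
# Rule applied (man smb.conf): "wide links" is ignored while
# "unix extensions" is on unless "allow insecure wide links" is set, and
# "follow symlinks = no" disables symlink following altogether.
# Usage: wide_links_status < /etc/samba/smb.conf
wide_links_status() {
    awk '
    function trim(s)  { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function truth(v) { return (v == "yes" || v == "true" || v == "1") ? 1 : 0 }
    # Share value if set, else the [global] default, else "".
    function param(k, sh) {
        if ((sh, k) in conf)       return conf[sh, k]
        if (("global", k) in conf) return conf["global", k]
        return ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [section]
        sec = $0; sub(/^[ \t]*\[/, "", sec)
        sec = tolower(trim(substr(sec, 1, index(sec, "]") - 1)))
        order[++nsec] = sec; next
    }
    index($0, "=") {                               # key = value
        # Samba ignores case and internal whitespace in parameter names.
        k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
        v = tolower(trim(substr($0, index($0, "=") + 1)))
        conf[sec, k] = v; next
    }
    END {
        ue  = param("unixextensions", "global");         if (ue  == "") ue  = "yes"
        ins = param("allowinsecurewidelinks", "global"); if (ins == "") ins = "no"
        for (i = 1; i <= nsec; i++) {
            sh = order[i]; if (sh == "global") continue
            fs = param("followsymlinks", sh); if (fs == "") fs = "yes"
            wl = param("widelinks", sh);      if (wl == "") wl = "no"
            if (truth(fs) && truth(wl) && (!truth(ue) || truth(ins)))
                printf "%s: symlinks may leave the share path\n", sh
            else
                printf "%s: symlinks confined to the share path\n", sh
        }
    }'
}

# Constructed smb.conf for the demo (not from the thread): the three
# global settings from the thread, Louis's share block as [data], a
# [homes] share left at defaults, and an [archive] share that switches
# symlink following off.
demo_wide_links_status() {
    wide_links_status <<'EOF'
[global]
   workgroup = EXAMPLE
   enable privileges = Yes
   unix extensions = No
   allow insecure wide links = Yes

[data]
   path = /srv/data
   wide links = yes
   follow symlinks = yes

[homes]
   browseable = no

[archive]
   path = /srv/archive
   wide links = yes
   follow symlinks = no
EOF
}

# Same share block, but with "unix extensions" left at its default of yes
# and without "allow insecure wide links": "wide links = yes" is ignored.
demo_wide_links_status_unix_ext() {
    wide_links_status <<'EOF'
[global]
   workgroup = EXAMPLE

[data]
   path = /srv/data
   wide links = yes
   follow symlinks = yes
EOF
}
```

Run `wide_links_status < /etc/samba/smb.conf` on a live server to see which shares would actually honour a symlink leading outside their path; the second demo shows the silent case, where `wide links = yes` on a share changes nothing because `unix extensions` was never turned off.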

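David's bind-mount suggestion and Emmanuel's reading of `check_reduced_name()` meet at one question: which symlinks under a share actually resolve outside its root? The shell functions below are an added example, not Samba code and not written by anyone in this thread. They walk a share root, canonicalise every symlink with `readlink -f` (GNU coreutils is assumed) and flag the ones whose target lies outside the root, with a trailing-slash guard so that a sibling such as /srv/share2 is not mistaken for a child of /srv/share; a second function turns the flagged links into fstab bind entries of the kind David describes, printed rather than applied. The demo builds its own tree under `mktemp -d`; paths containing whitespace or newlines are out of scope for the example.

```shell
#!/bin/sh
# Added example, not Samba code: find symlinks below a share root that
# resolve outside it, the case Samba rejects when "wide links" is off.
# Assumes GNU coreutils (readlink -f); paths with whitespace are out of scope.
# Usage: audit_wide_links /srv/share

audit_wide_links() {
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link")
        if [ ! -e "$target" ]; then
            printf 'DANGLING %s\n' "$link"
            continue
        fi
        # A plain prefix test would accept /srv/share2 as inside /srv/share,
        # so the root must be followed by "/" (or be the whole path).
        case "$target" in
            "$root"|"$root"/*) printf 'OK %s -> %s\n' "$link" "$target" ;;
            *)                 printf 'WIDE %s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Print /etc/fstab bind entries for the WIDE links (a plan, nothing is
# mounted): replace each symlink by an empty directory or file and
# bind-mount the target there to get the same view without wide links.
wide_links_to_fstab() {
    audit_wide_links "$1" | awk '$1 == "WIDE" { printf "%s\t%s\tnone\tbind\t0\t0\n", $4, $2 }'
}

# Self-contained demo on a constructed tree; prints the number of WIDE
# links found.
demo_wide_link_audit() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/share/data" "$base/share2" "$base/private"
    echo secret > "$base/private/passwd"
    ln -s "$base/share/data"     "$base/share/inside"     # stays inside
    ln -s "$base/private/passwd" "$base/share/leak"       # leaves the share
    ln -s "$base/share2"         "$base/share/lookalike"  # prefix trap
    ln -s "$base/share/missing"  "$base/share/dangling"   # dangling
    audit_wide_links "$base/share" | grep -c '^WIDE '
    rm -rf "$base"
}
```

`audit_wide_links /srv/share` before enabling wide links lists exactly what a client would gain access to; `wide_links_to_fstab /srv/share` gives the bind-mount equivalent, which also makes Louis's objection concrete, since a tree with 180 escaping links needs 180 such entries, refreshed whenever the script rewrites them.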