[Samba] wide links and privileges

Reindl Harald h.reindl at thelounge.net
Thu Jan 7 10:29:08 UTC 2016 

Am 07.01.2016 um 09:56 schrieb L.P.H. van Belle:
> Yes, mount bind is an option also.
>
> But in my case i have script running which autocreated symlinks to file/folders spread over multiple servers.
>
> And the symlinks are created in the user homedir, and general data folders.
>
> Which makes a mount bind much more resource full.
>
> In my case i need about 180 mount binds..   :-/  which remounts to different files/folders very day.

there is not much difference in maintain 180 symlinks versus bind-mounts 
in a script - we have scripted 155 bind-mounts at boot to replace FTP 
with chrooted sftp on port 22 reused in the LAN with Samba

the main difference is just that you need to create the empty directory 
for the mountpoint if it does not exist and get rid of it when it's no 
longer used

> Van: David Bear [mailto:dwbear75 at gmail.com]
> Verzonden: donderdag 7 januari 2016 5:33
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] wide links and privileges
>
>
>
>
> I was just going through this and thought the security issues made for too many unknowns for directory traversal outside of what I want samba sharing.
>
>
>
>
> So have you consider a bind mount ? if you have some file system mounted at
>
>
> /mnt/somefilesystem
>
>
> and in somfilesystem you have /somefolder/subfolder
>
>
>
>
>
> you can do a mount --bind /mnt/somefilesystem/somefolder/subfolder /home/magicbind
>
>
>
>
>
> and get all the benefits of having magicbind point to some other subfolder like a symlink but without security issues of a wide link traversal.
>
>
>
>
>
> I'm new to bind mounts so I don't know what security risks are associated with them, but they seem like a better alternative than allowing a wide link.
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Jan 6, 2016 at 4:03 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Hai,
>
> I use the following on one of my member servers.
>
> Put set these three in your global smb.conf.
>
> enable privileges = Yes
> unix extensions = No
> allow insecure wide links = Yes
>
>
> And on the share i have set.
>     wide links = yes
>     follow symlinks = yes
>
> and this is working for years for me.
>
> Try these and report back.
> If its not working tell us you OS and samba version
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Emmanuel Garette
>> Verzonden: woensdag 6 januari 2016 11:09
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] wide links and privileges
>
>>
>> Le 04/01/2016 09:11, L.P.H. van Belle a écrit :
>>>  From :  man smb.conf
>>>
>>> Which explains it self.
>>>
>>>          enable privileges (G)
>>> [..]
>>
>> Hi,
>>
>> Thank you for your answer, would you mind if I ask for some more help ?
>> I'm sorry I don't understand exactly why you told me to look at the
>> `enable privileges` parameter in the man pages as an answer.
>> I have already  closely read the documentation and even had a glance at
>> the samba's source code, and there is absolutely no mention of a
>> possible conflict between the `enable privileges` parameter and the
>> `wide links` parameter. Let me show you something in the samba's source
>> code:
>>
>> The function which interests us here deals with the file names, there is
>> an `if` statement:
>>
>> source3/smbd/filename.c:
>> ```
>>    * @param smbreq    SMB request if we're using privileges.
>> [...]
>>       if (!smbreq) {
>>           status = check_name(conn, (*pp_smb_fname)->base_name);
>>       } else {
>>           status = check_name_with_privilege(conn, smbreq,
>> (*pp_smb_fname)->base_name);
>>       }
>> ```
>>
>> which redirects us to the `check_name` or the
>> `check_name_with_privilege` function.
>> which themselves respectively redirects to the `check_reduced_name` and
>> `check_reduced_name_with_privilege` functions:
>>
>> source3/smbd/vfs.c:
>> ```
>> NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
>> [...]
>>       /* Common widelinks and symlinks checks. */
>>       if (!allow_widelinks || !allow_symlinks) {
>> [...]
>>           if (strncmp(conn_rootdir, resolved_name,
>>                   rootdir_len) != 0) {
>>               DEBUG(2, ("check_reduced_name: Bad access "
>>                   "attempt: %s is a symlink outside the "
>>                   "share path\n", fname));
>>
>> ```
>> and
>>
>> ```
>> NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
>>               const char *fname,
>>               struct smb_request *smbreq)
>> [...]
>>           if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
>>               DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
>>                   "attempt: %s is a symlink outside the "
>>                   "share path\n",
>>                   dir_name));
>> ```
>>
>> We can see that in the first function there is a test on the
>> `allow_widelinks` local variable, whereas this test doesn't exist in the
>> second function.
>> Which seems to mean that in the first case it works, whereas in the
>> second case **it doesn't work**...
>>
>> Anyway, my question is: are you guys really positive on the fact that it
>> is supposed to work fine if the `enable privileges` parameter is set to
>> `yes`?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20160107/d85ccc98/signature.sig>

More information about the samba mailing list