[Samba] Wide links and insecure wide links

Jeremy Allison jra at samba.org
Wed Feb 28 18:19:58 UTC 2018

On Wed, Feb 28, 2018 at 01:39:09PM +0000, Stilez via samba wrote:
> I'd like to understand reasonably fully,, the difference between the two
> options "wide links" and "allow insecure wide links" in smb.conf. The docs
> make them sound very similar but as there are obvious security implications
> for anything to do with symlink scope, it's important to know what each of
> them allows/blocks and where they differ.

Setting "allow insecure wide links" to true allows
clients to create SMB1 UNIX extension symlinks on
the server filesystem that *THE SERVER WILL FOLLOW*.

You can see why this is a problem. The SMB2 UNIX
extensions will eliminate this possibility by
changing client-stored symlinks into a datastore
that the server will never follow. SMB2 UNIX extensions
are currently being coded up as a test branch (not
even experimental yet).

More information about the samba mailing list