[Samba] symlinks loop detection in Samba?
Nico Kadel-Garcia
nkadel at gmail.com
Wed Jan 20 00:26:49 UTC 2021
On Tue, Jan 19, 2021 at 12:49 PM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 19/01/2021 17:37, Jeremy Allison via samba wrote:
> > On Tue, Jan 19, 2021 at 04:05:47PM +0100, Giuseppe Lo Presti via samba
> > wrote:
> >>
> >> Thanks a lot Ralph,
> >>
> >> To be honest I did not wait for the 40 resolutions to be exceeded, as
> >> currently [*] implemented by the kernel, and thought that some loop
> >> detection would get triggered earlier (similarly to how e.g. `find
> >> -L` is implemented). Indeed I confirm that a Windows client looking
> >> to the properties of a shared folder with only one symlink to '.'
> >> does see exactly 40 folders, so it's all consistent.
> >>
> >> At the same time, I acknowledge we must keep a loop protection in our
> >> filesystem, because in the general case it does take too much time to
> >> reach 40 path resolutions when a real folder structure is involved,
> >> and a DoS is already happening.
> >>
> >> Cheers,
> >> Giuseppe
> >>
> >>
> >> P.S.: out of curiosity, why did you say "I hate to say, symlinks are
> >> fully supported"? :-)
> >
> > Symlinks are a blight on a perfectly well designed filesystem. Once
> > the VFS work is finished, expect an epic rant (talk :-) I'm planning
> > to give :-). Not often I'll say this, but Microsoft got it right
> > in Windows on this point.
> >
> Which is why I never understood why the default for 'follow symlinks' is
> 'yes'. I also cannot understand why 'allow insecure wide links' was
> created, probably someone asked for it, but they should have been told no.
>
> Rowland
They're much too often used to simply discard outright, especially for
re-arranging mounted filesystems or shard content. Even popular
software repository tools like the centos repositories use them
extensively, linking centos/8 to centos/8.0, centos/8.1, centos/8.2,
one after the other. Denying this feature to, for example, CIFS based
access to a software repositpory is simply breaking things that have
worked since well since Samba was first published.
More information about the samba
mailing list