[Samba] Status of SMB3 POSIX symlinks
Aurélien Aptel
aaptel at suse.com
Tue Jan 26 16:15:00 UTC 2021
"Dorian Taylor (Lists)" <lists at doriantaylor.com> writes:
> I am indeed only after symlinks that work within the share, but as somebody who works almost exclusively on POSIX platforms, I know that the lack of proper symlinks is going to mess me up. I am currently using OpenAFS but it is slow, uses weaker encryption, needs additional client software (including compiling kernel modules which makes APT upgrades take forever) and requires its own special partitions instead of exporting a native one. I was hoping to shed it for something more mainstream, but alas, symlinks.
symlinks are tricky for security reasons. There are many edge cases that
JRA (Jeremy Allison) can tell you about if he feels like commenting here
but basically if the client can store symlinks on the server as actual
symlinks, you might run into issues where the client can access things
outside of the share it is supposed to be limited to (via .. or absolute
paths).
On top of that, symlinks can be nested and checking/creating symlinks
must be done atomically or you can exploit Time-of-check-time-of-use
race conditions [1].
For your usecase though, mfsymlinks should be ok.
1: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
More information about the samba
mailing list