[Pkg-samba-maint] Bug#551203: Samba unix extensions with symlinks ...

bremer at muenster.de bremer at muenster.de
Sun Feb 21 17:20:31 UTC 2010


Samba unix extensions with symlinks ... I would also like to be able to follow
symlinks when using a samba share with unix extensions ...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551203
having this working ( at least without the unix extensions ) is even why I
( and several others ... simply search in some VDR forums and others about
"follow symlinks"/"wide links" )
made the choice to use samba but not nfs....
now someone found a problem allowing unauthorized access by creating a symlink with
unix extensions
and later using it without them to get it followed:
http://www.samba.org/samba/news/symlink_attack.html
( possibly the real reason why they are still disabled with unix extensions )

there is even a way to stop this attack while allowing symlinks to be followed
even with unix extensions ...

now speaking much too simple ...
if the check to where a symlink points would be called when ( before ! ) creating
the link
and disallowing the creation when the link points outside the scope already
visible to the client
the attack would be impossible ...

with this done you could allow following symlinks with unix extensions = yes
without any risk ...
( possibly by adding a value 'unix' to the follow symlinks/ wide links parameter
??? )

however only links outside the scope of the share should be followed because
otherwise applications
creating links inside the scope would be unable to recognize and remove the link
later ....

Ralph
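
The creation-time check proposed in the message above, sketched as an added example; it is not part of the original message and is not Samba code. The function names, the share layout and the temporary directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

def target_within_share(share_root, link_path, target):
    """True if a symlink at link_path (relative to share_root) with the given
    target would resolve to a location inside share_root."""
    root = os.path.realpath(share_root)
    link_dir = os.path.realpath(os.path.dirname(os.path.join(root, link_path)))
    if os.path.commonpath([root, link_dir]) != root:
        return False  # the link itself would live outside the share
    # A relative target resolves from the link's directory; os.path.join
    # drops link_dir when target is absolute. realpath() follows symlinks
    # that already exist, so ".." after an existing link is applied to the
    # place that link really points to, not to its name.
    resolved = os.path.realpath(os.path.join(link_dir, target))
    return os.path.commonpath([root, resolved]) == root

def create_symlink_checked(share_root, link_path, target):
    """Create the link only if its target stays inside the share."""
    if not target_within_share(share_root, link_path, target):
        raise PermissionError(f"{link_path} -> {target} leaves the share")
    os.symlink(target, os.path.join(os.path.realpath(share_root), link_path))

def demo():
    """Run the check on a constructed directory tree; return the verdicts."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "d1", "d2"))
        os.makedirs(os.path.join(base, "private"))  # outside the share
        # Allowed: points at the share root itself.
        create_symlink_checked(share, "d1/d2/s", "../..")
        verdicts = {
            "sibling": target_within_share(share, "d1/in", "d2"),
            "dotdot": target_within_share(share, "d1/up", "../../private"),
            "absolute": target_within_share(share, "abs", "/"),
            # Looks like it stays inside, but s/.. is the share's parent.
            "via_link": target_within_share(share, "x", "d1/d2/s/../private"),
        }
        try:
            create_symlink_checked(share, "d1/up", "../../private")
            verdicts["created_escape"] = True
        except PermissionError:
            verdicts["created_escape"] = False
        return verdicts

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check only describes the tree at the moment the link is created: renaming the link, or a directory above it, changes what a relative target resolves to.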