[Pkg-samba-maint] Bug#866823: Bug#866823: samba: does not follow symbolic links
Ritesh Raj Sarraf
rrs at debian.org
Mon Nov 23 10:15:16 GMT 2020
On Mon, 2020-11-23 at 10:12 +0100, Mathieu Parent wrote:
> > The (insecure) workaround mentioned in this bug report, that of:
> >
> > # For symlink hack
> > wide links = yes
> > allow insecure wide links = yes
> >
> >
> > makes it work again.
>
> Do you have path=/ ?
>
No. What I have is below.
rrs at chutzpah:/var/log/samba$ grep path /etc/samba/smb.conf
; logon path = \\%N\profiles\%U
# logon path = \\%N\%U\profile
path = /media/rrs/EXDATA
path = /media/rrs/4TBWD
path = /media/rrs/4TBWD
path = /home/rrs/Trans/
; path = /home/samba/netlogon
# users profiles (see the "logon path" option above)
# The path below should be writable by all users so that their
; path = /home/samba/profiles
path = /var/spool/samba
path = /var/lib/samba/printers
15:40 ♒♒♒ ☺
> Also, from the 4.13 WHATSNEW.txt:
>
> > wide links functionality
> > ------------------------
> >
> > For this release, the code implementing the insecure "wide links =
> > yes"
> > functionality has been moved out of the core smbd code and into a
> > separate
> > VFS module, vfs_widelinks. Currently this vfs module is implicitly
> > loaded
> > by smbd as the last but one module before vfs_default if "wide
> > links = yes"
> > is enabled on the share (note, the existing restrictions on
> > enabling wide
> > links around the SMB1 "unix extensions" and the "allow insecure
> > wide links"
> > parameters are still in force). The implicit loading was done to
> > allow
> > existing users of "wide links = yes" to keep this functionality
> > without
> > having to make a change to existing working smb.conf files.
> >
> > Please note that the Samba developers recommend changing any Samba
> > installations that currently use "wide links = yes" to use bind
> > mounts
> > as soon as possible, as "wide links = yes" is an inherently
> > insecure
> > configuration which we would like to remove from Samba. Moving the
> > feature into a VFS module allows this to be done in a cleaner way
> > in future.
> >
> > A future release to be determined will remove this implicit
> > linkage,
> > causing administrators who need this functionality to have to
> > explicitly
> > add the vfs_widelinks module into the "vfs objects =" parameter
> > lists.
> > The release notes will be updated to note this change when it
> > occurs.
>
> Can't you use bind mounts?
I only enabled " wide links = yes" today, when I noticed that the
upgrade has cause my shares to be inaccessible, for the symlink
folders.
I would rather prefer to not use "wide links = yes" at all and instead
just be able to use symlinks feature, with say, something like the
below which had been working until the last upgrade.
[EXDATA]
comment = EXDATA
browseable = yes
follow symlinks = yes
read only = no
create mask = 0770
directory mask = 0770
path = /media/rrs/EXDATA
--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20201123/735f5812/attachment.sig>
More information about the Pkg-samba-maint
mailing list