I'd like to understand reasonably fully,, the difference between the two options "wide links" and "allow insecure wide links" in smb.conf. The docs make them sound very similar but as there are obvious security implications for anything to do with symlink scope, it's important to know what each of them allows/blocks and where they differ. Interestingly, only the second of them is tagged as explicitly being a significant security hole to leave open, so presumably there's quite a difference. Assuming that "follow symlinks" is at its default "yes", what is the practical and security difference/implication between enabling these two params? (NB - if someone wants to update the docs for "wide links", it might be worthwhile to add more there.) Thanks, Stilez
On Wed, Feb 28, 2018 at 01:39:09PM +0000, Stilez via samba wrote:> I'd like to understand reasonably fully,, the difference between the two > options "wide links" and "allow insecure wide links" in smb.conf. The docs > make them sound very similar but as there are obvious security implications > for anything to do with symlink scope, it's important to know what each of > them allows/blocks and where they differ.Setting "allow insecure wide links" to true allows clients to create SMB1 UNIX extension symlinks on the server filesystem that *THE SERVER WILL FOLLOW*. You can see why this is a problem. The SMB2 UNIX extensions will eliminate this possibility by changing client-stored symlinks into a datastore that the server will never follow. SMB2 UNIX extensions are currently being coded up as a test branch (not even experimental yet).
Thanks - that much I (pretty much) got. Its really the "wide links" option that isn't well distinguished/clarified. *insecure* wide links is much more clear, although the detail you've given helps a lot. What exactly is the "ordinary" "wide links = yes" option going to do (with or without Unix extensions), and how does it compare/how much exposure to mischief does it expose? On 28 February 2018 18:20:02 Jeremy Allison <jra at samba.org> wrote:> On Wed, Feb 28, 2018 at 01:39:09PM +0000, Stilez via samba wrote: >> I'd like to understand reasonably fully,, the difference between the two >> options "wide links" and "allow insecure wide links" in smb.conf. The docs >> make them sound very similar but as there are obvious security implications >> for anything to do with symlink scope, it's important to know what each of >> them allows/blocks and where they differ. > > Setting "allow insecure wide links" to true allows > clients to create SMB1 UNIX extension symlinks on > the server filesystem that *THE SERVER WILL FOLLOW*. > > You can see why this is a problem. The SMB2 UNIX > extensions will eliminate this possibility by > changing client-stored symlinks into a datastore > that the server will never follow. SMB2 UNIX extensions > are currently being coded up as a test branch (not > even experimental yet).
Possibly Parallel Threads
- Wide links and insecure wide links
- Wide links and insecure wide links
- Wide links and insecure wide links
- Feedback request on a tentative proposal to enhance smb.conf symlink-related params
- Allow insecure wide links = yes, wide links =yes; but I still can't "see" files from links to NFS mounts using 3.6.15, after upgrading from 2.2.8a