samba - Feb 2018 - Wide links and insecure wide links

Thanks - that much I (pretty much) got.

Its really the "wide links" option that isn't well
distinguished/clarified.

 *insecure* wide links is much more clear, although the detail you've given 
helps a lot.

What exactly is the "ordinary" "wide links = yes" option
going to do (with
or without Unix extensions), and how does it compare/how much exposure to 
mischief does it expose?


On 28 February 2018 18:20:02 Jeremy Allison <jra at samba.org> wrote:
> On Wed, Feb 28, 2018 at 01:39:09PM +0000, Stilez via samba wrote:
>> I'd like to understand reasonably fully,, the difference between
the two
>> options "wide links" and "allow insecure wide
links" in smb.conf. The docs
>> make them sound very similar but as there are obvious security
implications
>> for anything to do with symlink scope, it's important to know what
each of
>> them allows/blocks and where they differ.
>
> Setting "allow insecure wide links" to true allows
> clients to create SMB1 UNIX extension symlinks on
> the server filesystem that *THE SERVER WILL FOLLOW*.
>
> You can see why this is a problem. The SMB2 UNIX
> extensions will eliminate this possibility by
> changing client-stored symlinks into a datastore
> that the server will never follow. SMB2 UNIX extensions
> are currently being coded up as a test branch (not
> even experimental yet).

On Wed, Feb 28, 2018 at 07:30:45PM +0000, Stilez wrote:
> Thanks - that much I (pretty much) got.
> 
> Its really the "wide links" option that isn't well
distinguished/clarified.
> 
> *insecure* wide links is much more clear, although the detail you've
given
> helps a lot.
> 
> What exactly is the "ordinary" "wide links = yes"
option going to do (with
> or without Unix extensions), and how does it compare/how much exposure to
> mischief does it expose?
"ordinary" "wide links = yes" means the
server will follow symlinks on the file
system that point outside the root of the
share definition. If set to off (default),
the server will refuse to follow symlinks
that point outside of the root of the
share definition, but will follow symlinks
that point within the share.

If this is turned on, it disables SMB1
unix extensions (which allow symlinks
to be created by the client) unless
"insecure wide links" is *also* turned
on.

Thank you.

So, If I understand correctly, "ordinary" "wide links =
yes", means Samba
*will* traverse an existing symlink that points outside the root of the 
share, if permissions allow. However because it *also* disables SMB1 Unix 
extensions, it *also* prevents the user from creating or modifying symlinks 
on the share, so in wffect it inherently prevents this being exploited 
unless an insecure symlink already exists or is created by some *other* 
route. And thus, that enabling "insecure" wide links simply  removes
that
safeguard.

If that's right, my clarification questions are

1) does this mean that configs containing "ordinary" wide link = yes
might
become a risk, when SMB2 style functionality eventually lands, or will it 
presumably be mitigated or remain unchanged from a security perspective at 
that time, as far as is known?

2) when you say in your reply, that "ordinary" wide links enabled 
"means
the server will follow symlinks **on the file system*" that point outside 
the root of the share definition", do you in fact mean that it is also 
barred from crossing a device boundary onto another device (similar to 
"ls|rm|find -x", using stat to determine same file system), or
something
else (in which case what?)

Thanks for the help!

Last thing - how can this helpful info added to smb.conf doc/man pages 
where it might help others?

Stilez



On 28 February 2018 19:48:37 Jeremy Allison <jra at samba.org> wrote:
> On Wed, Feb 28, 2018 at 07:30:45PM +0000, Stilez wrote:
>> Thanks - that much I (pretty much) got.
>>
>> Its really the "wide links" option that isn't well
distinguished/clarified.
>>
>> *insecure* wide links is much more clear, although the detail
you've given
>> helps a lot.
>>
>> What exactly is the "ordinary" "wide links = yes"
option going to do (with
>> or without Unix extensions), and how does it compare/how much exposure
to
>> mischief does it expose?
>
> "ordinary" "wide links = yes" means the
> server will follow symlinks on the file
> system that point outside the root of the
> share definition. If set to off (default),
> the server will refuse to follow symlinks
> that point outside of the root of the
> share definition, but will follow symlinks
> that point within the share.
>
> If this is turned on, it disables SMB1
> unix extensions (which allow symlinks
> to be created by the client) unless
> "insecure wide links" is *also* turned
> on.