Hi,

I'm using samba version samba-4.1.6+dfsg included in the last Ubuntu LTS version.

Here is my smb.conf file:

```
[global]
# server configuration
netbios name = scribe
workgroup = dompedago
server string = scribe
preferred master = yes
domain logons = yes
security = user
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap suffix = o=gouv,c=fr
ldap admin dn = cn=admin,o=gouv,c=fr
ldap ssl = no
domain master = yes
os level = 99
admin users = @DomainAdmins
encrypt passwords = yes
unix extensions = no
wide links = yes

[perso]
path = %H/perso
read only = no
valid users = %U
write list = %U
```

In this share, I've a symlink to a directory outside this share.

I've this error:

check_reduced_name_with_privilege: Bad access attempt: esu is a symlink outside the share path

Option "wide links" is turned to "Yes", so we could access this directory.

If I set "enable privileges" to "No" in Global section, all works fine.

When I read the source code, I can see that the check_reduced_name function checks the widelinks option, but the check_reduced_name_with_privilege one does not.

Is "wide links" inconsistent with privileges? I can't see information about this behaviour.

Regards,
From: man smb.conf ....

G is a Global setting
S is a share setting.

unix extensions (G)
allow insecure wide links (G)
wide links (S)
follow symlinks (S)

In global add:
allow insecure wide links = yes

on the share add :
wide links = yes
follow symlinks = yes

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
> Sent: Tuesday 22 December 2015 11:10
> To: samba at lists.samba.org
> Subject: [Samba] wide links and privileges
On 22/12/2015 11:22, L.P.H. van Belle wrote:
> From : man smb.conf ....
>
> G is a Global setting
> S is a share setting.
>
> unix extensions (G)
> allow insecure wide links (G)
> wide links (S)
> follow symlinks (S)
>
> In global add:
> allow insecure wide links = yes

Not useful (unix extension is set to "No"). I've tried to set this option; as expected, there is no difference.

> on the share add :
> wide links = yes
> follow symlinks = yes

Those options have no effect (smbd said those options are already set to "Yes" in this share).

As I said, I only need to turn "enable extensions" to "No".

Regards,

--
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
EOLE, Gaspacho and free software experts
On 22/12/2015 11:10, Emmanuel Garette wrote:
> Hi,
>
> I'm using samba version samba-4.1.6+dfsg included in last ubuntu LTS
> version.
> [..]
> If I set "enable privileges" to "No" in Global section, all works fine.

Hi,

Could anyone explain why I need to set "enable privileges" to "No" to follow symlinks?

Regards

--
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
EOLE, Gaspacho and free software experts
From: man smb.conf

Which explains itself.

enable privileges (G)

    This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.

    An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd.

    Please read the extended description provided in the Samba HOWTO documentation.

    Default: enable privileges = yes

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
> Sent: Monday 4 January 2016 9:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] wide links and privileges
On 04/01/2016 09:11, L.P.H. van Belle wrote:
> From : man smb.conf
>
> Which explains it self.
>
> enable privileges (G)
> [..]

Hi,

Thank you for your answer, would you mind if I ask for some more help?
I'm sorry, I don't understand exactly why you told me to look at the `enable privileges` parameter in the man pages as an answer.
I have already closely read the documentation and even had a glance at Samba's source code, and there is absolutely no mention of a possible conflict between the `enable privileges` parameter and the `wide links` parameter. Let me show you something in Samba's source code:

The function which interests us here deals with the file names, there is an `if` statement:

source3/smbd/filename.c:
```
 * @param smbreq SMB request if we're using privileges.
[...]
    if (!smbreq) {
        status = check_name(conn, (*pp_smb_fname)->base_name);
    } else {
        status = check_name_with_privilege(conn, smbreq,
                (*pp_smb_fname)->base_name);
    }
```

which redirects us to the `check_name` or the `check_name_with_privilege` function,
which themselves respectively redirect to the `check_reduced_name` and `check_reduced_name_with_privilege` functions:

source3/smbd/vfs.c:
```
NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
[...]
    /* Common widelinks and symlinks checks. */
    if (!allow_widelinks || !allow_symlinks) {
[...]
        if (strncmp(conn_rootdir, resolved_name,
                rootdir_len) != 0) {
            DEBUG(2, ("check_reduced_name: Bad access "
                "attempt: %s is a symlink outside the "
                "share path\n", fname));
```
and

```
NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
            const char *fname,
            struct smb_request *smbreq)
[...]
    if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
        DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
            "attempt: %s is a symlink outside the "
            "share path\n",
            dir_name));
```

We can see that in the first function there is a test on the `allow_widelinks` local variable, whereas this test doesn't exist in the second function.
Which seems to mean that in the first case it works, whereas in the second case **it doesn't work**...

Anyway, my question is: are you guys really positive on the fact that it is supposed to work fine if the `enable privileges` parameter is set to `yes`?
Thank you in advance.
Cheers,

--
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
EOLE, Gaspacho and free software experts
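The difference described in the message above, as an added example that is not part of the original post and is not Samba code: a simplified C model in which one check consults the `allow_widelinks`/`allow_symlinks` flags before the containment test and the other always applies it. The function names, the path-boundary check and the sample tree created under /tmp are assumptions made for the illustration.

```c
/* Added illustration, not Samba code; names and the sample tree are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Containment test modelled on the quoted strncmp(): is root/name inside root? */
static bool inside_share(const char *root, const char *name) {
    char path[PATH_MAX], real_root[PATH_MAX], resolved[PATH_MAX];
    snprintf(path, sizeof(path), "%s/%s", root, name);
    if (!realpath(root, real_root) || !realpath(path, resolved))
        return false; /* unresolvable path: deny */
    size_t n = strlen(real_root);
    /* Boundary check (an addition here) so /srv/share2 is not "inside" /srv/share. */
    return strncmp(real_root, resolved, n) == 0 &&
           (resolved[n] == '/' || resolved[n] == '\0');
}

/* Model of the check_reduced_name excerpt: containment only if a flag is off. */
bool model_check(const char *root, const char *name,
                 bool allow_widelinks, bool allow_symlinks) {
    return (allow_widelinks && allow_symlinks) || inside_share(root, name);
}

/* Model of the check_reduced_name_with_privilege excerpt: no flag consulted. */
bool model_check_with_privilege(const char *root, const char *name) {
    return inside_share(root, name);
}

/* Constructed sample tree: <tmp>/share and <tmp>/share/esu -> <tmp>/outside. */
int make_sample_tree(char *share, size_t len) {
    char base[] = "/tmp/widelinks-XXXXXX", p[PATH_MAX], q[PATH_MAX];
    if (!mkdtemp(base)) return -1;
    snprintf(share, len, "%s/share", base);
    snprintf(p, sizeof(p), "%s/outside", base);
    snprintf(q, sizeof(q), "%s/esu", share);
    return (mkdir(share, 0700) || mkdir(p, 0700) || symlink(p, q)) ? -1 : 0;
}

int main(void) {
    char s[PATH_MAX];
    if (make_sample_tree(s, sizeof(s))) return 1;
    printf("esu: wide links=yes -> %d, privileged path -> %d\n",
           model_check(s, "esu", true, true), model_check_with_privilege(s, "esu"));
}
```
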
Hi,

I use the following on one of my member servers.

Set these three in your global smb.conf.

enable privileges = Yes
unix extensions = No
allow insecure wide links = Yes

And on the share I have set:

wide links = yes
follow symlinks = yes

and this has been working for years for me.

Try these and report back.
If it's not working, tell us your OS and samba version.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
> Sent: Wednesday 6 January 2016 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] wide links and privileges