On 1/18/21 at 11:41 AM, Giuseppe Lo Presti via samba wrote:
> Following an old thread at [1] I wonder whether there's been any
> thought/plan to implement symbolic links loop detection in smbd.

What do you mean? smbd will detect loops because the kernel tells us about loops with ELOOP. There's an additional twist in the open code path where we implement secure symlink deferrals avoiding share escape. This code has a limit of following 20 symlinks before it gives up. What's missing?

> This was seen on our setup with Samba 4.11.16, and for now we have
> deployed a workaround in our own filesystem implementation to stop the
> looping (by essentially hiding symlinks that point up the hierarchy, so
> Windows clients would not have a chance to loop on them). But I guess it
> would be nice if symlinks can be fully supported (i.e. keeping `follow
> symlinks = yes` whilst detecting loops), compensating the lack of
> support from Windows.

I hate to say it, but symlinks are fully supported.

> From that thread it seems Jeremy had some ideas, not sure how this went
> and whether there's some option I've missed that would do the trick.

This is still being worked (SMB2 UNIX Extensions that is) -- any help is welcome! :)

-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46

On 18/01/2021 11:58, Ralph Boehme wrote:
> On 1/18/21 at 11:41 AM, Giuseppe Lo Presti via samba wrote:
>> Following an old thread at [1] I wonder whether there's been any
>> thought/plan to implement symbolic links loop detection in smbd.
>
> What do you mean? smbd will detect loops because the kernel tells us
> about loops with ELOOP.

Well, that's what I hoped, but facts match what Jeremy mentioned at the time:

> the clients will see them [symlinks] as nested directories and request
> the server to follow them until the OS runs out of recursion
> depth and returns errors.

So no ELOOP is triggered, and requests just keep piling up from the client. To reproduce, just create a link to '.' in a shared folder with `follow symlinks = yes` and look at its properties from Windows (or copy it over, but be ready to clean up the mess afterwards...).

>> From that thread it seems Jeremy had some ideas, not sure how this
>> went and whether there's some option I've missed that would do the trick.
>
> This is still being worked (SMB2 UNIX Extensions that is) -- any help is
> welcome! :)

Good to know, thanks! :)

Giuseppe
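
The condition discussed in this thread, a symlink in a share that resolves to its own directory or to an ancestor (such as the link to `.` used as the reproducer), can be audited on the server side. The following is an added example, not part of the thread or of Samba; `find_upward_symlinks` and the sample tree are constructed for illustration and assume a POSIX filesystem.

```python
import os
import tempfile


def find_upward_symlinks(share_root):
    """Return sorted share-relative paths of symlinks that resolve to the
    directory holding the link or to one of its ancestors."""
    root = os.path.realpath(share_root)
    hits = []
    # followlinks=False: walk only the real tree, so the scan itself cannot loop.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        parent = os.path.realpath(dirpath)
        # Symlinks to directories show up in dirnames, dangling ones in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if not os.path.isdir(target):
                continue  # dangling link or link to a file: nothing to recurse into
            # Ancestor-or-self test: the common prefix of both paths is the target.
            if os.path.commonpath([parent, target]) == target:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Build a constructed sample share and return the flagged links."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "projects", "a"))
        os.makedirs(os.path.join(share, "data"))
        # Link to '.', as in the reproducer described in the thread.
        os.symlink(".", os.path.join(share, "here"))
        # Link pointing two levels up, back to the share root.
        os.symlink("../..", os.path.join(share, "projects", "a", "up"))
        # Link to a sibling directory: not an upward link, must not be flagged.
        os.symlink("../data", os.path.join(share, "projects", "sideways"))
        return find_upward_symlinks(share)


if __name__ == "__main__":
    for link in demo():
        print("upward symlink:", link)
```
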