
[Samba] wide links and privileges


Emmanuel Garette

Dec 22, 2015, 5:20:03 AM

Hi,

I'm using samba version samba-4.1.6+dfsg included in the latest Ubuntu LTS
version.

Here is my smb.conf file:

[global]
# server configuration
netbios name = scribe
workgroup = dompedago
server string = scribe
preferred master = yes
domain logons = yes
security = user
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap suffix = o=gouv,c=fr
ldap admin dn = cn=admin,o=gouv,c=fr
ldap ssl = no
domain master = yes
os level = 99
admin users = @DomainAdmins
encrypt passwords = yes
unix extensions = no
wide links = yes

[perso]
path = %H/perso
read only = no
valid users = %U
write list = %U

In this share, I have a symlink to a directory outside this share.

I get this error:

check_reduced_name_with_privilege: Bad access attempt: esu is a symlink
outside the share path

The "wide links" option is set to "Yes", so we should be able to access this directory.

If I set "enable privileges" to "No" in the Global section, all works fine.

When I read the source code, I can see that the check_reduced_name function
checks the widelinks option but check_reduced_name_with_privilege does not.

Is "wide links" inconsistent with privileges? I can't find any information
about this behaviour.

Regards,

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

Dec 22, 2015, 5:30:03 AM

From : man smb.conf ....

G is a Global setting
S is a share setting.

unix extensions (G)
allow insecure wide links (G)
wide links (S)
follow symlinks (S)

In global add:
allow insecure wide links = yes


on the share add :
wide links = yes
follow symlinks = yes



Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Emmanuel Garette
> Sent: Tuesday 22 December 2015 11:10
> To: sa...@lists.samba.org
> Subject: [Samba] wide links and privileges

Emmanuel Garette

Dec 22, 2015, 5:40:04 AM

On 22/12/2015 11:22, L.P.H. van Belle wrote:
> From : man smb.conf ....
>
> G is a Global setting
> S is a share setting.
>
> unix extensions (G)
> allow insecure wide links (G)
> wide links (S)
> follow symlinks (S)
>
> In global add:
> allow insecure wide links = yes
Not useful (unix extensions is set to "No"). I've tried to set this
option; as expected, there is no difference.
>
>
> on the share add :
> wide links = yes
> follow symlinks = yes
Those options have no effect (smbd said those options are already set to
"Yes" in this share).

As I said, I only need to set "enable extensions" to "No".

Regards,
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
Experts in EOLE, Gaspacho, free software

Emmanuel Garette

Jan 4, 2016, 3:10:04 AM

On 22/12/2015 11:10, Emmanuel Garette wrote:
> Hi,
>
> I'm using samba version samba-4.1.6+dfsg included in the latest Ubuntu LTS
> version.
> [..]
> If I set "enable privileges" to "No" in Global section, all works fine.
Hi,

Could anyone explain why I need to set "enable privileges" to "No" to
follow symlinks?

Regards
>
> Regards,
>


--
Emmanuel Garette
Free software engineer

Cadoles (http://www.cadoles.com)
Experts in EOLE, Gaspacho, free software


L.P.H. van Belle

Jan 4, 2016, 3:20:04 AM

From : man smb.conf

Which explains itself.

enable privileges (G)

This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and
group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges
to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.

An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via
smbd.

Please read the extended description provided in the Samba HOWTO documentation.

Default: enable privileges = yes



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Emmanuel Garette
> Sent: Monday 4 January 2016 9:02
> To: sa...@lists.samba.org
> Subject: Re: [Samba] wide links and privileges

Emmanuel Garette

Jan 6, 2016, 5:20:03 AM

On 04/01/2016 09:11, L.P.H. van Belle wrote:
> From : man smb.conf
>
> Which explains it self.
>
> enable privileges (G)
> [..]

Hi,

Thank you for your answer, would you mind if I ask for some more help ?
I'm sorry I don't understand exactly why you told me to look at the
`enable privileges` parameter in the man pages as an answer.
I have already closely read the documentation and even had a glance at
the samba's source code, and there is absolutely no mention of a
possible conflict between the `enable privileges` parameter and the
`wide links` parameter. Let me show you something in the samba's source
code:

The function which interests us here deals with the file names, there is
an `if` statement:

source3/smbd/filename.c:
```
 * @param smbreq SMB request if we're using privileges.
[...]
    if (!smbreq) {
        status = check_name(conn, (*pp_smb_fname)->base_name);
    } else {
        status = check_name_with_privilege(conn, smbreq,
                                           (*pp_smb_fname)->base_name);
    }
```

which redirects us to the `check_name` or the
`check_name_with_privilege` function,
which themselves respectively redirect to the `check_reduced_name` and
`check_reduced_name_with_privilege` functions:

source3/smbd/vfs.c:
```
NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
[...]
    /* Common widelinks and symlinks checks. */
    if (!allow_widelinks || !allow_symlinks) {
[...]
        if (strncmp(conn_rootdir, resolved_name,
                    rootdir_len) != 0) {
            DEBUG(2, ("check_reduced_name: Bad access "
                      "attempt: %s is a symlink outside the "
                      "share path\n", fname));
```
and

```
NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
                                           const char *fname,
                                           struct smb_request *smbreq)
[...]
    if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
        DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
                  "attempt: %s is a symlink outside the "
                  "share path\n",
                  dir_name));
```

We can see that in the first function there is a test on the
`allow_widelinks` local variable, whereas this test doesn't exist in the
second function.
Which seems to mean that in the first case it works, whereas in the
second case **it doesn't work**...

Anyway, my question is: are you guys really positive on the fact that it
is supposed to work fine if the `enable privileges` parameter is set to
`yes`?
Thank you in advance.
Cheers,
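As an added illustration (not the poster's code and not Samba's), here is a Python model of the two code paths quoted above, run against a constructed share tree: the share `perso`, the `esu` link named after the reported error, an `outside` directory and a `perso2` sibling are all made up for the demonstration, and `follow symlinks` is deliberately left out of the model. It shows that the privileged variant denies a link that leaves the share regardless of `wide links`, which is the behaviour reported in this thread, and it adds a separator-boundary test to the prefix comparison so a sibling directory whose name merely shares the prefix is not mistaken for the share.

```python
"""Added example, not Samba code: a Python model of the containment test that
the quoted source3/smbd/vfs.c excerpts perform, run against a constructed share
tree so the difference between the two code paths can be observed."""
import os
import tempfile


def within_share(conn_rootdir: str, resolved_name: str) -> bool:
    """Containment test on already-resolved paths. The quoted excerpt compares
    rootdir_len bytes with strncmp(); a separator boundary is required here
    so that a sibling such as /srv/perso2 is not taken for /srv/perso."""
    return resolved_name == conn_rootdir or resolved_name.startswith(conn_rootdir + os.sep)


def check_reduced_name(share_root: str, fname: str, allow_widelinks: bool) -> bool:
    """Unprivileged path: as in the quoted excerpt, the symlink-outside-share
    check runs only when wide links are off (follow symlinks is not modelled).
    Returns True when access would be allowed."""
    conn_rootdir = os.path.realpath(share_root)
    if allow_widelinks:
        return True
    resolved_name = os.path.realpath(os.path.join(conn_rootdir, fname))
    return within_share(conn_rootdir, resolved_name)


def check_reduced_name_with_privilege(share_root: str, fname: str) -> bool:
    """Privileged path: the quoted excerpt has no wide-links guard, so the
    containment check is always applied."""
    conn_rootdir = os.path.realpath(share_root)
    resolved_name = os.path.realpath(os.path.join(conn_rootdir, fname))
    return within_share(conn_rootdir, resolved_name)


def build_demo() -> dict:
    """Construct a throwaway tree (all names made up for this example): a share
    'perso' holding a real directory 'docs', a symlink 'esu' pointing outside
    the share, and a symlink 'sibling' to a directory 'perso2' whose name only
    shares the prefix. Returns the verdict of each check."""
    base = tempfile.mkdtemp(prefix="widelinks-demo-")
    share = os.path.join(base, "perso")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(os.path.join(base, "outside"))
    os.makedirs(os.path.join(base, "perso2"))
    os.symlink(os.path.join(base, "outside"), os.path.join(share, "esu"))
    os.symlink(os.path.join(base, "perso2"), os.path.join(share, "sibling"))
    return {
        "docs, unprivileged, wide links on": check_reduced_name(share, "docs", True),
        "docs, privileged": check_reduced_name_with_privilege(share, "docs"),
        "esu, unprivileged, wide links on": check_reduced_name(share, "esu", True),
        "esu, unprivileged, wide links off": check_reduced_name(share, "esu", False),
        "esu, privileged": check_reduced_name_with_privilege(share, "esu"),
        "sibling, unprivileged, wide links off": check_reduced_name(share, "sibling", False),
    }


if __name__ == "__main__":
    for case, allowed in build_demo().items():
        verdict = "allowed" if allowed else "denied: symlink outside the share path"
        print(f"{case:40s} -> {verdict}")
```

Run it as a script to see the table of verdicts; `esu` is allowed only on the unprivileged path with wide links on, and denied on the privileged path whatever the setting.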

Rowland penny

Jan 6, 2016, 6:00:04 AM

Go with what Louis suggested and also remove the 'unix extensions' line,
this will then make samba use the default 'unix extensions = yes' and I
am fairly sure your problem will go away, but you are opening a security
hole.

Rowland

L.P.H. van Belle

Jan 6, 2016, 6:10:05 AM

Hi,

I use the following on one of my member servers.

Put these three in your global smb.conf:

enable privileges = Yes
unix extensions = No
allow insecure wide links = Yes


And on the share I have set:
wide links = yes
follow symlinks = yes

and this has been working for years for me.

Try these and report back.
If it's not working, tell us your OS and samba version.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Emmanuel Garette
> Sent: Wednesday 6 January 2016 11:09
> To: sa...@lists.samba.org
> Subject: Re: [Samba] wide links and privileges
>
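As an added example (not from anyone in this thread and not Samba's own tooling), the following Python script reads an smb.conf and reports, per share, whether a symlink can lead outside the share. It applies the parameter scopes Louis listed earlier (`unix extensions` and `allow insecure wide links` are global, `wide links` and `follow symlinks` are share-level but may be given defaults in `[global]`) and the rule from the `wide links` entry of smb.conf(5) that the option is disabled while `unix extensions` is on unless `allow insecure wide links` is set. The sample configuration is constructed for the demonstration; the script does not follow `include` directives or parameter synonyms.

```python
"""Added example, not Samba's own tooling: audit an smb.conf for shares where
wide links are effectively enabled, applying the G/S parameter scopes and the
unix extensions coupling documented for 'wide links' in smb.conf(5)."""
import configparser
from typing import Dict

# Constructed sample: the reporter's global section reduced to the relevant
# keys, plus two extra shares to contrast the outcomes.
SAMPLE_SMB_CONF = """
[global]
netbios name = scribe
unix extensions = no
wide links = yes

[perso]
path = %H/perso
read only = no

[data]
path = /srv/data
wide links = no

[pub]
path = /srv/pub
follow symlinks = no
"""

# Same file with unix extensions turned back on (the default).
SAMPLE_UNIX_EXT_ON = SAMPLE_SMB_CONF.replace("unix extensions = no", "unix extensions = yes")


def to_bool(raw, default: bool) -> bool:
    """smb.conf booleans accept yes/true/1 and no/false/0; unset means default."""
    if raw is None:
        return default
    return raw.strip().lower() in ("yes", "true", "1")


def parse(text: str) -> configparser.ConfigParser:
    # %H, %U etc. are Samba substitutions, not configparser interpolation;
    # strict=False tolerates the duplicate keys real-world files contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective(cp: configparser.ConfigParser, share: str, key: str, default: bool) -> bool:
    """Share-level (S) parameters may be set in the share or, as a default for
    every share, in [global]; the share's own entry wins."""
    if cp.has_option(share, key):
        return to_bool(cp.get(share, key), default)
    if cp.has_option("global", key):
        return to_bool(cp.get("global", key), default)
    return default


def audit_wide_links(text: str) -> Dict[str, bool]:
    """Return {share: True} where a symlink may be followed out of the share."""
    cp = parse(text)
    unix_extensions = to_bool(cp.get("global", "unix extensions", fallback=None), True)
    allow_insecure = to_bool(cp.get("global", "allow insecure wide links", fallback=None), False)
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        wide = effective(cp, share, "wide links", False)
        follow = effective(cp, share, "follow symlinks", True)
        # smb.conf(5): wide links is disabled automatically while unix
        # extensions is on, unless allow insecure wide links is set.
        report[share] = wide and follow and (not unix_extensions or allow_insecure)
    return report


if __name__ == "__main__":
    for share, escapes in audit_wide_links(SAMPLE_SMB_CONF).items():
        print(f"[{share}] wide links effective: {'YES' if escapes else 'no'}")
```

Point it at your own file with `audit_wide_links(open("/etc/samba/smb.conf").read())`; a share reported as `YES` is one where a user who can create symlinks inside the share can reach paths outside it, which is the trade-off Rowland referred to.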

David Bear

Jan 6, 2016, 11:40:04 PM

I was just going through this and thought the security issues made for too
many unknowns for directory traversal outside of what I want samba sharing.

So have you considered a bind mount? If you have some file system mounted at
/mnt/somefilesystem

and in somefilesystem you have /somefolder/subfolder

you can do a mount --bind /mnt/somefilesystem/somefolder/subfolder
/home/magicbind

and get all the benefits of having magicbind point to some other subfolder
like a symlink but without the security issues of a wide link traversal.

I'm new to bind mounts so I don't know what security risks are associated
with them, but they seem like a better alternative to allowing a wide
link.
--
David Bear
mobile: (602) 903-6476

L.P.H. van Belle

Jan 7, 2016, 4:00:04 AM

Yes, mount bind is also an option.

But in my case I have a script running which auto-creates symlinks to files/folders spread over multiple servers.

And the symlinks are created in the user homedir and general data folders.

Which makes a mount bind much more resource-intensive.

In my case I need about 180 mount binds..   :-/  which remount to different files/folders every day.

Greetz,

Louis

Reindl Harald

Jan 7, 2016, 5:40:03 AM


On 07.01.2016 at 09:56, L.P.H. van Belle wrote:
> Yes, mount bind is also an option.
>
> But in my case I have a script running which auto-creates symlinks to files/folders spread over multiple servers.
>
> And the symlinks are created in the user homedir and general data folders.
>
> Which makes a mount bind much more resource-intensive.
>
> In my case I need about 180 mount binds.. :-/ which remount to different files/folders every day.

there is not much difference in maintaining 180 symlinks versus bind-mounts
in a script - we have scripted 155 bind-mounts at boot to replace FTP
with chrooted sftp on port 22, reused in the LAN with Samba

the main difference is just that you need to create the empty directory
for the mountpoint if it does not exist and get rid of it when it's no
longer used