Re: [Samba] Wide links and insecure wide links

Thanks - that much I (pretty much) got.

It's really the "wide links" option that isn't well distinguished/clarified.

*insecure* wide links is much more clear, although the detail you've given helps a lot.

What exactly is the "ordinary" "wide links = yes" option going to do (with or without Unix extensions), and how does it compare/how much exposure to mischief does it expose?

On 28 February 2018 18:20:02 Jeremy Allison <jra@xxxxxxxxx> wrote:

On Wed, Feb 28, 2018 at 01:39:09PM +0000, Stilez via samba wrote:
I'd like to understand reasonably fully, the difference between the two
options "wide links" and "allow insecure wide links" in smb.conf. The docs
make them sound very similar but as there are obvious security implications
for anything to do with symlink scope, it's important to know what each of
them allows/blocks and where they differ.

Setting "allow insecure wide links" to true allows
clients to create SMB1 UNIX extension symlinks on
the server filesystem that *THE SERVER WILL FOLLOW*.

You can see why this is a problem. The SMB2 UNIX
extensions will eliminate this possibility by
changing client-stored symlinks into a datastore
that the server will never follow. SMB2 UNIX extensions
are currently being coded up as a test branch (not
even experimental yet).
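
An added example, not part of the thread and not Samba code: a small audit of an smb.conf that flags shares where the combination described above (client-created SMB1 UNIX extension symlinks that the server follows) is enabled. The status labels and the sample config are made up; the parameter defaults and the automatic disabling of "wide links" while "unix extensions" is on are assumptions taken from the smb.conf man page.

```python
import configparser

# Constructed sample; share names and paths are made up for illustration.
SAMPLE = """\
[global]
unix extensions = yes
allow insecure wide links = yes

[projects]
path = /srv/projects
wide links = yes

[scratch]
path = /srv/scratch
"""

TRUE = {"yes", "true", "on", "1"}

def flag(section, key, default):
    """Read a boolean smb.conf parameter, falling back to `default`."""
    return section.get(key, default).strip().lower() in TRUE

def audit(text):
    """Return {share: status} for the wide-links-related settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    # Defaults assumed from the smb.conf man page.
    unix_ext = flag(glob, "unix extensions", "yes")
    insecure = flag(glob, "allow insecure wide links", "no")
    wide_default = "yes" if flag(glob, "wide links", "no") else "no"
    result = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        if not flag(cp[name], "wide links", wide_default):
            result[name] = "off"
        elif not unix_ext:
            result[name] = "wide-links-on"  # SMB1 UNIX extensions are off
        elif insecure:
            result[name] = "client-symlinks-followed"  # the case described above
        else:
            result[name] = "auto-disabled"  # smbd turns wide links off itself
    return result

if __name__ == "__main__":
    for share, status in audit(SAMPLE).items():
        print(f"{share}: {status}")
```
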

