On Wed, Mar 03, 2010 at 02:29:47PM -0500, Brother Railgun of Reason wrote: > On Wed, Mar 03, 2010 at 11:25:03AM -0800, Jeremy Allison wrote: > > On Wed, Mar 03, 2010 at 01:58:58PM -0500, Brother Railgun of Reason wrote: > > > > > This can be interpreted either of two ways. Do you mean that you think > > > users should not be able to *enable* following wide symlinks (which I > > > understand to mean symbolic links whose target is located outside the > > > share), or should not be able to *disable* it? > > > > Users should not be able to enable following wide symlinks > > if "unix extensions = yes" (which means that symlinks can > > be dynamically created by clients). > > > > That's the basis of the security problem. > > > > If you want to allow both following wide symlinks > > and arbitrary client creation of symlinks then > > you need to change the code and recompile, as > > the combination is inherently unsafe. > > > Ahhh. That makes sense. I didn't know there was a capability for > Windows clients to be able to create Unix symlinks on a Samba share.
Windows clients can't create them using the Windows redirector, but anyone can download a clietn library (a port of smbclient to windows) that would allow users to do this. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
