After an upgrade, I got re-bitten by the 'unix-extensions and
wide links' incompat.  (They used to be compat but were made
incompat in the 3.4.x timeframe due to security concerns).

At the time it was suggested I write a patch complete
with documentation to describe the fix.  The below
seems to fit the bill.  I was wondering what people thought
about its inclusion in future versions...

I'd call this a "proto-patch" since it is against my distro's (opensuse)
source RPM for 3.5.7...   First the description, and then the patch.

I think it sufficiently describes the security concerns that were
presented at the time, as well.
Sufficient?
Linda



client managed wide links (G)

         This option can allow clients to manage the 'wide links'
         created on a server.  It enables this by permitting 'unix
         extensions' and 'wide links' to be true at the same time in the
         same config.  Management is only enabled if 'unix extensions' is
         also true, and 'wide links' only function when enabled on a
         per-share basis.

         This creates security issues similar to allowing the same userid
         to have a local account on the server (where they could then
         create/manage wide links).  As a local user, they can create
         symlinks in any directory they have access to that can point to
         any inode (file, dir, dev, etc...) on the server.

         If your users have local accounts on the server, this option
         should not cause any decrease in security, as links created
         through 'unix extensions' by a client are subject to normal file
         and share restrictions.  This does mean, though, that if a user is
         in the 'Domain Admins' group on the server, they can likely manage
         links on any writable share.

         Default: client managed wide links = no

---
patch:

--- source3/param/loadparm.c.orig       2011-02-27 09:42:19.000000000 -0800
+++ source3/param/loadparm.c    2011-06-09 16:53:19.192163402 -0700
@@ -334,6 +334,7 @@
        bool bHostMSDfs;
        bool bUseMmap;
        bool bHostnameLookups;
+       bool bClientManagedWidelinks;
        bool bUnixExtensions;
        bool bDisableNetbios;
        char * szDedicatedKeytabFile;
@@ -939,6 +940,15 @@
                .flags          = FLAG_ADVANCED
        },
        {
+               .label          = "client managed wide links",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.bClientManagedWidelinks,
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED
+       },
+       {
                .label          = "unix charset",
                .type           = P_STRING,
                .p_class        = P_GLOBAL,
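Review bot: the only file this patch touches is source3/param/loadparm.c, so the smb.conf description posted above the patch never reaches the man page; the parameter table entry added here needs a matching entry in the man page source in the same patch, otherwise `man smb.conf` will not list "client managed wide links" or its default of no.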
@@ -5085,6 +5095,7 @@
#else
        Globals.bUseMmap = True;
#endif
+       Globals.bClientManagedWidelinks = False;
        Globals.bUnixExtensions = True;
        Globals.bResetOnZeroVC = False;
        Globals.bCreateKrb5Conf = true;
@@ -5535,6 +5546,7 @@
FN_GLOBAL_BOOL(lp_enhanced_browsing, &Globals.enhanced_browsing)
FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
+FN_GLOBAL_BOOL(lp_client_managed_widelinks, &Globals.bClientManagedWidelinks)
FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
@@ -9905,6 +9917,7 @@

void widelinks_warning(int snum)
{
+       if (lp_client_managed_widelinks()) return;
        if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
                DEBUG(0,("Share '%s' has wide links and unix extensions enabled. 
"
                        "These parameters are incompatible. "
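Review bot: the early `return` at the top of widelinks_warning() silences the incompatibility warning completely once the global option is set, so an administrator gets no log line naming the shares that now combine wide links with unix extensions. Instead of returning before the check, keep `if (lp_unix_extensions() && lp_widelinks_internal(snum))` and, when lp_client_managed_widelinks() is true, log a lower-level message (DEBUG(1) or similar) stating that share '%s' has wide links enabled under client management; the opt-in then leaves an audit trail instead of removing the only signal the existing code provides.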
@@ -9915,10 +9928,9 @@

bool lp_widelinks(int snum)
{
-       /* wide links is always incompatible with unix extensions */
-       if (lp_unix_extensions()) {
-               return false;
-       }

-       return lp_widelinks_internal(snum);
+       if (lp_client_managed_widelinks()
+               || !lp_unix_extensions()) return lp_widelinks_internal(snum);
+
+       return false;
}
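Review bot: the decision logic is right (per-share wide links honoured when the override is set or unix extensions are off, forced off otherwise), but the style diverges from the lines being removed: the old code had a comment stating the rule and a braced `if` with its body on its own line, while the replacement is a two-line condition with a trailing `return` and a stray blank line left at the top of the function. Suggest restoring braces and updating the comment, e.g. `/* wide links is incompatible with unix extensions unless 'client managed wide links' overrides it */`, so the next reader sees why the combination is normally refused.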

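The description's point that a symlink inside a share can point at any inode on the server translates into a concrete check worth running before turning the combination on. The script below is an added example, not part of the mail or of Samba's code: it walks a share root, reports every symlink, and flags the ones whose resolved target lies outside the share, which are exactly the links that 'wide links = yes' would let a client follow. The share tree it builds is constructed here purely for illustration.

```python
"""Audit a Samba share tree for symlinks that 'wide links' would follow outside it.

Added example, not part of the original mail or of Samba's code. It assumes only
POSIX symlink semantics; the share root is whatever smb.conf's 'path =' points at.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkFinding:
    link: str      # symlink location, relative to the share root
    target: str    # link text exactly as stored on disk
    resolved: str  # fully resolved absolute target
    escapes: bool  # True when the resolved target lies outside the share root


def _inside(root: str, path: str) -> bool:
    """True if an already-resolved absolute path is root itself or beneath it."""
    return path == root or path.startswith(root + os.sep)


def audit_share(share_path: str) -> list:
    """Walk share_path without descending through directory symlinks and report
    every symlink found. escapes=True marks the links that 'wide links = no'
    refuses to follow and 'wide links = yes' would serve to a client, whether
    they were created locally or through unix extensions over SMB."""
    root = os.path.realpath(share_path)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            resolved = os.path.realpath(full)  # follows the whole chain, even if dangling
            findings.append(LinkFinding(
                link=os.path.relpath(full, root),
                target=os.readlink(full),
                resolved=resolved,
                escapes=not _inside(root, resolved),
            ))
    return sorted(findings, key=lambda f: f.link)


def build_demo_share() -> tuple:
    """Constructed demo tree (not data from the mail): one in-share link, one
    relative link climbing out of the share, one absolute link to the root
    filesystem. Returns (share_path, findings)."""
    base = tempfile.mkdtemp(prefix="widelinks-audit-")
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(share, "docs", "readme.txt"), "w") as fh:
        fh.write("in-share file\n")
    with open(os.path.join(base, "outside", "secret.txt"), "w") as fh:
        fh.write("should never be reachable through the share\n")
    os.symlink("readme.txt", os.path.join(share, "docs", "local"))    # stays inside
    os.symlink("../outside/secret.txt", os.path.join(share, "leak"))  # climbs out
    os.symlink("/", os.path.join(share, "rootfs"))                    # absolute escape
    return share, audit_share(share)


if __name__ == "__main__":
    share, findings = build_demo_share()
    print(f"share root: {share}")
    for f in findings:
        flag = "ESCAPES" if f.escapes else "ok     "
        print(f"{flag}  {f.link} -> {f.target}  ({f.resolved})")
```

Run it against a real share with `audit_share("/srv/samba/public")` (path assumed). Any finding with escapes=True is a link the server would follow once wide links are in effect for that share, so review or remove those before setting the option rather than after.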