Re: [Samba] can't turn on wide links in homedir
simo wrote: On Wed, 2011-09-14 at 18:16 -0700, Linda Walsh wrote: Jeremy Allison wrote: I didn't like re-enabling the feature as it re-introduces something that was widely regarded as a security hole, People widely regarded the earth as flat and ... well sometime ago, as in some areas, as only 6000 years old... Did you know the greks (150 BC and earlier) knew perfectly well the earth was round and calculated things like the radius of the earth with decent accuracy for the means and things like the precession ? Sometimes people walk backward :) Science and reason almost always suffer in the face of 'mass (pun?) opinion' (or wide regard, as the case may be)... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On Thu, 2011-09-15 at 09:11 -0700, Linda Walsh wrote: simo wrote: On Wed, 2011-09-14 at 18:16 -0700, Linda Walsh wrote: Jeremy Allison wrote: I didn't like re-enabling the feature as it re-introduces something that was widely regarded as a security hole, People widely regarded the earth as flat and ... well sometime ago, as in some areas, as only 6000 years old... Did you know the greks (150 BC and earlier) knew perfectly well the earth was round and calculated things like the radius of the earth with decent accuracy for the means and things like the precession ? Sometimes people walk backward :) Science and reason almost always suffer in the face of 'mass (pun?) opinion' (or wide regard, as the case may be)... So glad we are not on the mass side then :-p Simo. -- Simo Sorce Samba Team GPL Compliance Officer s...@samba.org Principal Software Engineer at Red Hat, Inc. s...@redhat.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
Jeremy Allison wrote: We needed to make it impossible to configure Samba insecurely. At the time this was proposed, it was posted to the list and no dissenting voices were heard. --- Not exactly true -- as soon as this feature was available for testing in a downloadable package, there were dissenting voices. Proposing patches or changes on 1 product that one is responsible for, out of the 100's to 1000's of packages (over 3600 on one machine I just checked), that people use on their machines, AND expecting any representative or informed response from those that will affected by such a patch, is provincial, at best. When people were hit by this remote-management disabling patch, in the first release that included it, there was, there was notable dissent. dissent. It improved server security in the same way that ANY disabling of remote- administration abilities will 'improve' server security -- i.e. it may or it may result in creating worse problems. The 'bug'[sic], was that a user could create a symlink in their home dir to point to /etc/passwd. Using that, they could allow /etc/passd to be readable by anyone who had pass-through access on the user's home dir, and the ability to read /etc/passwd. However, users who have their home directory on the server, as in one some of the samba-suggested configurations where *nix security is controlled by a samba PDC, could always manage symlinks remotely via ssh. If a site expected users to be able to use directed links in specfic shares, they could turn on wide-links for the share that needs them (on which USERS may have no write access), while on user-writable shares, wide-links would not be enabled. This would be the expected way someone would manage this feature. But limiting wide links to non-user-writeable shares was considered too difficult for people to figure out. And somehow, allowing wide-links to function, ONLY on non-user-write-able shares was considered 'insecure' (how?). Even though there was an easy solution t0 the problem, the solution was server-wide disabling of wide-links on all shares, if unix extensions were enabled --- something that did more harm than good and likely *created* 'insecure samba configurations', for sites that needed that functionality by had to work around it.. Contrary to the assertion that server-wide disabling of 'wide links' (an imprecise and non descriptive term that probably led to the problem that arose in the first place!) resulted in disallowing 'insecure configurations', It created some configs that were more secure, AND some configs that were less secure. Now there is the strong possiblity of another option with another bad name being added to get around previously ill-chosen named options in order to allow 're-hardening' of security on sites that were 'made less secure' the original disabling patch. ARG!... I would like to put forth a possible alternative for consideration (perhaps a bit late in the game), though perhaps a goal for a release in the near future. Better to say someting that be accused later of saying nothing... Immediate: - Revert the original patch. - deprecate 'wide links'. - add new, descriptive term: allow symlinks outside share boundaries = (yes/no) Or, longer term solution might be to add: permitted symlink targets = ... veto symlink targets = ... e.g. permitted symlink targets = / veto symlink targets = /etc /proc /sbin /dev /root /tmp or permitted symlink targets = /home /Share /backup /bin ... (excluding /etc, thus passwd, for example). Claiming that some options are 'insecure' - when used correctly is confusing, as it leads one to wonder why is it that an option that is not insecure on linux, IS insecure on samba...are there bugs in samba that make it more insecure? Certainly, if options are unclear, then they should be renamed over time. Through a @allow_compat prev version options could be immediately deprecated, and 're-allowed' for 2-3 releases (or some fixed time). But going with descriptions that label 'useful (and used) features' as insecure, when the opposite may be true for a given site is bound to cause confusion and a desire to give multitudes of *worse* ways the samba can be be abused even though it is claimed that it is impossible to configure it insecurely... I'm sure that wouldn't be appreciated, bug some might feel a need to relate such configs, purely so that every useful samba config (or option) can be prohibited in the name of protecting us... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On Wed, Sep 14, 2011 at 03:37:11PM -0700, Linda Walsh wrote: I would like to put forth a possible alternative for consideration (perhaps a bit late in the game), though perhaps a goal for a release in the near future. Better to say someting that be accused later of saying nothing... Linda, you're flogging a dead horse. The code you wanted is in, even though it has a name you don't like. Declare victory and move on. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
But what if we didn't need the option in the first place? (i.e. the workaround code?)... Wouldn't it make for a cleaner implementation to not add a hack on top of a hack? I'm a perfectionist -- just just a it'll do type...that's why I tend to persist. Though if you aren't interested, you aren't interested... What name did you choose anyway? I'm not sure why I should declare victory... It's not about a battle...it's about doing the best one can -- but there is no triumph ... of a over b. or such.. I don't find such to ever be a valuable attitude (though many people engage in 'win/lose' stuff). I prefer not to. I think the above reasons are partly why I get misinterpreted at times... (that and the seemingly opposite 'lack of attention to detail -- a case of overfocusing on one part of a problem (or the whole problem) and therefore missing pieces...it happens. I don't feel like I won because you didn't feel good about adding the option even though you got to make it a silly name. I don't think you felt good about adding the option, but assuaged yourself with naming it something belligerent to users rather than descriptively and neutrally, (something I don't think appropriate in a user interface of the sort samba presents), which really -- did that make you feel 'ok' with adding the option? If not, I didn't win. I feel that I failed to communicate with you. But that's me and my warped definitions... Jeremy Allison wrote: On Wed, Sep 14, 2011 at 03:37:11PM -0700, Linda Walsh wrote: I would like to put forth a possible alternative for consideration (perhaps a bit late in the game), though perhaps a goal for a release in the near future. Better to say someting that be accused later of saying nothing... Linda, you're flogging a dead horse. The code you wanted is in, even though it has a name you don't like. Declare victory and move on. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On Wed, Sep 14, 2011 at 04:28:43PM -0700, Linda W wrote: I don't think you felt good about adding the option, but assuaged yourself with naming it something belligerent to users rather than descriptively and neutrally, (something I don't think appropriate in a user interface of the sort samba presents), which really -- did that make you feel 'ok' with adding the option? I didn't like re-enabling the feature as it re-introduces something that was widely regarded as a security hole, but recognised the need some sites have to enable it without patching the code. So naming it allow insecure widelinks is the best solution IMHO. That way people who are experimenting won't turn it on by accident and blame us (and yes, things like that *do* happen), but people who need it can do so happily. smb.conf is not a user interface, it's a configuration file. It's ok to have ugly options we don't recommend people use (as Volker said, you can set guest user = root if you really want to :-). If not, I didn't win. I feel that I failed to communicate with you. What we have here is a failure to communicate... :-) :-). (name that movie ! :-). I'm just fed up of discussing it. As you are one of the sites who vociferously requested this option back in the code (even to the extent of opening a bug and writing a patch) then let's just leave things as they are. I won't respond again on this topic, I have far too many other things to do. Jeremy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
Jeremy Allison wrote: I didn't like re-enabling the feature as it re-introduces something that was widely regarded as a security hole, People widely regarded the earth as flat and ... well sometime ago, as in some areas, as only 6000 years old... but recognised the need some sites have to enable it without patching the code. So naming it allow insecure widelinks is the best solution IMHO. That way people who are experimenting won't turn it on by accident and blame us (and yes, things like that *do* happen), but people who need it can do so happily. smb.conf is not a user interface, it's a configuration file. It's ok to have ugly options we don't recommend people use (as Volker said, you can set guest user = root if you really want to :-). If not, I didn't win. I feel that I failed to communicate with you. What we have here is a failure to communicate... :-) :-). (name that movie ! :-). -- *sigh*... I'm just fed up of discussing it. As you are one of the sites who vociferously requested this option back in the code (even to the extent of opening a bug and writing a patch) then let's just leave things as they are. I won't respond again on this topic, I have far too many other things to do. Oh...ok...well, ... um... thanks? I think? :-) (still wish I could help you deal with the idiots who think the world is flat...but I'm rarely if ever a good convincer of anything, even though what I say is often valid )...*sigh* I think my nick should have been Cassandra... Jeremy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On Wed, 2011-09-14 at 18:16 -0700, Linda Walsh wrote: Jeremy Allison wrote: I didn't like re-enabling the feature as it re-introduces something that was widely regarded as a security hole, People widely regarded the earth as flat and ... well sometime ago, as in some areas, as only 6000 years old... Did you know the greks (150 BC and earlier) knew perfectly well the earth was round and calculated things like the radius of the earth with decent accuracy for the means and things like the precession ? Sometimes people walk backward :) Simo. -- Simo Sorce Samba Team GPL Compliance Officer s...@samba.org Principal Software Engineer at Red Hat, Inc. s...@redhat.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] can't turn on wide links in homedir
Hi, I discovered that it's not possible to run 'wide links' and 'unix entensions' at the same time - there are source-level blockers in place that will disable wide links and write a log entry. I traced this to https://bugzilla.samba.org/show_bug.cgi?id=7104 and http://www.samba.org/samba/news/symlink_attack.html ... However, I run a private home LAN server that already exposes / (root) as a share to all authenticated (and unauthenticated) clients. Therefore this issue is irrelevant to me. Furthermore, I want to organize some per-user directories (~/public_html for www, ~/storage for large files, and so on) in a separate location, and I can't do this without wide links. The restriction kills off my usage scenario. When the abovementioned 'security' fixes were done, why weren't the developers content with just changing the defaults, and maybe printing a warning on startup? Why did they add this restriction without a way to turn it off? Should I file a bugreport to have these blockers removed? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On Mon, Sep 12, 2011 at 02:21:12PM +0200, umage wrote: Hi, I discovered that it's not possible to run 'wide links' and 'unix entensions' at the same time - there are source-level blockers in place that will disable wide links and write a log entry. I traced this to https://bugzilla.samba.org/show_bug.cgi?id=7104 and http://www.samba.org/samba/news/symlink_attack.html ... However, I run a private home LAN server that already exposes / (root) as a share to all authenticated (and unauthenticated) clients. Therefore this issue is irrelevant to me. Furthermore, I want to organize some per-user directories (~/public_html for www, ~/storage for large files, and so on) in a separate location, and I can't do this without wide links. The restriction kills off my usage scenario. Sorry about that. When the abovementioned 'security' fixes were done, why weren't the developers content with just changing the defaults, and maybe printing a warning on startup? Why did they add this restriction without a way to turn it off? Should I file a bugreport to have these blockers removed? We needed to make it impossible to configure Samba insecurely. At the time this was proposed, it was posted to the list and no dissenting voices were heard. Since then there have been a couple of people with the desire to configure Samba in a completely insecure mode like yourself, and there is a proposed patch to allow Samba to be run with this known security hole. As you may imagine, I'm not too keen on this but we may decide to add it in for people who desire insecure setups. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] can't turn on wide links in homedir
On 12. 9. 2011 19:21, Jeremy Allison wrote: We needed to make it impossible to configure Samba insecurely. At the time this was proposed, it was posted to the list and no dissenting voices were heard. Since then there have been a couple of people with the desire to configure Samba in a completely insecure mode like yourself, and there is a proposed patch to allow Samba to be run with this known security hole. As you may imagine, I'm not too keen on this but we may decide to add it in for people who desire insecure setups. Jeremy. Well, I'm not too sure about the real security implications of this thing. I could restrict the flag to homedirs only - and since homedirs are private to the person accessing them, unless the user symlinks / into his public_html dir it shouldn't be that bad... but I can understand that someone wishing to lock down a system would want to minimize risks (although then why does he give out local ssh accounts). For my personal use I dug through the sources a bit and disabled the stuff in widelinks_warning() and lp_widelinks(), so there's no particular time pressure from my side :) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba