<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<title></title>
</head>
<body>
Samba <span class="misspelled">unix</span> extensions with <span class="misspelled">symlinks</span> ...<span></span>
<p>i would also like to be able to follow <span class="misspelled">symlinks</span> when using a samba share with <span class="misspelled">unix</span> extensions ...<br />
<span class="misspelled">http</span>://bugs.<span class="misspelled">debian</span>.org/<span class="misspelled">cgi</span>-bin/<span class="misspelled">bugreport</span>.<span class="misspelled">cgi</span>?bug=551203<span></span></p>
having this working ( at least without the <span class="misspelled">unix</span> extensions ) is even why i<br />
( and several others ... simply search in some <span class="misspelled">VDR</span> forums and others about "follow <span class="misspelled">symlinks</span>"/"wide links" )<span><br />
made the choice to use samba but not <span class="misspelled">nfs</span> ....</span> <br />
<p id="__paragraph__1266771499000">now someone found a problem allowing unauthorized <span class="misspelled">acces</span> by creating a <span class="misspelled">symlink</span> with <span class="misspelled">unix</span> extensions<span><br />
and later using it without them to get it followed:</span><span><span class="misspelled"><br />
http</span>://<span class="misspelled">www</span>.samba.org/samba/news/symlink_attack.<span class="misspelled">html</span></span><span><br />
( possibly the real reason why they are still disabled with <span class="misspelled">unix</span> extensions )<br />
</span></p>
<p id="__paragraph__1266771499000"><span>there is even a way to stop this attack while allowing <span class="misspelled">symlinks</span> to be followed even with <span class="misspelled">unix</span> extensions ...</span><span><br />
</span></p>
<p id="__paragraph__1266771499000"><span>now speaking much to simple ...</span></p>
<p id="__paragraph__1266771499000"><span>if the check to where a <span class="misspelled">symlink</span> points wold be called when ( before ! ) creating the link<br />
and disallowing the creation when the link points outside the scope already visible to the client</span> <span><br />
the attack wold be impossible ...</span><span><br />
</span></p>
<p id="__paragraph__1266771499000"><span>with this done you cold allow following <span class="misspelled">symlinks</span> <span class="misspelled">whith</span> <span class="misspelled">unix</span> extensions = yes without any risk ...</span><span><br />
( possibly by adding a value '<span class="misspelled">unix</span>' to the follow <span class="misspelled">symlinks</span> / wide links parameter ??? )</span><span><br />
</span></p>
<p id="__paragraph__1266771499000"><span>however only links outside the scope of the share should be followed because otherwise applications</span><span><br />
creating links inside the scope wold be unable to recognize and remove the link later ....</span><span></span></p>
<br />
Ralph<span></span>
<p id="__paragraph__1266771816000"><span><br />
</span></p>
<br />
<span></span>
</body>
</html>