[Pkg-samba-maint] Bug#612764: I see the point they are looking for, the solution seems too limiting

Steve Langasek vorlon at debian.org
Sun Feb 13 03:44:16 UTC 2011 

On Fri, Feb 11, 2011 at 03:51:44PM +0100, Santiago Garcia Mantinan wrote:
> Thanks for your replies, I've been reading the threads on this and I see the
> point they had, but the solution... I don't agree with that.

> On my case I have a powerpc tree exported via cifs to a powerpc thin
> client, the tree is a normal Debian powerpc full tree, and as such it has
> a lot of links to /etc, /usr and so on.  With this constraints I cannot
> continue to do this and doesn't resolve the problem, farther more, they
> hide it, a note on the config file would have been more efective.

I don't think the config file is the right place to document this.  It is
documented in the smb.conf manpage that these options are incompatible.

But I don't understand how disabling wide links breaks anything for you in
this case.  I guess your exported share is a chrooted powerpc tree, and
you're not exporting the actual root filesystem of the server, right?  So
then, a symlink pointing at /etc is pointing at the server's /etc, not the
client's /etc, and would give the wrong *contents*, wouldn't it?

In that case these wide links were already broken.  The behavior change has
just made the breakage more apparent.

> For what I see my options here are:

> 1-convert all absolute paths to relative
> 2-use something like squashfs and export the file containing the filesystem
> via cifs.

Why don't you use NFS, which is natively designed for use as a Unix
filesystem?

BTW, is the powerpc thin client running with Unix extensions enabled or not?
If it is, shouldn't these symlinks be passed through for resolution on the
*client* side, making the problem moot?

> I don't see any other options here and the constraints they have put still
> would allow wide links when unix extensions are off, thus if unwanted links
> are set on the real filesystems they will still be followed by samba.

The point is that if Unix extensions are enabled on the server, you can
trigger an attack by making two connections with a client to get access to
arbritrary files on the filesystem.  First you connect with unix extensions
enabled on the client and create a symlink to your target file; then you
connect with unix extensions /disabled/ to trick the server into reading you
the contents of that file.

If you don't have both of these options enabled at the same time, the only
wide links you can read are those already existing on the server.

HTH,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

More information about the Pkg-samba-maint mailing list