[tech] Allowing wide symlinks in Samba shares
James Arcus
jimbo at ucc.asn.au
Mon Aug 19 23:28:08 AWST 2019

Hi all,

I was just tinkering around tonight trying to allow for sharing the same
Firefox & Thunderbird profile between Windows and Linux on the clubroom
machines. My plan of attack was to create a symlink from the relevant
locations in AppData on the Windows profiles that link back to the
.mozilla/.thunderbird folders in my /away.

Samba on molmol would not follow my symlinks because they lead outside
the share (so-called "wide links") and wide links are disabled when
Samba Unix extensions are enabled. The intention of this is to prevent a
vulnerability where a Unix client creates a symlink which is then
evaluated by the Samba server. See
https://www.samba.org/samba/news/symlink_attack.html for more.

Disabling Unix extensions would allow my plan to work (as I verified),
but does not necessarily fix the vulnerability. Given that UCC users can
edit the contents of their Windows profiles freely from our user
servers, I believe the same problem would exist there.

For that reason, I've left wide links explicitly disabled with a
comment. I'm not sure if my above assumption holds, so I'd appreciate
any knowledge people have. Either that, or more investigation is needed.
For example, if the "exploit" only allows reading files outside of the
share that users would be able to access by logging directly in to
molmol, that presents little issue. But if it allows any sort of writing
or bypassing ACLs, then that's obviously more serious.

Additionally, if there's another way to go about what I'm trying to
achieve, then hearing that would be great too.

Cheers,
James [MPT]
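
An added example, not part of the original post and not UCC's own tooling: a small audit that lists every symlink under a share root whose resolved target falls outside the share, i.e. the "wide links" Samba refuses to follow here. The function names and the temporary directory layout (share, away/.mozilla) are constructed for illustration.

```python
import os
import tempfile


def find_wide_links(share_root):
    """Return sorted (link path relative to share, resolved target) pairs for
    symlinks under share_root that resolve to a location outside the share."""
    root = os.path.realpath(share_root)
    wide = []
    # followlinks=False: report symlinked directories but never descend into
    # them, so the walk itself cannot leave the share.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves link chains and ".." components.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                wide.append((os.path.relpath(path, root), target))
    return sorted(wide)


def build_demo(base):
    """Constructed sample layout: a share plus a directory outside it."""
    share = os.path.join(base, "share")
    outside = os.path.join(base, "away", ".mozilla")
    os.makedirs(os.path.join(share, "AppData", "Roaming"))
    os.makedirs(outside)
    open(os.path.join(share, "notes.txt"), "w").close()
    # Wide link: absolute target outside the share.
    os.symlink(outside, os.path.join(share, "AppData", "Roaming", "Mozilla"))
    # Not wide: target stays inside the share.
    os.symlink(os.path.join(share, "notes.txt"),
               os.path.join(share, "notes-link"))
    # Wide link: relative target that climbs out with "..".
    os.symlink("../away", os.path.join(share, "up"))
    return share


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_wide_links(build_demo(base)):
            print(f"{link} -> {target}")
```

Run against a real share root, the output shows exactly which paths would become reachable through the share if wide links were enabled.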