Bug#866823: [Pkg-samba-maint] Bug#866823: samba: does not follow symbolic links
On Mon, 2020-11-23 at 10:12 +0100, Mathieu Parent wrote: > > The (insecure) workaround mentioned in this bug report, that of: > > > > # For symlink hack > > wide links = yes > > allow insecure wide links = yes > > > > > > makes it work again. > > Do you have path=/ ? > No. What I have is below. rrs@chutzpah:/var/log/samba$ grep path /etc/samba/smb.conf ; logon path = \\%N\profiles\%U # logon path = \\%N\%U\profile path = /media/rrs/EXDATA path = /media/rrs/4TBWD path = /media/rrs/4TBWD path = /home/rrs/Trans/ ; path = /home/samba/netlogon # users profiles (see the "logon path" option above) # The path below should be writable by all users so that their ; path = /home/samba/profiles path = /var/spool/samba path = /var/lib/samba/printers 15:40 ♒♒♒ ☺ > Also, from the 4.13 WHATSNEW.txt: > > > wide links functionality > > > > > > For this release, the code implementing the insecure "wide links = > > yes" > > functionality has been moved out of the core smbd code and into a > > separate > > VFS module, vfs_widelinks. Currently this vfs module is implicitly > > loaded > > by smbd as the last but one module before vfs_default if "wide > > links = yes" > > is enabled on the share (note, the existing restrictions on > > enabling wide > > links around the SMB1 "unix extensions" and the "allow insecure > > wide links" > > parameters are still in force). The implicit loading was done to > > allow > > existing users of "wide links = yes" to keep this functionality > > without > > having to make a change to existing working smb.conf files. > > > > Please note that the Samba developers recommend changing any Samba > > installations that currently use "wide links = yes" to use bind > > mounts > > as soon as possible, as "wide links = yes" is an inherently > > insecure > > configuration which we would like to remove from Samba. Moving the > > feature into a VFS module allows this to be done in a cleaner way > > in future. > > > > A future release to be determined will remove this implicit > > linkage, > > causing administrators who need this functionality to have to > > explicitly > > add the vfs_widelinks module into the "vfs objects =" parameter > > lists. > > The release notes will be updated to note this change when it > > occurs. > > Can't you use bind mounts? I only enabled " wide links = yes" today, when I noticed that the upgrade has cause my shares to be inaccessible, for the symlink folders. I would rather prefer to not use "wide links = yes" at all and instead just be able to use symlinks feature, with say, something like the below which had been working until the last upgrade. [EXDATA] comment = EXDATA browseable = yes follow symlinks = yes read only = no create mask = 0770 directory mask = 0770 path = /media/rrs/EXDATA -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System signature.asc Description: This is a digitally signed message part
Bug#866823: [Pkg-samba-maint] Bug#866823: samba: does not follow symbolic links
Hi, Le lun. 23 nov. 2020 à 09:48, Ritesh Raj Sarraf a écrit : > > Package: samba > Version: 2:4.13.2+dfsg-3 > Followup-For: Bug #866823 > > So "follow symlinks" feature seems to have been broken in the latest > upload of samba, version 2:4.13.2+dfsg-3. > > The current version in testing, 2:4.12.5+dfsg-3, did not have this > problem and I was happiliy using the "follow symlinks" feature so far. > > Given the dependency on python3, which now transitioned to 3.9, I can't > downgrade to the previous version. > > The (insecure) workaround mentioned in this bug report, that of: > > # For symlink hack >wide links = yes >allow insecure wide links = yes > > > makes it work again. Do you have path=/ ? Also, from the 4.13 WHATSNEW.txt: > wide links functionality > > > For this release, the code implementing the insecure "wide links = yes" > functionality has been moved out of the core smbd code and into a separate > VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded > by smbd as the last but one module before vfs_default if "wide links = yes" > is enabled on the share (note, the existing restrictions on enabling wide > links around the SMB1 "unix extensions" and the "allow insecure wide links" > parameters are still in force). The implicit loading was done to allow > existing users of "wide links = yes" to keep this functionality without > having to make a change to existing working smb.conf files. > > Please note that the Samba developers recommend changing any Samba > installations that currently use "wide links = yes" to use bind mounts > as soon as possible, as "wide links = yes" is an inherently insecure > configuration which we would like to remove from Samba. Moving the > feature into a VFS module allows this to be done in a cleaner way > in future. > > A future release to be determined will remove this implicit linkage, > causing administrators who need this functionality to have to explicitly > add the vfs_widelinks module into the "vfs objects =" parameter lists. > The release notes will be updated to note this change when it occurs. Can't you use bind mounts? Regards Mathieu Parent
