[EMAIL PROTECTED] wrote:

On Tue, Dec 31, 2002 at 10:36:33AM +0100, Simo Sorce wrote:

Jeremy, in case of unix extensions, shouldn't we pass the symlink as is and not resolve it?

Yes we do - if the client uses the UNIX extensions to readlink. The problem is a UNIX extension client could set a symlink on the server (which in a UNIX <--> UNIX scenario would never be resolved on the server, but read and resolved on the client's filesystem) and then do a normal SMB open call on it to escape the restrictions of exporting only a small part of the server's filesystem.

This is not always a problem. There might be cases where users must be
restricted to a specific shared directory, but in the case of UNIX
extensions, the users probably* have shell access to the server anyway.
Using samba they still have the same user restrictions as shell access
so there is no greater security risk if they access a file remotely than
if they do locally.
By making this an option, the default level of security is suitable for
a restricted server but can be relaxed if need be. The name of this
option could be changed and perhaps other semantics associated with it
(what exactly is a wide link?) but I don't think it creates any
security problems.
John.
*probably is a bit of a generalisation. In the case of sharing home directories it is possible. What other writable directories are going to be shared? Are symlinks required in those directories?
I think a proper unix-like file system should be able to return links.

It can. I just can't trust the client to do this.

Jeremy.
-- Information Technology Innovation Group Swinburne University. Melbourne, Australia http://uranus.it.swin.edu.au/~jn
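
The containment check that the restriction discussed in this thread implies, as an added example that is not part of the original messages and is not Samba's code: resolve the requested name on the server and refuse it when the result lies outside the exported directory. The names `open_within_share` and `demo` and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile


def open_within_share(share_root, client_path):
    """Open client_path only if its resolved target stays under share_root.

    Hypothetical helper modelling a "no wide links" policy.
    """
    root = os.path.realpath(share_root)
    # Join first, then resolve every symlink component on the server side.
    target = os.path.realpath(os.path.join(root, client_path.lstrip("/")))
    # commonpath avoids the "/srv/share" vs "/srv/share-old" prefix mistake.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{client_path!r} resolves outside the share")
    # O_NOFOLLOW rejects a final component swapped for a symlink after the
    # check; intermediate components can still be raced (check-then-open).
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    return os.fdopen(fd, "rb")


def demo():
    """Constructed tree: a share, a file outside it, and three symlinks."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.mkdir(share)
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside")
    with open(os.path.join(share, "readme.txt"), "w") as f:
        f.write("inside")
    os.symlink("readme.txt", os.path.join(share, "narrow"))   # stays inside
    os.symlink("../secret.txt", os.path.join(share, "wide"))  # leaves the share
    os.symlink(base, os.path.join(share, "updir"))            # directory link out
    results = {}
    for name in ("readme.txt", "narrow", "wide",
                 "updir/secret.txt", "../secret.txt"):
        try:
            with open_within_share(share, name) as fh:
                results[name] = fh.read().decode()
        except PermissionError:
            results[name] = "DENIED"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

A link whose target stays inside the exported tree is still served; only names that resolve outside it are refused.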