Lars Müller wrote:
On Thu, Aug 25, 2011 at 03:56:29AM -0700, Linda Walsh wrote:
Lars Müller wrote:
Try to be exact! 3.5.7 did not get this fix. A later 3.5.x version might have gotten it
--- That fix went in in 3.5.4.
The supposed security fix that went into samba 3.5.4 disables widelinks by default whenever samba comes up.
Lars Müller wrote:
On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7.
That link says all versions from **Feb 2010** forward, will have wide
To enable it, you have to turn off "unix_extensions", which means many other things won't work. Furthermore, the allow widelinks parameter was moved from a global parameter to a per-share parameter -- though unix_extensions must remain off for the entire server. So shared directories between my multiple user-accounts began to fail.

1) /home/Domain/Documents/user = users doc dir
2) /home/Domain/User/Documents     (1) XP client docs point to docs
   /home/Domain/User.V2/Documents  (2) Win7 client docs point to docs
   /home/User/Documents            (3) unix user's documents point to docs
---
then
   Pictures -> Documents/Pictures
   Desktop -> Documents/Desktop
   {Contacts, Downloads Favorites, Links, Music} -> Documents/<xxxxx>
----
User id's in all 3 env's shared files... all that broke when the patch to disable wide links + unix extensions went in.

My patch was submitted only in the past few months and has yet to go into any version other than on my own machine. It re-allows compatibility if you also give: 'client managed wide links = true' which makes it clear that clients can manage wide links when unix-extensions are turned on -- just as they could if they were logged in locally to the unix server...which is no big deal if you allow that access, but for shops that don't allow users to login to their servers, was a big deal.

Whatever... Wide links don't work, NOW, by default, unless you disable unix-extensions -- but then you can't create links from the windows server nor recognize their existence along with several other penalties...

The URL you point to: links disabled. Version 3.5.2 was immediately released to fix this. Then came 3.5.3 -- which also contained the fix for the above symlink 'attack' and by June 2010, 3.5.4, also firmly had it in place. It is still in 3.5.5 -> 5.11, and 3.6.0

My patch wasn't submitted until last May -- it has yet to go into any version, because 3.6.0 was in final release stages and they did not want to put in any last minute changes.
3.5.11 came out 2 months later, but I had not specifically asked it be included in 3.5.x soon enough for it to make the cut off for 3.5.11. It MAY be in 3.5.12 and MAY be in 3.6.1 -- I don't know... but until I know my patch is in, I can't say.

As it stands... all samba products released after Feb 2010 (from 3.5.2 on), have the widelinks disabled due to the threat of the 'symlink attack'...
If "that fix" is https://bugzilla.samba.org/attachment.cgi?id=6575 it did not go into 3.5.4. But yes, some others, many fixes did. So I'm sure the fix you had in mind might have got merged. But not this one. Also widelinks_warning() of 3.6.0 and 3.5.7 as in openSUSE 11.4 do not differ in this regard. Checked in git and from the original tarballs.
---- Why would they? The "symlink-fear-fix" bug went into 3.5.2, and has been in in both 3.5.7 and 3.6. There was no change planned for 3.6. My patch has neither been accepted nor announced. So it doesn't figure into any of the announcements up to this point.

Are you getting the picture yet? The page you point at with the security announcement, dated Feb 2010, has a 'current news box' in the right column, mentioning 3.6, on the right side. Is that confusing you? As the 'current product news' has nothing to do with the archived security report from Feb 2010, that you are viewing on that page.

-l
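Added example, not part of the original message and not Samba's own code: a small Python check of the interaction discussed in this thread, reporting for each share whether a requested "wide links" setting is switched off, ignored because unix extensions are on, or active. Assumptions: the smb.conf spellings `unix extensions` and `wide links`, the defaults `unix extensions = yes` and `wide links = no`, hypothetical function names, and a constructed sample configuration; the 'client managed wide links' option from the unmerged patch is not modelled.

```python
TRUE = {"yes", "true", "1", "on"}  # boolean spellings treated as true


def parse_smb_conf(text):
    """Return {section: {param: value}}; param names lose case and spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.split()).lower()] = value.strip().lower()
    return sections


def wide_links_status(text):
    """Map each share to 'off', 'ignored' or 'active' for wide links."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # Assumed defaults: unix extensions = yes, wide links = no.
    unix_ext = glob.get("unixextensions", "yes") in TRUE
    share_default = glob.get("widelinks", "no")
    status = {}
    for share, params in conf.items():
        if share == "global":
            continue
        wanted = params.get("widelinks", share_default) in TRUE
        if not wanted:
            status[share] = "off"
        elif unix_ext:
            status[share] = "ignored"   # requested, but unix extensions win
        else:
            status[share] = "active"    # symlinks may lead outside the share
    return status


# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; unix extensions left at its default
[homes]
   follow symlinks = yes
   wide links = yes
[srv]
   path = /srv
"""

if __name__ == "__main__":
    for share, state in wide_links_status(SAMPLE).items():
        print(f"{share}: wide links {state}")
```

A share reported as "ignored" matches the symptom in the original question; a share reported as "active" is one to review, since clients can then reach paths outside the exported tree through symlinks.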