I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas? tnx jk -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 08/22/2011 11:33 AM, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
tnx jk
Do you have AppArmor running? Run "update profile wizard" and then try following the links, and then go back to "update profile wizard" (you should keep it running) and allow the complaints.
-- Michael S. Dunsavage
Michael S. Dunsavage wrote:
On 08/22/2011 11:33 AM, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
tnx jk
Do you have AppArmor running?
Run "update profile wizard" and then try following the links, and then go back to "update profile wizard" (you should keep it running) and allow the complaints.
No, I've turned off AppArmor, as it prevented the Samba server from running.
On Monday 22 of August 2011 11:33:51 James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
Try
    wide links = yes
    unix extensions = no
in /etc/samba/smb.conf.
tnx jk Regards, Peter
auxsvr wrote:
On Monday 22 of August 2011 11:33:51 James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas? Try
    wide links = yes
    unix extensions = no
in /etc/samba/smb.conf.
Tried that and no difference.
On 08/22/2011 01:10 PM, James Knott wrote:
auxsvr wrote:
On Monday 22 of August 2011 11:33:51 James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas? Try
    wide links = yes
    unix extensions = no
in /etc/samba/smb.conf.
Tried that and no difference.
Is there anything in /var/log/samba/log.smbd when you try to connect?
-- Michael S. Dunsavage
Michael S. Dunsavage wrote:
On 08/22/2011 01:10 PM, James Knott wrote:
auxsvr wrote:
On Monday 22 of August 2011 11:33:51 James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas? Try
    wide links = yes
    unix extensions = no
in /etc/samba/smb.conf.
Tried that and no difference.
Is there anything in /var/log/samba/log.smbd when you try to connect?
No, there is nothing in that log when I get that error.
On Monday 22 of August 2011 14:24:03 James Knott wrote:
Michael S. Dunsavage wrote:
On 08/22/2011 01:10 PM, James Knott wrote:
Is there anything in /var/log/samba/log.smbd when you try to connect? No, there is nothing in that log when I get that error.
Did you check /var/log/audit/audit.log for apparmor permission errors? Regards, Peter
auxsvr wrote:
On Monday 22 of August 2011 14:24:03 James Knott wrote:
Michael S. Dunsavage wrote:
On 08/22/2011 01:10 PM, James Knott wrote:
Is there anything in /var/log/samba/log.smbd when you try to connect?
No, there is nothing in that log when I get that error.
Did you check /var/log/audit/audit.log for apparmor permission errors?
Regards, Peter
I have AppArmor turned off. Also, it's only with Samba that I have the problem. If I log in or use WinSCP, I have no problem following the symlink.
On 08/22/2011 10:33 AM, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
tnx jk
James,
Sounds like you might have a permission issue. I take it you did the following:
common storage:
    /srv/some/dir
then linked:
    ln -s /srv/some/dir /home/user/udir
so the user accesses the file at /srv/some/dir through the link in /home/user/udir by way of their default [homes] share.
Samba does a good job with permission implementation. Two thoughts come to mind:
(1) what does your smb.conf home share definition look like?
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
should be fine...
(2) what are the directory permissions on /srv/some/dir? All 'dir' permissions for /srv/some/dir must at least be world r+x (yes 'x', i.e. 0755) -- or -- must be group r+x (0750) if user is a member of the group owning /srv/some/dir. This means that '/srv', '/srv/some' and '/srv/some/dir' must all be at least r+x in the octet that provides user read permission (either world, group, or user). If the dir is just 'r', then samba will not allow browse or descent into the dir. Must be 'r+x'. 'x' controls descent into dirs (or at least it used to :)
HTH
-- David C. Rankin, J.D.,P.E.
David C. Rankin wrote:
On 08/22/2011 10:33 AM, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
tnx jk
James,
Sounds like you might have a permission issue. I take it you did the following:
common storage:
/srv/some/dir
then linked:
ln -s /srv/some/dir /home/user/udir
so the user accesses the file at /srv/some/dir through the link in /home/user/udir by way of their default [homes] share.
Samba does a good job with permission implementation. Two thoughts come to mind: (1) what does your smb.conf home share definition look like?
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
Here's what it is:
    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
should be fine...
(2) what are the directory permissions on /srv/some/dir? All 'dir' permissions for /srv/some/dir must at least be world r+x (yes 'x', i.e. 0755) -- or -- must be group r+x (0750) if user is a member of the group owning /srv/some/dir. This means that '/srv', '/srv/some' and '/srv/some/dir' must all be at least r+x in the octet that provides user read permission (either world, group, or user). If the dir is just 'r', then samba will not allow browse or descent into the dir. Must be 'r+x'. 'x' controls descent into dirs (or at least it used to :)
HTH
jknott@acserver:~> ls -l /srv
total 4506668
drwxrwxr-x 3 root users 4096 Aug 19 15:34 Common
drwxrwx--- 2 root financial 4096 Aug 18 08:51 Financial
drwxr-xr-x 4 root root 4096 Aug 12 13:24 ftp
drwx------ 2 root root 16384 Aug 11 17:18 lost+found
-rw-r--r-- 1 root users 4614782976 Aug 11 19:14 openSUSE-11.4-DVD-x86_64.iso
drwxrwxr-x 2 root users 4096 Aug 18 08:51 Projects
drwxr-x--- 4 root tftp 4096 Aug 12 13:24 tftpboot
drwxr-xr-x 6 root root 4096 Aug 11 17:54 www
And /srv is drwxr-xr-x
On 08/22/2011 11:46 AM, David C. Rankin wrote:
(2) what are the directory permissions on /srv/some/dir? All 'dir' permissions for /srv/some/dir must at least be world r+x (yes 'x', i.e. 0755) -- or -- must be group r+x (0750) if user is a member of the group owning /srv/some/dir. This means that '/srv', '/srv/some' and '/srv/some/dir' must all be at least r+x in the octet that provides user read permission (either world, group, or user). If the dir is just 'r', then samba will not allow browse or descent into the dir. Must be 'r+x'. 'x' controls descent into dirs (or at least it used to :)
HTH
One more thought -- I don't know the impact of this..., but are the common storage dirs under your 11.4 /srv dir and the /home/$USER/dir file on the same partition?? I doubt it. Generally /srv is under / while /home is ..well.. under /home. For some reason, I have this nagging thought that you can't softlink dirs across partition boundaries... Off chance this may be part of the issue? I could be completely wrong here, but I thought I would pass it along...
-- David C. Rankin, J.D.,P.E.
David C. Rankin wrote:
On 08/22/2011 11:46 AM, David C. Rankin wrote:
(2) what are the directory permissions on /srv/some/dir? All 'dir' permissions for /srv/some/dir must at least be world r+x (yes 'x', i.e. 0755) -- or -- must be group r+x (0750) if user is a member of the group owning /srv/some/dir. This means that '/srv', '/srv/some' and '/srv/some/dir' must all be at least r+x in the octet that provides user read permission (either world, group, or user). If the dir is just 'r', then samba will not allow browse or descent into the dir. Must be 'r+x'. 'x' controls descent into dirs (or at least it used to :)
HTH
One more thought -- I don't know the impact of this..., but are the common storage dirs under your 11.4 /srv dir and the /home/$USER/dir file on the same partition?? I doubt it. Generally /srv is under / while /home is ..well.. under /home. For some reason, I have this nagging thought that you can't softlink dirs across partition boundaries... Off chance this may be part of the issue? I could be completely wrong here, but I thought I would pass it along...
/home and /srv are separate partitions. However, it's hard links that won't work between separate partitions. I also have no problem following the symlink with other than Samba. There are a couple of Samba settings for following symlinks, but they don't seem to work. In fact, it's supposed to work by default and you use those settings to stop following the symlinks.
On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7.
If it still doesn't work please follow http://en.openSUSE.org/Samba in particular the section labeled "Samba bug reporting and advanced debugging information". Please ensure to post the bug ID here for reference too.
Question to Lars: What happens if no bug report gets filed and we continue to discuss the issue here?
Well, then you continue here and very likely nobody will care any further.
2nd question to Lars: What can we do better beyond bug reporting if we like to contribute to the SUSE Samba stuff?
File submit requests to network:samba:TESTING or network:samba:STABLE - which one you take is up to your good sense.
Lars
-- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7.
---- No...THEY backported the fix into the 3.5 (I know for sure, as I got hit by the fix twice), and into earlier supported versions (AFAIK, but not certain).
The first hit was when it happened, -- patched my code, as it wasn't a real bug in my setup.
2nd, time -- when I upgraded from 11.2->11.4, I got the new version 3.5.7, which had the broken functionality again.
Rather than just patching my code, I submitted a fix for this against the samba base tree: https://bugzilla.samba.org/show_bug.cgi?id=8229 I also asked that it be included (it applies w/an offset, into the 3.5 series, but was too late to catch 3.5.11).
Nothing else has happened on it.
If this patch is of interest to you, you might ask when they expect to include it?
OR , it's in an attachment to the bug... and you can apply the patch... (or If that doesn't work I can email private or post the patch here...it's fairly short and undoes the damage that that ill-considered 'fix' did to wide-link usability; even if it was 'scary' to some people).
Linda Walsh wrote:
Lars Müller wrote:
On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7.
No...THEY backported the fix into the 3.5 (I know for sure, as I got hit by the fix twice), and into earlier supported versions (AFAIK, but not certain).
The first hit was when it happened, -- patched my code, as it wasn't a real bug in my setup.
2nd, time -- when I upgraded from 11.2->11.4, I got the new version 3.5.7, which had the broken functionality again.
Rather than just patching my code, I submitted a fix for this against the samba base tree: https://bugzilla.samba.org/show_bug.cgi?id=8229 I also asked that it be included (it applies w/an offset, into the 3.5 series, but was too late to catch 3.5.11).
Nothing else has happened on it.
If this patch is of interest to you, you might ask when they expect to include it?
OR , it's in an attachment to the bug... and you can apply the patch... (or If that doesn't work I can email private or post the patch here...it's fairly short and undoes the damage that that ill-considered 'fix' did to wide-link usability; even if it was 'scary' to some people).
The installed version is samba-3.5.7-1.17.1.x86_64. While I can work around this, it would be nice to have it work properly. As I mentioned, it's a server at work. Some of the employees will be accessing it while on the road via WinSCP, with links from their home directories to some common areas. WinSCP has no problem with the links. However, when in the office, they'll be using regular LAN shares instead of WinSCP. This is where it breaks, when Samba won't follow the links. I have also shared the /srv partition, so they can get in that way, but then it's inconsistent with the way they work when outside. They're not all computer geniuses, so this point may trip up some of them.
James Knott wrote:
The installed version is samba-3.5.7-1.17.1.x86_64. While I can work around this, it would be nice to have it work properly. As I mentioned, it's a server at work. Some of the employees will be accessing it while on the road via WinSCP, with links from their home directories to some common areas. WinSCP has no problem with the links. However, when in the office, they'll be using regular LAN shares instead of WinSCP. This is where it breaks, when Samba won't follow the links. I have also shared the /srv partition, so they can get in that way, but then it's inconsistent with the way they work when outside. They're not all computer geniuses, so this point may trip up some of them.
I agree with you, which is why I complained, when it came out, and ran with a patch as a "short term measure (*giggle...*ROTFLMAO*)..." (sorry)... too stereotypical for words. As I got bitten again (and people thought I was using 'bleeding edge'?!) ... thus the patch submit... figured it was better to push it upstream to the source (I hoped).
The impact of the "security bug" that was supposedly a problem -- is that Users could create links that pointed outside of their "shares" -- just like "local users can create symlinks" out of their directory. They still could not access any files that they didn't have permission to access, BUT, since some people considered that what was 'shared' was only to be governed by share definitions, they invalidate wide links when unix extensions are on (which is the default).
Another change: wide-links used to be a Global parameter. Now it is a /share parameter, but unix_extensions is a global and defaults to 'on'. If you try to use wide links and don't explicitly have unix_extensions==false in the global section the wide-links call will silently fail unless you have your log messages turned up high enough and look in the log. *sigh*
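A way to check an smb.conf for the silent failure described in the message above. This is an example added to the archive, not code from any poster or from the Samba project; it models only the lp_widelinks() rule from the 3.5.7 loadparm.c excerpt quoted elsewhere in this thread, and the two configurations are constructed (the [srv] share and the workgroup value are assumptions).

```python
import re

# Boolean spellings handled by this example; anything else falls back to the default.
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}


def _norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _as_bool(value, default):
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf body."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][_norm(key)] = value.strip()
    return sections


def wide_links_status(conf_text):
    """Map each share to 'off', 'active' or 'silently disabled'.

    'unix extensions' is read from [global] only (default: yes). 'wide links'
    is per share, falling back to a [global] default (default: no). While unix
    extensions are on, a requested wide link is never honoured.
    """
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    unix_ext = _as_bool(glob.get("unixextensions"), default=True)
    status = {}
    for share, params in conf.items():
        if share == "global":
            continue
        requested = _as_bool(params.get("widelinks", glob.get("widelinks")), default=False)
        if not requested:
            status[share] = "off"
        elif unix_ext:
            status[share] = "silently disabled"
        else:
            status[share] = "active"
    return status


# Constructed sample: both settings placed in the share. 'unix extensions' is a
# global parameter, so the copy under [homes] has no effect.
MISPLACED = """
[global]
    workgroup = WORKGROUP
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
    Wide Links = yes
    unix extensions = no
[srv]
    path = /srv
"""

# Constructed sample: 'unix extensions = no' moved to [global].
FIXED = """
[global]
    workgroup = WORKGROUP
    unix extensions = no
[homes]
    comment = Home Directories
    read only = No
    wide links = yes
[srv]
    path = /srv
"""

if __name__ == "__main__":
    for label, text in (("misplaced", MISPLACED), ("fixed", FIXED)):
        print(label, wide_links_status(text))
```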
On Tue, Aug 23, 2011 at 06:31:15PM -0700, Linda Walsh wrote:
Lars Müller wrote:
On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote:
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7.
No...THEY backported the fix into the 3.5 (I know for sure, as I got hit by the fix twice), and into earlier supported versions (AFAIK, but not certain).
Try to be exact! 3.5.7 did not get this fix. A later 3.5.x version might have gotten it.
The first hit was when it happened, -- patched my code, as it wasn't a real bug in my setup.
2nd, time -- when I upgraded from 11.2->11.4, I got the new version 3.5.7, which had the broken functionality again.
This is not broken. Read our samba.org announcement. The one I quoted. Read it, read it twice.
Rather than just patching my code, I submitted a fix for this against the samba base tree: https://bugzilla.samba.org/show_bug.cgi?id=8229 I also asked that it be included (it applies w/an offset, into the 3.5 series, but was too late to catch 3.5.11).
tara. 3.5.11 and openSUSE 11.4 had? Any further question? No? Then walk on there is ice cream in the fridge and drinks are on the balcony. ;) Me loves people who mess up the kitchen and don't clean up afterwards ... Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
This is not broken. Read our samba.org announcement. The one I quoted. Read it, read it twice.
I can understand blocking links to another computer, but what's the difference between linking to a directory on another partition on the same computer vs to the same directory in the same partition? If I had created one huge / partition and not separate /home and /srv, we wouldn't be having this discussion. And why is this only a concern with Samba and not other methods?
On Aug 24, 2011, at 12:16 , James Knott wrote:
This is not broken. Read our samba.org announcement. The one I quoted. Read it, read it twice.
I can understand blocking links to another computer, but what's the difference between linking to a directory on another partition on the same computer vs to the same directory in the same partition? If I had created one huge / partition and not separate /home and /srv, we wouldn't be having this discussion. And why is this only a concern with Samba and not other methods?
From the announcement: because you can create symlinks pointing anywhere, and Windows clients will resolve these on the server, thereby escaping the limits set by the share. What "other methods" do you refer to? With NFS, for example, symlinks will be resolved on the client, so this cannot be used to escape the export tree.
A. -- Ansgar Esztermann DV-Systemadministration Max-Planck-Institut für biophysikalische Chemie, Abteilung 105
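The point in the reply above is that the server resolves the link, so a link stored inside a share can lead outside it. The following audit lists such links under a share root; it is an example added to the archive, not code from the thread or from Samba, and the directory layout it builds is a constructed stand-in for /home/user and /srv/Common.

```python
import os
import tempfile


def find_escaping_symlinks(share_root):
    """Return sorted (link path relative to the share, resolved target) pairs
    for every symlink under share_root whose target lies outside the share."""
    root = os.path.realpath(share_root)
    escaping = []
    # followlinks=False: symlinked directories are listed but not descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative targets and chains of links; a dangling
            # link still yields the path it points at, so it is judged as well.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                escaping.append((os.path.relpath(path, root), target))
    return sorted(escaping)


def build_constructed_tree(base):
    """Constructed layout: a home share with links into a common area."""
    home = os.path.join(base, "home", "user")
    common = os.path.join(base, "srv", "Common")
    os.makedirs(os.path.join(home, "docs"))
    os.makedirs(common)
    # Absolute link out of the share, like the udir link discussed in the thread.
    os.symlink(common, os.path.join(home, "udir"))
    # Link that stays inside the share: must not be reported.
    os.symlink(os.path.join(home, "docs"), os.path.join(home, "docs-link"))
    # Relative link that climbs out of the share.
    os.symlink("../../../srv/Common", os.path.join(home, "docs", "rel"))
    return home, common


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        home, _ = build_constructed_tree(base)
        for link, target in find_escaping_symlinks(home):
            print(f"{link} -> {target}")
```

Run against a real share path, the output is the set of links that depend on wide links being honoured, which is also the set to review before enabling them.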
Esztermann, Ansgar wrote:
From the announcement: because you can create symlinks pointing anywhere, and Windows clients will resolve these on the server, thereby escaping the limits set by the share. What "other methods" do you refer to? With NFS, for example, symlinks will be resolved on the client, so this cannot be used to escape the export tree.
I am also providing the employees with WinSCP clients, so they can access files on the server when away from the office. It follows the symlinks without problem. WinSCP connects them to their home directories. I have created symlinks in /etc/skel, so that when I set up a user, they automatically have symlinks to the common directories on /srv. With Samba, I have to share both home directories and /srv and they then have to use the separate /srv share to access the common directories, instead of following the link from their home directory.
Lars Müller wrote:
Try to be exact!
3.5.7 did not get this fix. A later 3.5.x version might have gotten it.
--- That fix went in in 3.5.4. It's been in since maybe April/May of 2010. (over a year ago).
This is not broken. Read 'our' [sic] Who is "our"??? -- you pointed at a Feb 10,2010 announcement that said all future versions would be fixed. Um...this is Aug 2010...18 months later...
samba.org announcement. The one I quoted. Read it, read it twice
--- Yeah, and you need to read the date it came out. Feb 5, 2010. That's over 18 months ago.... Don't think it is in 3.5.7, before blowing me off and making yourself out to be a fool, did you bother checking sources? Neh...it's just linda...I can blow her off any day, what does she know?
Ishtar:law> ll /suse
lrwxrwxrwx 1 8 Jun 19 11:20 /suse -> suse11.4/
Ishtar:law> cd /suse/src/
Ishtar:/suse/src> rpm -ihv samba-3.5.7-1.17.1.src.rpm
   1:samba ########################################### [100%]
Ishtar:/suse/src> cd /home/packages/
Ishtar:packages> rpmbuild -bp specs/samba.spec
...
/var/tmp/rpm-tmp.G8JGwe#55> /usr/bin/pbzip2 -dc /usr/src/packages/SOURCES/samba-3.5.7/patches.tar.bz2
drwxr-xr-x lmuelle/users 0 2011-02-28 08:14 patches/
-rw-r--r-- lmuelle/users 2109 2011-02-28 08:14 patches/series
drwxr-xr-x lmuelle/users 0 2011-02-28 08:14 patches/samba.org/
[[[Gee wonder who lmuelle is?]]]
Ishtar:packages> cd build/samba-3.5.7/source3/param
Ishtar:packages/../source3/param> tail -30 loadparm.c
void widelinks_warning(int snum)
{
        if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
                DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
                        "These parameters are incompatible. "
                        "Wide links will be disabled for this share.\n",
                        lp_servicename(snum) ));
        }
}

bool lp_widelinks(int snum)
{
        /* wide links is always incompatible with unix extensions */
        if (lp_unix_extensions()) {
                return false;
        }

        return lp_widelinks_internal(snum);
}
----------------------------------------------
Sure looks like Samba 3.5.7 has them disabled to me....maybe you ought to check out the code before putting foot in mouth?
I ran into this bug "fix" [sic]. So I set about creating patch to push into samba so next time Suse fed me a distro, it wouldn't have a broken samba...at least not in this way... Was my own damn fault for not doing it a year ago, but ... I'd hoped someone else would do it and for some reason... since I have a hard enough time tracking all this stuff and keeping my own systems running, fighting what are often uphill political battles with people who tell me I don't know what I'm talking about -- until I shove the source under their nose -- then they usually blackball me in some other way...saying "I'm dangerous"...whatever..
Yeah, I uncover, report really argue against incompatible feature changes... and sometimes submit patches, but when, in some cases, the project owner has decided that incompatibility is a good thing, I rarely have a chance.
I d/l'ed source from samba site, 1st against 3.5.9, then patched against 3.6.0, now am trying to get back running in 3.5.10, as 3.6.0 hosed my user db. THAT BUG 'fix' [sic] was at the root of my unending samba problems since I upgraded to 11.4! YES IT IS BROKEN in 3.5.7 you destroyer of kitchens! (who then blames such messes on others! ... lame!)
It's been fixed in ALL the code since 3.5.4.
Rather than just patching my code, I submitted a fix for this against the samba base tree: https://bugzilla.samba.org/show_bug.cgi?id=8229 I also asked that it be included (it applies w/an offset, into the 3.5 series, but was too late to catch 3.5.11).
3.5.11 and openSUSE 11.4 had?
3.5.7...and when was the bug fixed? 3.5.4, and what version was out on samba site by time I ran into 3.5.7 having widelinks broken? 3.5.9, what were they releasing -- 3.6.0. What did I try to do when 3.6 was broken -- go back to 3.5 -- which was already at 3.5.10 -- what did I try to do too late before 3.5.11 went out? Get the patch into the 3.5 series, as I figured it might be useful for those not wanting to move to the new and unstable 3.6 series. I'd like to see it back into the 3.4 series as well, but I'm less likely to pursue that as I don't use it and wouldn't be able to give it a fair testing.
Any further question? No? Then walk on there is ice cream in the fridge and drinks are on the balcony. ;)
Me loves people who mess up the kitchen and don't clean up afterwards ...
---- Me l0ves samba experts who claim they know things -- and don't even bother to check sources before spouting off about how other people are wrong. I used to do that ... about... 15-20 years ago...realized it made me look sorta stupid, ya know? THIS is WHY I said alot of things broke in 11.4.... you guys have no clue what you are packaging...it's changing so rapidly...and it isn't backward compat -- the new BASH4.1 isn't backwards compat with Bash3.0-4.0, in how it handles errors with "-e" and calculations. It decided to follow the new POSIX standard which applies -e to all statements, not just "simple statements" as the old standard did -- which means if you use calc statements in bash like "let a=0" or ((a=0)) and have "set -e turned on -- your script will be forceably terminated. I used to use exit -1/return-1 for a non-determinant or internal error code, leaving 1-xxx for the normal errno values, (-1, -2, start counting down from 255 -- 254, 253...etc)... But in bash 4.1 -- it checks for the validity of parameters on the "return statement" (which takes no parameters, BTW, no more than exit does). So 'return', as of 4.1 won't take "-1", though exit still will. A whole bunch of little changes that resulting several scripts going sideways once Suse 11.4 was installed. There were lots of cases like this. I used to use ((xxxx)) in various places for computation -- NO place did I check if it's end value was '0'...those all die now if I run with "-ue" -- which I often do as a 'sanity check'... The new posix which bash didn't conform to in 11.3, (not as fully, anyway), isn't compatible with the POSIX of the previous 10-15 years -- thus any portable scripts written over that time may be broken under the new standard. Anyway -- that's just another example of a prog that broke in 11.4. And like samba, I bet no one at suse even knew about it. 
(yeah, I'm being a bitch, but I think I'm allowed to be tired of being told I don't know what I'm talking about when it is clear, I often do -- and those accusing me are living in code from 2 years ago)... (ok...it's also way late...and way past my daily expiration date....)...
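The `set -e` interaction with arithmetic commands described in the message above, as an added example that is not part of the thread: an arithmetic command returns status 1 when its value is 0, so under errexit a plain assignment of zero stops the script unless it is guarded. The helper names `errexit_status` and `errexit_demo` are made up for this sketch, and it assumes a `bash` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): arithmetic commands under bash -e.
# ((expr)) and `let expr` return status 1 when expr evaluates to 0, so with
# errexit on, the script ends at that line unless the status is consumed.

# errexit_status SNIPPET
# Runs SNIPPET in a fresh `bash -e` and prints that shell's exit status.
errexit_status() {
    rc=0
    bash -ec "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# errexit_demo
# Prints one line per snippet: risky forms first, then forms that survive.
errexit_demo() {
    while IFS= read -r snippet; do
        printf '%-26s -> exit %s\n' "$snippet" "$(errexit_status "$snippet")"
    done <<'EOF'
((a=0))
let a=0
i=0; ((i++))
i=0; ((++i))
((a=0)) || true
a=$((0))
if ((a=0)); then :; fi
EOF
}

errexit_demo
```

The first three snippets end the shell with status 1; the others run to completion because the zero result is either avoided, consumed by `||` or `if`, or produced by an arithmetic expansion inside an ordinary assignment.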
On Thu, Aug 25, 2011 at 03:56:29AM -0700, Linda Walsh wrote:
Lars Müller wrote:
Try to be exact!
3.5.7 did not get this fix. A later 3.5.x version might have gotten it.
--- That fix went in in 3.5.4.
If "that fix" is https://bugzilla.samba.org/attachment.cgi?id=6575 it did not go into 3.5.4. But yes, some others, many fixes did. So I'm sure the fix you had in mind might have got merged. But not this one. Also widelinks_warning() of 3.6.0 and 3.5.7 as in openSUSE 11.4 do not differ in this regard. Checked in git and from the original tar balls.
Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
On Thu, Aug 25, 2011 at 03:56:29AM -0700, Linda Walsh wrote:
Lars Müller wrote:
Try to be exact! 3.5.7 did not get this fix. A later 3.5.x version might have gotten it.
--- That fix went in in 3.5.4.
The supposed security fix that went into samba 3.5.4 disables widelinks by default whenever samba comes up.
Lars Müller wrote: On Mon, Aug 22, 2011 at 11:33:51AM -0400, James Knott wrote
I've recently set up a server running openSUSE 11.4. I have set up some common file areas in the /srv partition, which I link to from user directories. If I use WinSCP to access the user accounts, I can follow the symlinks to /srv. However, if I use Samba, I get an error that files on /srv are not accessible and it might be due to permissions. I have tried the "follow symlinks" and "wide links" options in smb.conf, but still no luck. Any ideas?
You know http://www.samba.org/samba/news/symlink_attack.html ?
BUT (yes, by intention all uppercase) this is only valid for Samba post-3.6.0pre2. As you state to use oS 11.4 I expect you're using the version included with the release, which was 3.5.7. That link says all versions from **Feb 2010** forward, will have wide
To enable it, you have to turn off "unix_extensions", which means many other things won't work. Furthermore, the allow widelinks parameter was moved from a global parameter to a per-share parameter -- though unix_extensions must remain off for the entire server. So shared directories between my multiple user-accounts began to fail.

1) /home/Domain/Documents/user = users doc dir
2) /home/Domain/User/Documents (1) XP client docs point to docs
   /home/Domain/User.V2/Documents (2) Win7 client docs point to docs
   /home/User/Documents (3) unix user's documents point to docs
--- then
   Pictures -> Documents/Pictures
   Desktop -> Documents/Desktop
   {Contacts, Downloads Favorites, Links, Music} -> Documents/<xxxxx>
----
User id's in all 3 env's shared files... all that broke when the patch to disable wide links + unix extensions went in.

My patch was submitted only in the past few months and has yet to go into any version other than on my own machine. It re-allows compatibility if you also give: 'client managed wide links = true' which makes it clear that clients can manage wide links when unix-extensions are turned on -- just as they could if they were logged in locally to the unix server...which is no big deal if you allow that access, but for shops that don't allow users to login to their servers, was a big deal. Whatever...

Wide links don't work, NOW, by default, unless you disable unix-extensions -- but then you can't create links from the windows server nor recognize their existence along with several other penalties...

The URL you point to: links disabled. Version 3.5.2 was immediately released to fix this. Then came 3.5.3 -- which also contained the fix for the above symlink 'attack' and by June 2010, 3.5.4, also firmly had it in place. It is still in 3.5.5 -> 5.11, and 3.6.0 My patch wasn't submitted until last May -- it has yet to go into any version, because 3.6.0 was in final release stages and they did not want to put in any last minute changes.

3.5.11 came out 2 months later, but I had not specifically asked it be included in 3.5.x soon enough for it to make the cut off for 3.5.11. It MAY be in 3.5.12 and MAY be in 3.6.1 -- I don't know... but until I know my patch is in, I can't say. As it stands... all samba products released after Feb 2010 (from 3.5.2 on), have the widelinks disabled due to the threat of the 'symlink attack'...
If "that fix" is https://bugzilla.samba.org/attachment.cgi?id=6575 it did not go into 3.5.4. But yes, some others, many fixes did. So I'm sure the fix you had in mind might have got merged. But not this one. Also widelinks_warning() of 3.6.0 and 3.5.7 as in openSUSE 11.4 do not differ in this regard. Checked in git and from the original tar balls.
---- Why would they? The "symlink-fear-fix" bug went into 3.5.2, and has been in in both 3.5.7 and 3.6. There was no change planned for 3.6. My patch has neither been accepted nor announced. So it doesn't figure into any of the announcements up to this point. Are you getting the picture yet? The page you point at with the security announcement, dated Feb 2010, has a 'current news box' in the right column, mentioning 3.6, on the right side. Is that confusing you? As the 'current product news' has nothing to do with the archived security report from Feb 2010, that you are viewing on that page. -l
For what it's worth, I noted in the comment with the patch's initial submission, that it was originally tested with suse 3.5.7 that comes with opensuse!... (hey, fixing the version I was using was the first place to try the patch...)... So applying it to a suse 3.5.7-xxxx for a compat fix, wouldn't be difficult. Note, though I said I wasn't adamant about backporting, I am pushing more to at least backport it into the 3.5 series. -linda

I'm not adamant about backporting the fix, but it might be a good idea to backport this to the time that the regression was introduced (i.e. client's managing widelinks (symlinks on the server) could be a security risk, and was thus disabled). At the very least I'd like to see it early in the 3.6 series if though with 360 in rc2, I understand the "process discomfort" associated with putting it in there -- if I was a project manager, I'd say no as well, but as a user, I can still want it! ;-) The impact on the code is trivial. To minimize the security risk, I'd only announce the feature or new param, in the context of a 'bugfix' to allow previous functionality. That way in considering Andrew's comments about some users wanting to try out anything 'new' w/o reading the documentation, such problems might be ameliorated. Tested under 3.5.7 (opensuse) as well as 3.6.0-rc2(tarball).
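As an added example (not part of the thread and not Samba code): the messages above turn on whether smbd follows symlinks that leave the share, which is what "wide links" governs. The function below, whose name `wide_links` and output format are assumptions made here, lists the symlinks under a share root that resolve outside it, so an admin can see which links (such as the ones into /srv in the original question) depend on that setting; it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: audit a share root for symlinks that resolve outside it.

# wide_links ROOT
# Prints one tab-separated line per symlink that is not contained in ROOT:
#   wide    <link>  <resolved target>   target exists but lies outside ROOT
#   broken  <link>  -                   target does not exist
# Links whose resolved target stays inside ROOT are not printed.
# Returns 2 if ROOT is not a directory.
wide_links() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    prefix=${root%/}            # "" when ROOT is /, so the match below still works
    find "$root" -type l -exec sh -c '
        prefix=$1; shift
        for link in "$@"; do
            if [ ! -e "$link" ]; then
                printf "broken\t%s\t-\n" "$link"
                continue
            fi
            target=$(readlink -f -- "$link")
            # Compare with a trailing slash so /srv/share2 is not
            # mistaken for something inside /srv/share.
            case "$target/" in
                "$prefix"/*) ;;
                *) printf "wide\t%s\t%s\n" "$link" "$target" ;;
            esac
        done
    ' sh "$prefix" {} +
}

# Stand-alone use: sh wide_links.sh /path/to/share
if [ $# -gt 0 ]; then
    wide_links "$1"
fi
```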