My server has root:root owned directories with symlinks to user:user owned files (both base locations are shared via samba). With 3.4.6 I could open the files via the symlink without issue. After a straightforward upgrade to 3.5.2 this is no longer the case. I can still open the files directly; however, double clicking the symlink reports that I don't have permission (and I cannot see the permissions). Nothing is reported via samba's logs since Windows directly denies the attempt to open the file due to permissions. I used cygwin to view file permissions: the link is rw-r----- and the real directory via the alternate path is rw-r--r--.

Root cause(?): Symlinks just don't work if they link outside the share path. They work within the share path. 'wide links' and 'follow symlinks' do nothing to change this.

Reproducible: Always

Steps to Reproduce:

Portage 2.1.8.3 (default/linux/amd64/10.0, gcc-4.4.3, glibc-2.11-r1, 2.6.31-xen-r11 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-2.6.31-xen-r11-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 08 Apr 2010 12:15:01 +0000
app-shells/bash: 4.1_p5
dev-lang/python: 2.6.5-r1, 3.1.2-r1
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.65
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1
sys-devel/gcc: 4.4.3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.33
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests buildpkg distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://lug.mtu.edu/gentoo/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi amd64 bash-completion bzip2 cli cracklib dbus fam hal hvm iconv ithreads libnotify logrotate mmx multilib ncurses nls nptl nptlonly ntp pam pcf pcre perl pmu python readline session sse sse2 ssl ssse3 startup-notification svg tcpd unicode xvmc zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en_US en"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

=================================================================
Package Settings
=================================================================
net-fs/samba-3.5.2 was built with the following:
USE="client doc fam (multilib) netapi pam readline server swat syslog -acl -addns -ads -aio -avahi -caps -cluster -cups -debug -examples -ldap -ldb -quota -smbclient -smbsharemodes -winbind"

smb.conf:

[global]
workgroup = HOME
server string = Server
username map = /etc/samba/smbusers
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
host msdfs = No
hosts allow = 192.168.1.0/24, 127.0.0.1, 0.0.0.0/0
hide files = /folder.jpg/Thumbs.db/
#wide links = yes
#follow symlinks = yes

[Movies]
path = /files/Movies
valid users = usera, userb, userc
read list = usera, userb, userc
hide files = /folder.jpg/VTS*ifo/*.BUP/*.VOB/Thumbs.db/
read only = Yes
Does it work with the samba config option wide links = yes? See bug 303767 in this case for more info.
(In reply to comment #1) See the Root cause line; I tried that and 'follow symlinks' separately and together.
Ok, apologies, but I was wrong on the version I upgraded from. I had 3.4.5 (client and server separate, both installed) and in the process of going back to 3.4.5 I hit 3.4.6 (unified) and that is "broke" too.
emerge --info from the working 3.4.5 build of server and client.

Portage 2.1.8.3 (default/linux/amd64/10.0, gcc-4.4.3, glibc-2.11-r1, 2.6.31-xen-r11 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-2.6.31-xen-r11-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 08 Apr 2010 12:15:01 +0000
app-shells/bash: 4.1_p5
dev-lang/python: 2.6.5-r1, 3.1.2-r1
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.65
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1
sys-devel/gcc: 4.4.3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.33
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests buildpkg distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://lug.mtu.edu/gentoo/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi amd64 bash-completion bzip2 cli cracklib dbus fam hal hvm iconv ithreads libnotify logrotate mmx multilib ncurses nls nptl nptlonly ntp pam pcf pcre perl pmu python readline session sse sse2 ssl ssse3 startup-notification svg tcpd unicode xvmc zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en_US en"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

=================================================================
Package Settings
=================================================================
net-fs/samba-server-3.4.5 was built with the following:
USE="fam (multilib) pam swat syslog -acl -ads -aio -avahi -caps -cluster -cups -debug -doc -examples -ldap -quota -samba4 -winbind -zeroconf"

net-fs/samba-client-3.4.5 was built with the following:
USE="(multilib) syslog -ads -aio -avahi -caps -cluster -cups -debug -ldap -minimal -samba4 -winbind -zeroconf"
Here is a note I found referring to the security update:

This update was a security update, with the following behavior change:

* SECURITY UPDATE: arbitrary file disclosure via wide links
  - debian/patches/security-CVE-2010-0926.patch: disable wide links when UNIX extensions are enabled in source3/include/proto.h, source3/param/loadparm.c, source3/smbd/service.c, source3/smbd/trans2.c, source3/smbd/vfs.c, docs/htmldocs/manpages/smb.conf.5.html and docs/manpages/smb.conf.5.
  - CVE-2010-0926

* WARNING: This changes the default samba behaviour. For security reasons, it is no longer possible to use wide links and UNIX extensions at the same time. After applying this security update, wide links will be disabled automatically as UNIX extensions are turned on by default. If wide links are required, you may re-enable them by adding "unix extensions = no" to the [global] section of the /etc/samba/smb.conf configuration file.
Indeed that fixed it, thanks very much. Perhaps a patch to the documentation? At least as represented via SWAT it's not as obvious what's happening as would have helped me fix it without the bug (and no amount of Google searching got me the answer either).

So, in smb.conf / Wide Links we have:

    Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.

I would suggest a change to:

    Due to this problem, this parameter is automatically disabled by default (with a message in the log file) due to the unix extensions option being on. You must explicitly disable unix extensions if you want this setting to take effect.

My thinking when I read it (and no, I stupidly did not follow into the "unix extensions" documentation originally) was that extensions by default would be off.
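The interaction the two comments above turn on (a commented-out or defaulted 'wide links', a 'unix extensions' default of yes, and the CVE-2010-0926 change that makes the latter override the former) is easy to misread in a live smb.conf, as the reporter found. The following checker is an added example written for this page; it is not Samba's own code or tooling (Samba's testparm does not report this combination). It parses the reporter's smb.conf as posted above (embedded here as constructed sample input, with the commented-out lines left in) and a second, constructed config with the fix from the changelog note applied, then reports whether wide links are actually in effect for a share. Its version assumptions are taken from this thread: wide links defaulted to yes before 3.5 and to no from 3.5 on, and the unix-extensions override appeared between 3.4.5 (worked) and 3.4.6 (did not). The version thresholds and the function names are the example's own.

```python
"""Check whether 'wide links' is effective for a share in an smb.conf.

Added example for this bug thread, not Samba code. Assumptions (from the
thread, labelled here): 'unix extensions' is a [global] parameter that
defaults to yes; 'wide links' is a per-share parameter (a [global] value
acts as the share default) that defaulted to yes before Samba 3.5 and to
no from 3.5; from 3.4.6 on, Samba ignores 'wide links = yes' whenever
unix extensions are on (CVE-2010-0926).
"""
import re

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}

# Constructed sample: the reporter's smb.conf as posted in this bug.
REPORTED_CONF = """\
[global]
workgroup = HOME
server string = Server
hosts allow = 192.168.1.0/24, 127.0.0.1, 0.0.0.0/0
hide files = /folder.jpg/Thumbs.db/
#wide links = yes
#follow symlinks = yes

[Movies]
path = /files/Movies
valid users = usera, userb, userc
read only = Yes
"""

# Constructed sample: the same share with the fix from the changelog note.
FIXED_CONF = """\
[global]
workgroup = HOME
unix extensions = no
wide links = yes

[Movies]
path = /files/Movies
read only = Yes
"""


def parse_smb_conf(text):
    """Return {section: {param: value}} for smb.conf-style text.

    Section and parameter names are lower-cased and internal whitespace is
    collapsed, so 'Wide Links' and 'wide  links' compare equal.  Lines
    starting with '#' or ';' are comments, so the reporter's
    '#wide links = yes' is (correctly) not treated as a setting.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = " ".join(m.group(1).lower().split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value, default):
    """Interpret a Samba boolean, falling back to the documented default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError("not a Samba boolean: %r" % value)


def effective_wide_links(conf, share, version=(3, 5, 2)):
    """Report configured vs. effective 'wide links' for one share.

    'version' is a tuple such as (3, 4, 5); the thresholds below are the
    example's reading of this thread, not an authoritative changelog.
    """
    g = conf.get("global", {})
    unix_ext = as_bool(g.get("unix extensions"), True)
    default_wl = version < (3, 5)            # default flipped to no in 3.5
    share_default = as_bool(g.get("wide links"), default_wl)
    configured = as_bool(conf.get(share.lower(), {}).get("wide links"),
                         share_default)
    overrides = version >= (3, 4, 6)         # 3.4.5 worked, 3.4.6 did not
    return {
        "configured": configured,
        "unix extensions": unix_ext,
        "effective": configured and not (overrides and unix_ext),
    }


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_CONF), ("fixed", FIXED_CONF)):
        conf = parse_smb_conf(text)
        for ver in ((3, 4, 5), (3, 4, 6), (3, 5, 2)):
            print(label, ver, effective_wide_links(conf, "Movies", ver))
```

Run as a script it prints one line per config and version; the reported config shows wide links configured but not effective on 3.4.6 and neither configured nor effective on 3.5.2, which is exactly the "works on 3.4.5, broken on 3.4.6 and 3.5.2" pattern in the thread, while the fixed config shows them effective everywhere. The same parser also makes a second issue in the posted smb.conf visible: the hosts allow list ends with 0.0.0.0/0, which matches every address and makes the two entries before it redundant.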
The following was added to the samba-3.5.3 ebuild:

    pkg_postinst() {
        elog "The default value of 'wide links' has been changed to 'no' in samba 3.5"
        elog "to avoid an insecure default configuration"
        elog "('wide links = yes' and 'unix extensions = yes'). For more details,"
        elog "please see http://www.samba.org/samba/news/symlink_attack.html ."
        elog ""
        elog "An EXPERIMENTAL implementation of the SMB2 protocol has been added."
        elog "SMB2 can be enabled by setting 'max protocol = smb2'. SMB2 is a new "
        elog "implementation of the SMB protocol used by Windows Vista and higher"
        elog ""
        elog "For further information make sure to read the release notes at"
        elog "http://samba.org/samba/history/${P}.html and "
        elog "http://samba.org/samba/history/${PN}-3.5.0.html"
    }

Sorry for the inconvenience.