I tried to use a symlink in a samba share this afternoon and got the following error:

I googled a little and found out the Samba developers updated Samba early last year to not follow symlinks by default. This was in response to an exploit posted on YouTube that allowed /etc/passwd to be downloaded from a remote server if these two parameters are set globally:
follow symlinks = yes
wide links = yes
Apparently, if a symlink to /etc/passwd is created in a share with these two options set, Linux clients will resolve it to the local machine but Windows clients will resolve it to the remote host… bad. So an attacker can use a Linux client to create a soft link to /etc/passwd (or some other sensitive system file) in a remote share and use a Windows client to download a copy of the remote host’s passwd file… very bad.

The full details can be found here. The samba developers’ response was to simply turn these options off by default. This is very inconvenient because symlinks are very useful and simply turning them off is a sloppy way of dealing with a security hole this serious.
To re-enable the symlink functionality and still provide some defence against possible exploits, do not set these two options globally (i.e. in the [global] section of your /etc/samba/smb.conf file). Instead, only set them for individual shares AND ONLY IN CONJUNCTION WITH the parameter read only = yes. Finally, disable symlinks for all your shares with write access like so:
follow symlinks = no
wide links = no
This way, an attacker cannot create soft links in shares that follow symlinks (because of the read-only parameter) and a soft link to /etc/passwd created in a share with write permissions will not resolve to the remote host’s /etc/passwd file (because the share will not follow symlinks).
So far we have only fixed a security hole. To get symlinks to actually work, set this parameter in the [global] section of your /etc/samba/smb.conf file:
unix extensions = no
Here’s an example of how relevant parts of your /etc/samba/smb.conf file should look:
#======================= Global Settings =======================
[global]
unix extensions = no
#======================= Share Definitions =======================
#Allowing symlinks
[LINK]
path = /media/data/link/
read only = yes
follow symlinks = yes
wide links = yes
#Disallowing symlinks
[NOLINK]
path = /media/data/nolink/
read only = yes
follow symlinks = no
wide links = no
#==================================================================
Don’t forget to restart samba like so: sudo service smbd restart
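To check an existing smb.conf against the rule described above (link options never in [global], and per share only together with read only = yes), here is a small audit script. It is an added example, not part of the original post or of Samba; the function names and the [UPLOAD] share in the sample are made up for illustration.

```python
import re

LINK_OPTS = ("follow symlinks", "wide links")
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(text):
    """Apply the post's rule: link options only per share, and only with read only = yes."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        enabled = [o for o in LINK_OPTS if params.get(o) in TRUE]
        if not enabled:
            continue
        if name == "global":
            findings.append((name, "link options set globally: " + ", ".join(enabled)))
        elif params.get("read only") not in TRUE:
            # Assumption: require an explicit read only = yes in the share itself.
            findings.append((name, "link options without read only = yes: " + ", ".join(enabled)))
    return findings

# Constructed sample, not a real server's configuration.
SAMPLE = """
[global]
unix extensions = no
[LINK]
path = /media/data/link/
read only = yes
follow symlinks = yes
wide links = yes
[UPLOAD]
path = /media/data/upload/
read only = no
wide links = yes
"""

if __name__ == "__main__":
    for share, problem in audit(SAMPLE):
        print(f"[{share}] {problem}")
```

The script only looks at explicitly written settings; it does not follow include files or recognise inverted synonyms of read only such as writable, so a share using those will be flagged for manual review.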



If I only had seen this BEFORE I fixed it myself after a 5 hour trial and error! Your assumptions are all correct 100% and it works for me as well,
I am replying to this so people will see this works and it is the correct fix.
You might want to tag this with a few tags.
By: jobst on November 30, 2011
at 2:55 am
Best explanation ever for this issue. Thank you very much!!!
By: syam on April 16, 2012
at 4:20 am
I thought you couldn’t create symlinks with unix extensions on ‘no’.
So that way you can set the share to write without risking access to the whole disk. And I thought that’s why they don’t allow symlinks with unix extensions enabled.
By: Sam on April 24, 2013
at 5:37 pm