Posted by: Odzangba | January 2, 2011

Fix Samba Not Following Symlinks Error

I tried to use a symlink in a samba share this afternoon and got the following error:

(Screenshot: Samba Symlink Error)
I googled a little and found out the Samba developers updated Samba early last year to not follow symlinks by default. This was in response to an exploit posted on YouTube that allowed /etc/passwd to be downloaded from a remote server if these two parameters are set globally:

follow symlinks = yes
wide links = yes

Apparently, if a symlink to /etc/passwd is created in a share with these two options set, Linux clients will resolve it to the local machine but Windows clients will resolve it to the remote host… bad. So an attacker can use a Linux client to create a soft link to /etc/passwd (or some other sensitive system file) in a remote share and then use a Windows client to download a copy of the remote host’s passwd file… very bad.


The full details can be found here. The samba developers’ response was to simply turn these options off by default. This is very inconvenient because symlinks are very useful and simply turning them off is a sloppy way of dealing with a security hole this serious.

To re-enable the symlink functionality and still provide some defence against possible exploits, do not set these two options globally (i.e. in the [global] section of your /etc/samba/smb.conf file). Instead, only set them for individual shares AND ONLY IN CONJUNCTION WITH the parameter read only = yes. Finally, disable symlinks for all your shares with write access like so:

follow symlinks = no
wide links = no

This way, an attacker cannot create soft links in shares that follow symlinks (because of the read-only parameter), and a soft link to /etc/passwd created in a share with write permissions will not resolve to the remote host’s /etc/passwd file (because that share will not follow symlinks).

So far we have only fixed a security hole. To get symlinks to actually work, set this parameter in the [global] section of your /etc/samba/smb.conf file:

unix extensions = no

Here’s an example of how relevant parts of your /etc/samba/smb.conf file should look:

#======================= Global Settings =======================
[global]
unix extensions = no

#======================= Share Definitions =======================
#Allowing symlinks
[LINK]
path = /media/data/link/
read only = yes
follow symlinks = yes
wide links = yes

#Disallowing symlinks
[NOLINK]
path = /media/data/nolink/
read only = yes
follow symlinks = no
wide links = no
#==================================================================

Don’t forget to restart samba like so: sudo service smbd restart
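Checking a configuration by hand is easy to get wrong once there are more than two shares, since "read only", "writable" and "writeable" overlap and share sections inherit whatever [global] sets. The following audit script is an added example (not from this post and not part of Samba): it parses an smb.conf, works out the effective value of each relevant parameter per share, and reports the combinations this post warns about. The sample configurations are constructed inline; the compiled-in defaults it assumes (follow symlinks = yes, wide links = no, read only = yes, unix extensions = yes) are Samba's, and the check that wide links = yes is ignored while unix extensions is on reflects Samba 3.4.6 and later.

```python
"""Audit an smb.conf for the symlink exposure described in the post.

Added example; not from the post or the Samba project. Findings are
reported for the configuration *as written*, and cover:
  * [global] enabling both 'follow symlinks' and 'wide links' for all shares,
  * any share that is writable and also follows wide links, and
  * 'wide links = yes' while 'unix extensions' is still on, which Samba
    (3.4.6 and later) silently ignores, so such a link share would not work.
"""
import re

TRUE_VALUES = {"yes", "true", "1", "on"}
# Assumed compiled-in Samba defaults for parameters not set anywhere.
DEFAULTS = {"follow symlinks": True, "wide links": False,
            "read only": True, "unix extensions": True}

# Constructed sample: the post's two shares plus a misconfigured third one.
SAMPLE_CONF = """
[global]
unix extensions = no

[LINK]
path = /media/data/link/
read only = yes
follow symlinks = yes
wide links = yes

[NOLINK]
path = /media/data/nolink/
read only = yes
follow symlinks = no
wide links = no

[BAD]
path = /media/data/bad/
writable = yes
follow symlinks = yes
wide links = yes
"""

# Constructed sample: the globally enabled variant the post says not to use.
UNSAFE_GLOBAL_CONF = """
[global]
follow symlinks = yes
wide links = yes

[Data]
path = /srv/data
read only = no
"""


def is_true(value):
    """Samba accepts yes/true/1/on (case-insensitive) as boolean true."""
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are lowercased and
    whitespace-collapsed, which is how Samba matches them; '#' and ';' lines
    are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def read_only_setting(params):
    """'writable' / 'writeable' are inverse synonyms of 'read only'.
    Returns True/False if the section says anything about it, else None."""
    if "read only" in params:
        return is_true(params["read only"])
    for synonym in ("writable", "writeable"):
        if synonym in params:
            return not is_true(params[synonym])
    return None


def effective(param, share, global_params):
    """Share value wins, then [global], then the compiled-in default."""
    for scope in (share, global_params):
        if param == "read only":
            value = read_only_setting(scope)
            if value is not None:
                return value
        elif param in scope:
            return is_true(scope[param])
    return DEFAULTS[param]


def audit(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    sections = parse_smb_conf(text)
    global_params = next((v for k, v in sections.items() if k.lower() == "global"), {})
    shares = {k: v for k, v in sections.items() if k.lower() != "global"}
    findings = []
    if (effective("follow symlinks", {}, global_params)
            and effective("wide links", {}, global_params)):
        findings.append("[global]: follow symlinks and wide links enabled for every share")
    for name, share in shares.items():
        wide = effective("wide links", share, global_params)
        if wide and effective("unix extensions", {}, global_params):
            findings.append(f"[{name}]: wide links = yes is ignored while unix extensions is on")
        if (wide and effective("follow symlinks", share, global_params)
                and not effective("read only", share, global_params)):
            findings.append(f"[{name}]: writable share follows wide symlinks")
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, UNSAFE_GLOBAL_CONF):
        print("\n".join(audit(conf)) or "no findings")
```

Run it against a real file by reading /etc/samba/smb.conf into audit(); on the post's own configuration it reports nothing, while the constructed [BAD] share (writable, yet following wide links) is flagged.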


Responses

  1. If only I had seen this BEFORE I fixed it myself after 5 hours of trial and error! Your assumptions are all 100% correct and it works for me as well.
    I am replying to this so people will see this works and it is the correct fix.
    You might want to tag this with a few tags.

  2. Best explanation ever for this issue. Thank you very much!!!

  3. I thought you couldn’t create symlinks with unix extensions on ‘no’.
    So that way you can set the share to write without risking access to the whole disk. And I thought that’s why they don’t allow symlinks with unix extensions enabled.
