Wednesday, August 31, 2016

Permit samba to follow symbolic links to an unshared mount

I'm posting this because if you google for the answer you end up with out-of-date answers and the wrong commands.

What I wanted to do was simply make a symbolic link from my samba shared directory /storage to /home.
server:/storage# ls -l /storage/
lrwxrwxrwx  1 root    root     5 Mar 13 14:14 home -> /home
drwxr-x---  4 michael users 4096 Mar  9 00:33 music
drwxr-xr-x  5 michael users 4096 Mar  9 00:33 photos

The Solution

Samba won't let users follow a symbolic link if the link points to a place outside of (i.e. not under) the share defined in smb.conf. This kind of symbolic link is insecure because a user could set up a symbolic link pointing anywhere in the file system and gain access to it through the share. Yep, that's pretty appalling if you have users who you don't know or trust. But this is my home network, so user level security is not a concern for me.

The smb.conf man page explains it like so:
Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.
The solution didn't even require google; I should have just read the manual to start off with. Here are the amendments to the smb.conf global section:
[global]
        # default
        follow symlinks = yes
        # allow symlinks
        wide links = yes
        # Must be off for wide links
        unix extensions = no
After restarting samba, no problem.

Samba Security

A couple of tips relating to security. I use passwords on my accounts and disable the root user. Also, I make sure that if someone does gain access to the home network (somehow getting our WPA PSK), then only the permitted (authenticated) users can mount the Samba share.

My eth1 is excluded from the bind interfaces because eth1 is attached to a cable modem, effectively connecting the machine directly to the rest of the world. I don't want the samba server to make itself available to the Internet.

Note: Setting up user passwords and authentication is not described below.

[global]
        invalid users = root
        interfaces = eth0 eth2 lo
        bind interfaces only = yes

...

[storage]
        comment = Storage
        path = /storage
        valid users = usera userb
        guest ok = No
        read only = No
        browseable = Yes
        available = Yes
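The settings above lend themselves to an automated check. What follows is an added example, not the post's own configuration or a Samba tool: a small Python audit that reads an smb.conf and reports the wide links / unix extensions interaction the man page describes, a missing bind interfaces only, and any share with guest access. SAMPLE_SMB_CONF is constructed from this post's settings, and the finding codes are my own.

```python
# Constructed sample: the post's [global] additions plus its [storage] share.
SAMPLE_SMB_CONF = """\
[global]
        bind interfaces only = yes
        wide links = yes
        unix extensions = no
[storage]
        path = /storage
        valid users = usera userb
        guest ok = No
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def is_yes(value):
    """Samba accepts several spellings of a boolean."""
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return (code, message) findings; defaults follow smb.conf(5)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    wide = is_yes(g.get("wide links", "no"))          # default: no
    unix_ext = is_yes(g.get("unix extensions", "yes"))  # default: yes
    findings = []
    if wide and unix_ext:
        findings.append(("WIDE_LINKS_IGNORED", "wide links = yes is disabled by samba while unix extensions = yes"))
    elif wide:
        findings.append(("WIDE_LINKS_ACTIVE", "share users can follow symlinks to any path on the server"))
    if not is_yes(g.get("bind interfaces only", "no")):
        findings.append(("BIND_ALL_INTERFACES", "smbd listens on every interface, Internet-facing ones included"))
    for name, share in conf.items():
        if name != "global" and is_yes(share.get("guest ok", "no")):
            findings.append(("GUEST_OK", f"[{name}] permits unauthenticated access"))
    return findings
```

Against a live server, call audit_smb_conf(open("/etc/samba/smb.conf").read()); on the post's own settings the only finding is WIDE_LINKS_ACTIVE, which is the trade-off the author accepts for a home network.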

3 comments:

  2. Thank you for the explanation. I too have an internal home setup with wide open resources. This worked perfectly.
