The Samba-Bugzilla – Attachment 6575 Details for
Bug 8229
git patch attached against 3.6.0-rc2 to fix 'widelinks' regression intro'd in 3.2
[patch]
git patch as text file
clientmanagedwidelinks.patch (text/plain), 7.14 KB, created by
Linda Walsh
on 2011-06-13 20:51:24 UTC
>From f97bacf54db1b8d81e0f8f6372f7c6ee628d60ea Mon Sep 17 00:00:00 2001 >From: L.A. Walsh <samba@tlinx.org> >Date: Sun, 12 Jun 2011 17:02:40 -0700 >Subject: [PATCH 1/2] client-managed-widelinks patch+doc changes > >--- > .../smbdotconf/misc/clientmanagedwidelinks.xml | 34 ++++++++++++++++++++ > 1 files changed, 34 insertions(+), 0 deletions(-) > create mode 100644 docs-xml/smbdotconf/misc/clientmanagedwidelinks.xml > >diff --git a/docs-xml/smbdotconf/misc/clientmanagedwidelinks.xml b/docs-xml/smbdotconf/misc/clientmanagedwidelinks.xml >new file mode 100644 >index 0000000..655a1e7 >--- /dev/null >+++ b/docs-xml/smbdotconf/misc/clientmanagedwidelinks.xml 
>@@ -0,0 +1,34 @@ >+<samba:parameter name="client managed wide links" >+ context="G" >+ type="boolean" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ This parameter can allow users on client systems to manage >+ the <smbconfoption name="wide links"/> created on a server. In >+ order to do this, <smbconfoption name="unix extensions"/> must also >+ be "on". Normally, <smbconfoption name="wide links"/> and >+ <smbconfoption name="unix extensions"/> may not be "on" or "true" >+ at the same time, but this parameter specifically allows it. >+ >+ This parameter creates similar security issues as allowing >+ the same userid to have a local account on the server, where, they >+ could manage/create symlinks that point to objects (files, >+ directories, sockets, ... any unix file type) on disparate parts of >+ the system, both on shared and unshared parts of the system. Unix >+ users have had this ability 'forever', it's controlled by normal user >+ file permissions. A symlink to /etc/shadow still won't be readable >+ (let alone writable) by 'everyone', but only by 'root' and it's >+ owning group. >+ >+ If your users have local accounts on the server, this >+ parameter should provide no decrease in security. Users won't be >+ able to create links in shares that they don't already have access >+ to running as their user. If they have server admin priviledges >+ or 'Domain Admin' priviledges, they they may have write access to >+ any share as permitted by those priviledges. >+ </para> >+</description> >+ >+<value type="default">no</value> >+</samba:parameter> >-- >1.7.3.4 > > >From af3cef511d6aaa9dc812ec09ac5b4141ad78fd07 Mon Sep 17 00:00:00 2001 
>From: L.A. Walsh <samba@tlinx.org> >Date: Sun, 12 Jun 2011 17:11:57 -0700 >Subject: [PATCH 2/2] client-managed-widelinks patch+doc changes2 > >--- > docs-xml/smbdotconf/misc/widelinks.xml | 15 ++++++++------- > docs-xml/smbdotconf/protocol/unixextensions.xml | 4 +++- > source3/param/loadparm.c | 22 +++++++++++++++++----- > 3 files changed, 28 insertions(+), 13 deletions(-) > >diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml >index 1c30bb7..63a1a60 100644 >--- a/docs-xml/smbdotconf/misc/widelinks.xml >+++ b/docs-xml/smbdotconf/misc/widelinks.xml >@@ -5,17 +5,18 @@ > <description> > <para>This parameter controls whether or not links > in the UNIX file system may be followed by the server. Links >- that point to areas within the directory tree exported by the >- server are always allowed; this parameter controls access only >- to areas that are outside the directory tree being exported.</para> >+ that point to areas within the the same share are always allowed; >+ this parameter controls access only >+ to areas that are outside the specific Share.</para> > > <para>Note: Turning this parameter on when UNIX extensions are enabled > will allow UNIX clients to create symbolic links on the share that >- can point to files or directories outside restricted path exported >- by the share definition. This can cause access to areas outside of >- the share. Due to this problem, this parameter will be automatically >+ can point to files or directories outside restricted path(s) exported >+ by the share definitions. This can cause access to areas outside of >+ the share. Due to this problem, this parameter is automatically > disabled (with a message in the log file) if the >- <smbconfoption name="unix extensions"/> option is on. >+ <smbconfoption name="unix extensions"/> option is on unless >+ <smbconfoption name="client managed wide links"/> is also on. > </para> > </description> 
> >diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml >index d816648..4475c30 100644 >--- a/docs-xml/smbdotconf/protocol/unixextensions.xml >+++ b/docs-xml/smbdotconf/protocol/unixextensions.xml >@@ -11,7 +11,9 @@ > These extensions require a similarly enabled client, and are of > no current use to Windows clients.</para> > <para> >- Note if this parameter is turned on, the <smbconfoption name="wide links"/> >+ Note if this parameter is turned on, and the >+ <smbconfoption name="client managed wide links"> is not explicitly >+ turned on, the <smbconfoption name="wide links"/> > parameter will automatically be disabled. > </para> > </description> >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 77b67f1..5dbd3b1 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -351,6 +351,7 @@ struct global { > bool bHostMSDfs; > bool bUseMmap; > bool bHostnameLookups; >+ bool bClientManagedWidelinks; > bool bUnixExtensions; > bool bDisableNetbios; > char * szDedicatedKeytabFile; >@@ -961,6 +962,15 @@ static struct parm_struct parm_table[] = { > .flags = FLAG_ADVANCED > }, > { >+ .label = "client managed wide links", >+ .type = P_BOOL, >+ .p_class = P_GLOBAL, >+ .ptr = &Globals.bClientManagedWidelinks, >+ .special = NULL, >+ .enum_list = NULL, >+ .flags = FLAG_ADVANCED >+ }, >+ { > .label = "unix charset", > .type = P_STRING, > .p_class = P_GLOBAL, >@@ -5338,6 +5348,7 @@ static void init_globals(bool reinit_globals) > #else > Globals.bUseMmap = True; > #endif >+ Globals.bClientManagedWidelinks = False; > Globals.bUnixExtensions = True; > Globals.bResetOnZeroVC = False; > Globals.bLogWriteableFilesOnExit = False; 
>@@ -5816,6 +5827,7 @@ FN_GLOBAL_BOOL(lp_kernel_oplocks, &Globals.bKernelOplocks) > FN_GLOBAL_BOOL(lp_enhanced_browsing, &Globals.enhanced_browsing) > FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap) > FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions) >+FN_GLOBAL_BOOL(lp_client_managed_widelinks, &Globals.bClientManagedWidelinks) > FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego) > FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego) > FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal) >@@ -10289,6 +10301,7 @@ static bool lp_widelinks_internal(int snum) > > void widelinks_warning(int snum) > { >+ if (lp_client_managed_widelinks()) return; > if (lp_unix_extensions() && lp_widelinks_internal(snum)) { > DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " > "These parameters are incompatible. " >@@ -10299,12 +10312,11 @@ void widelinks_warning(int snum) > > bool lp_widelinks(int snum) > { >- /* wide links is always incompatible with unix extensions */ >- if (lp_unix_extensions()) { >- return false; >- } > >- return lp_widelinks_internal(snum); >+ if (lp_client_managed_widelinks() >+ || !lp_unix_extensions()) return lp_widelinks_internal(snum); >+ >+ return false; > } > > bool lp_writeraw(void) >-- >1.7.3.4 >
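Review bot: The new description in docs-xml/smbdotconf/misc/clientmanagedwidelinks.xml only argues the case where users already have local accounts on the server ("this parameter should provide no decrease in security") and never states what changes when they do not, which is the case the widelinks.xml text in this same patch describes as "This can cause access to areas outside of the share." Say that explicitly so an administrator can decide. The three blocks of text are separated by blank lines inside a single `<para>` and need their own `<para>` elements to render as separate paragraphs. There are also typos to fix: "priviledges" (three times), "they they", and "it's owning group".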
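Review bot: In the docs-xml/smbdotconf/misc/widelinks.xml hunk the first rewritten sentence contains a doubled word, "within the the same share", and capitalises "Share" in "outside the specific Share" while the rest of the paragraph uses lower case. Both should be corrected before this goes into the man page.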
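Review bot: In the docs-xml/smbdotconf/protocol/unixextensions.xml hunk, the added `<smbconfoption name="client managed wide links">` is missing its closing slash, so the element is left open inside the `<para>` and the file is no longer well-formed XML. Every other smbconfoption in this patch is self-closed; write it as `<smbconfoption name="client managed wide links"/>`.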
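Review bot: In widelinks_warning() the new early `if (lp_client_managed_widelinks()) return;` removes the only log message for a share that has wide links and unix extensions enabled together, so once the global is set nothing in the log records which shares are running in that combination. Consider keeping a DEBUG line on that path, reworded as a notice that the override is in effect for share '%s', instead of returning silently.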
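Review bot: In lp_widelinks() the removed comment "wide links is always incompatible with unix extensions" is not replaced, so the reason for the new condition is undocumented; add a comment saying that client managed wide links is the one case where unix extensions do not force wide links off. Since the parameter is registered as P_GLOBAL while lp_widelinks() is evaluated per share (snum), the override applies to every share that has wide links on, and the parameter documentation should say so. On style, the new body starts with a blank line and uses an unbraced `if` whose `return` sits on the continuation line, which does not match the braced form of the code it replaces.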