Attachment 6883 Details for Bug 8229 – git-am fix for 3.6.1.

[patch] git-am fix for 3.6.1.

0001-Fix-bug-8229-git-patch-attached-against-3.6.0-rc2-to.patch (text/plain), 6.18 KB, created by Jeremy Allison on 2011-09-14 00:04:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2011-09-14 00:04:54 UTC

Size: 6.18 KB

patch

obsolete

>From 8c87e39ca081a910f5833e1111a6e46f3239c4a4 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 13 Sep 2011 17:03:46 -0700
>Subject: [PATCH] Fix bug #8229 - git patch attached against 3.6.0-rc2 to fix 'widelinks' regression intro'd in 3.2
>
>Add "allow insecure widelinks" to re-enable the ability (requested
>by some sites) to have "widelinks = yes" and "unix extensions = yes".
>
>Based on an original patch by Linda Walsh <samba@tlinx.org>
>---
> .../smbdotconf/misc/allowinsecurewidelinks.xml     |   37 ++++++++++++++++++++
> docs-xml/smbdotconf/misc/widelinks.xml             |    4 ++
> docs-xml/smbdotconf/protocol/unixextensions.xml    |    4 ++
> source3/include/proto.h                            |    1 +
> source3/param/loadparm.c                           |   23 ++++++++++++-
> 5 files changed, 68 insertions(+), 1 deletions(-)
> create mode 100644 docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>
>diff --git a/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>new file mode 100644
>index 0000000..a8a0991
>--- /dev/null
>+++ b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>@@ -0,0 +1,37 @@
>+<samba:parameter name="allow insecure wide links"
>+		context="G"
>+		type="boolean"
>+		xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
>+<description>
>+	<para>
>+	In normal operation the option <smbconfoption name="wide links"/>
>+	which allows the server to follow symlinks outside of a share path
>+	is automatically disabled when <smbconfoption name="unix extensions"/>
>+	are enabled on a Samba server. This is done for security purposes
>+	to prevent UNIX clients creating symlinks to areas of the server
>+	file system that the administrator does not wish to export.
>+	</para>
>+	<para>
>+	Setting <smbconfoption name="allow insecure wide links"/> to
>+	true disables the link between these two parameters, removing
>+	this protection and allowing a site to configure
>+	the server to follow symlinks (by setting <smbconfoption name="wide links"/>
>+	to "true") even when <smbconfoption name="unix extensions"/>
>+	is turned on.
>+	</para>
>+	<para>
>+	If is not recommended to enable this option unless you
>+	fully understand the implications of allowing the server to
>+	follow symbolic links created by UNIX clients. For most
>+	normal Samba configurations this would be considered a security
>+	hole and setting this parameter is not recommended.
>+	</para>
>+	<para>
>+	This option was added at the request of sites who had
>+	deliberately set Samba up in this way and needed to continue
>+	supporting this functionality without having to patch the
>+	Samba code.
>+	</para>
>+</description>
>+<value type="default">no</value>
>+</samba:parameter>
>diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml
>index 1c30bb7..da1374a 100644
>--- a/docs-xml/smbdotconf/misc/widelinks.xml
>+++ b/docs-xml/smbdotconf/misc/widelinks.xml
>@@ -17,6 +17,10 @@
> 	disabled (with a message in the log file) if the
> 	<smbconfoption name="unix extensions"/> option is on.
> 	</para>
>+	<para>
>+	See the parameter <smbconfoption name="allow insecure wide links"/>
>+	if you wish to change this coupling between the two parameters.
>+	</para>
> </description>
> 
> <value type="default">no</value>
>diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml
>index d816648..61a39cb 100644
>--- a/docs-xml/smbdotconf/protocol/unixextensions.xml
>+++ b/docs-xml/smbdotconf/protocol/unixextensions.xml
>@@ -14,6 +14,10 @@
>     Note if this parameter is turned on, the <smbconfoption name="wide links"/>
>     parameter will automatically be disabled.
>     </para>
>+    <para>
>+    See the parameter <smbconfoption name="allow insecure wide links"/>
>+    if you wish to change this coupling between the two parameters.
>+    </para>
> </description>
> 
> <value type="default">yes</value>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 8fdd77d..28b58b2 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -1636,6 +1636,7 @@ bool lp_oplocks(int );
> bool lp_level2_oplocks(int );
> bool lp_onlyuser(int );
> bool lp_manglednames(const struct share_params *p );
>+bool lp_allow_insecure_widelinks(void);
> bool lp_widelinks(int );
> bool lp_symlinks(int );
> bool lp_syncalways(int );
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index bec525e..6ad2452 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -379,6 +379,7 @@ struct global {
> 	bool bMapUntrustedToDomain;
> 	bool bAsyncSMBEchoHandler;
> 	bool bMulticastDnsRegister;
>+	bool bAllowInsecureWidelinks;
> 	int ismb2_max_read;
> 	int ismb2_max_write;
> 	int ismb2_max_trans;
>@@ -4356,6 +4357,15 @@ static struct parm_struct parm_table[] = {
> 		.flags		= FLAG_ADVANCED | FLAG_SHARE,
> 	},
> 	{
>+		.label		= "allow insecure wide links",
>+		.type		= P_BOOL,
>+		.p_class	= P_GLOBAL,
>+		.ptr		= &Globals.bAllowInsecureWidelinks,
>+		.special	= NULL,
>+		.enum_list	= NULL,
>+		.flags		= FLAG_ADVANCED,
>+	},
>+	{
> 		.label		= "wide links",
> 		.type		= P_BOOL,
> 		.p_class	= P_LOCAL,
>@@ -5996,6 +6006,7 @@ FN_LOCAL_BOOL(lp_dos_filetime_resolution, bDosFiletimeResolution)
> FN_LOCAL_BOOL(lp_fake_dir_create_times, bFakeDirCreateTimes)
> FN_GLOBAL_BOOL(lp_async_smb_echo_handler, &Globals.bAsyncSMBEchoHandler)
> FN_GLOBAL_BOOL(lp_multicast_dns_register, &Globals.bMulticastDnsRegister)
>+FN_GLOBAL_BOOL(lp_allow_insecure_widelinks, &Globals.bAllowInsecureWidelinks)
> FN_LOCAL_BOOL(lp_blocking_locks, bBlockingLocks)
> FN_LOCAL_BOOL(lp_inherit_perms, bInheritPerms)
> FN_LOCAL_BOOL(lp_inherit_acls, bInheritACLS)
>@@ -10322,6 +10333,10 @@ static bool lp_widelinks_internal(int snum)
> 
> void widelinks_warning(int snum)
> {
>+	if (lp_allow_insecure_widelinks()) {
>+		return;
>+	}
>+
> 	if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
> 		DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
> 			"These parameters are incompatible. "
>@@ -10334,7 +10349,13 @@ bool lp_widelinks(int snum)
> {
> 	/* wide links is always incompatible with unix extensions */
> 	if (lp_unix_extensions()) {
>-		return false;
>+		/*
>+		 * Unless we have "allow insecure widelinks"
>+		 * turned on.
>+		 */
>+		if (!lp_allow_insecure_widelinks()) {
>+			return false;
>+		}
> 	}
> 
> 	return lp_widelinks_internal(snum);
>-- 
>1.7.3.1
>

Flags:

vl: review+

Actions: View

Attachments on bug 8229: 6575 | 6883