The Samba-Bugzilla – Attachment 6883 Details for
Bug 8229
git patch attached against 3.6.0-rc2 to fix 'widelinks' regression intro'd in 3.2
[patch]
git-am fix for 3.6.1.
0001-Fix-bug-8229-git-patch-attached-against-3.6.0-rc2-to.patch (text/plain), 6.18 KB, created by
Jeremy Allison
on 2011-09-14 00:04:54 UTC
Description:
git-am fix for 3.6.1.
Creator:
Jeremy Allison
Created:
2011-09-14 00:04:54 UTC
Size:
6.18 KB
>From 8c87e39ca081a910f5833e1111a6e46f3239c4a4 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 13 Sep 2011 17:03:46 -0700
>Subject: [PATCH] Fix bug #8229 - git patch attached against 3.6.0-rc2 to fix 'widelinks' regression intro'd in 3.2
>
>Add "allow insecure widelinks" to re-enable the ability (requested
>by some sites) to have "widelinks = yes" and "unix extensions = yes".
>
>Based on an original patch by Linda Walsh <samba@tlinx.org>
>---
> .../smbdotconf/misc/allowinsecurewidelinks.xml | 37 ++++++++++++++++++++
> docs-xml/smbdotconf/misc/widelinks.xml | 4 ++
> docs-xml/smbdotconf/protocol/unixextensions.xml | 4 ++
> source3/include/proto.h | 1 +
> source3/param/loadparm.c | 23 ++++++++++++-
> 5 files changed, 68 insertions(+), 1 deletions(-)
> create mode 100644 docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>
>diff --git a/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>new file mode 100644
>index 0000000..a8a0991
>--- /dev/null
>+++ b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
>@@ -0,0 +1,37 @@
>+<samba:parameter name="allow insecure wide links"
>+ context="G"
>+ type="boolean"
>+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
>+<description>
>+ <para>
>+ In normal operation the option <smbconfoption name="wide links"/>
>+ which allows the server to follow symlinks outside of a share path
>+ is automatically disabled when <smbconfoption name="unix extensions"/>
>+ are enabled on a Samba server. This is done for security purposes
>+ to prevent UNIX clients creating symlinks to areas of the server
>+ file system that the administrator does not wish to export.
>+ </para>
>+ <para>
>+ Setting <smbconfoption name="allow insecure wide links"/> to
>+ true disables the link between these two parameters, removing
>+ this protection and allowing a site to configure
>+ the server to follow symlinks (by setting <smbconfoption name="wide links"/>
>+ to "true") even when <smbconfoption name="unix extensions"/>
>+ is turned on.
>+ </para>
>+ <para>
>+ If is not recommended to enable this option unless you
>+ fully understand the implications of allowing the server to
>+ follow symbolic links created by UNIX clients. For most
>+ normal Samba configurations this would be considered a security
>+ hole and setting this parameter is not recommended.
>+ </para>
>+ <para>
>+ This option was added at the request of sites who had
>+ deliberately set Samba up in this way and needed to continue
>+ supporting this functionality without having to patch the
>+ Samba code.
>+ </para>
>+</description>
>+<value type="default">no</value>
>+</samba:parameter>
>diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml
>index 1c30bb7..da1374a 100644
>--- a/docs-xml/smbdotconf/misc/widelinks.xml
>+++ b/docs-xml/smbdotconf/misc/widelinks.xml
>@@ -17,6 +17,10 @@
> disabled (with a message in the log file) if the
> <smbconfoption name="unix extensions"/> option is on.
> </para>
>+ <para>
>+ See the parameter <smbconfoption name="allow insecure wide links"/>
>+ if you wish to change this coupling between the two parameters.
>+ </para>
> </description>
>
> <value type="default">no</value>
>diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml
>index d816648..61a39cb 100644
>--- a/docs-xml/smbdotconf/protocol/unixextensions.xml
>+++ b/docs-xml/smbdotconf/protocol/unixextensions.xml
>@@ -14,6 +14,10 @@
> Note if this parameter is turned on, the <smbconfoption name="wide links"/>
> parameter will automatically be disabled.
> </para>
>+ <para>
>+ See the parameter <smbconfoption name="allow insecure wide links"/>
>+ if you wish to change this coupling between the two parameters.
>+ </para>
> </description>
>
> <value type="default">yes</value>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 8fdd77d..28b58b2 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -1636,6 +1636,7 @@ bool lp_oplocks(int );
> bool lp_level2_oplocks(int );
> bool lp_onlyuser(int );
> bool lp_manglednames(const struct share_params *p );
>+bool lp_allow_insecure_widelinks(void);
> bool lp_widelinks(int );
> bool lp_symlinks(int );
> bool lp_syncalways(int );
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index bec525e..6ad2452 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -379,6 +379,7 @@ struct global {
> bool bMapUntrustedToDomain;
> bool bAsyncSMBEchoHandler;
> bool bMulticastDnsRegister;
>+ bool bAllowInsecureWidelinks;
> int ismb2_max_read;
> int ismb2_max_write;
> int ismb2_max_trans;
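Review bot: No visible hunk sets a default for the new `bAllowInsecureWidelinks` field in `struct global`, so the documented default of `no` depends on how `Globals` is initialised and reset elsewhere in loadparm.c. Because this flag switches off a security coupling, I would assign it explicitly next to the other global defaults, `Globals.bAllowInsecureWidelinks = false;`. That way a configuration reload after the option has been removed from smb.conf cannot leave a previous `yes` in place. The initialisation code is outside this patch, so this is something to confirm rather than a demonstrated defect.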
>@@ -4356,6 +4357,15 @@ static struct parm_struct parm_table[] = {
> .flags = FLAG_ADVANCED | FLAG_SHARE,
> },
> {
>+ .label = "allow insecure wide links",
>+ .type = P_BOOL,
>+ .p_class = P_GLOBAL,
>+ .ptr = &Globals.bAllowInsecureWidelinks,
>+ .special = NULL,
>+ .enum_list = NULL,
>+ .flags = FLAG_ADVANCED,
>+ },
>+ {
> .label = "wide links",
> .type = P_BOOL,
> .p_class = P_LOCAL,
>@@ -5996,6 +6006,7 @@ FN_LOCAL_BOOL(lp_dos_filetime_resolution, bDosFiletimeResolution)
> FN_LOCAL_BOOL(lp_fake_dir_create_times, bFakeDirCreateTimes)
> FN_GLOBAL_BOOL(lp_async_smb_echo_handler, &Globals.bAsyncSMBEchoHandler)
> FN_GLOBAL_BOOL(lp_multicast_dns_register, &Globals.bMulticastDnsRegister)
>+FN_GLOBAL_BOOL(lp_allow_insecure_widelinks, &Globals.bAllowInsecureWidelinks)
> FN_LOCAL_BOOL(lp_blocking_locks, bBlockingLocks)
> FN_LOCAL_BOOL(lp_inherit_perms, bInheritPerms)
> FN_LOCAL_BOOL(lp_inherit_acls, bInheritACLS)
>@@ -10322,6 +10333,10 @@ static bool lp_widelinks_internal(int snum)
>
> void widelinks_warning(int snum)
> {
>+ if (lp_allow_insecure_widelinks()) {
>+ return;
>+ }
>+
> if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
> DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
> "These parameters are incompatible. "
>@@ -10334,7 +10349,13 @@ bool lp_widelinks(int snum)
> {
> /* wide links is always incompatible with unix extensions */
> if (lp_unix_extensions()) {
>- return false;
>+ /*
>+ * Unless we have "allow insecure widelinks"
>+ * turned on.
>+ */
>+ if (!lp_allow_insecure_widelinks()) {
>+ return false;
>+ }
> }
>
> return lp_widelinks_internal(snum);
>--
>1.7.3.1
>
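Review bot: The early return added at the top of `widelinks_warning()` makes the insecure combination silent: once `allow insecure wide links` is on, a share with both wide links and unix extensions enabled leaves no trace in the log. The new documentation calls this setting a security hole, so the log should still record which shares are following client-created symlinks, otherwise an administrator or auditor cannot tell from the log that the protection is off. I would move the override check inside the existing condition and log a distinct message before returning; pick the debug level to suit how often this function is called. The rest of the function's existing DEBUG call lies outside the hunk.

```c
	if (lp_unix_extensions() && lp_widelinks_internal(snum)) {
		if (lp_allow_insecure_widelinks()) {
			/* Override active: record it rather than staying silent. */
			DEBUG(0,("Share '%s' has wide links and unix extensions "
				"enabled because 'allow insecure wide links' "
				"is set.\n",
				lp_servicename(snum)));
			return;
		}
		/* … unchanged: existing DEBUG(0) "These parameters are incompatible" message … */
```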
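Review bot: The retained comment `/* wide links is always incompatible with unix extensions */` in `lp_widelinks()` is no longer true once the override exists, and the nested `if` spreads a single security decision over two conditions and two comments. A single guard reads more clearly: `if (lp_unix_extensions() && !lp_allow_insecure_widelinks()) { return false; }`, under a comment such as `/* wide links is refused under unix extensions unless "allow insecure wide links" is set */`. The added comment also spells the option "allow insecure widelinks", while the label registered in `parm_table` is "allow insecure wide links"; using the exact label keeps it greppable.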
Flags:
vl
:
review+