Bug 5116 - CIFS symlinks allow arbitrary access to filesystem
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.26a
Hardware: All Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-12-02 06:59 UTC by ZeruelX of Zinj
Modified: 2021-01-04 16:47 UTC

Description ZeruelX of Zinj 2007-12-02 06:59:41 UTC
When "wide links" is enabled (which is the default) on a writable share, a user can create a symlink using the Unix extensions to point to an arbitrary, user-specified location in the filesystem (e.g. "/"). Then, another user can access it using a client without Unix extensions support (e.g. from Windows), and the server would follow the symlink, exposing files on the arbitrary location on the filesystem.

I have reproduced this on Samba 3.0.24 and Samba 3.0.26a. I don't know how far down it goes; but I suspect that it exists in the latest versions.

Of course, the filesystem access is still under the permissions of the (hopefully limited) user who is configured to access the share, so it cannot do much direct damage. Nevertheless, it exposes a lot of world-readable system information which could potentially be used for other exploits.

Steps to reproduce:
1. mount the share with the CIFS driver (unix extensions on)
2. create a symlink in a location where the user is allowed to create files, the target being "/", or any other arbitrary location outside the share
3. mount the share from Windows XP
4. go to and open the link
5. see that you now have access to the root of the filesystem (or wherever you placed the link to)
Comment 1 Jeremy Allison 2007-12-02 23:53:47 UTC
This is the law of unintended consequences. :-). All options are acting as expected, just the combination may be unexpected to the unwary. The ways to fix this are to disable unix extensions by default, or disable wide links by default. Both of which I'm loath to do out of the box. Do you have any other suggestions?

Jeremy.
Comment 2 Volker Lendecke 2007-12-03 00:44:04 UTC
My suggestion would be to not let the unix extensions create wide links by default. If they are there, follow them (wide links = yes), but when creating them check the target. "wide links = create" might be the option to activate creating wide links also.

Volker
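
Added example, not part of the original bug thread and not Samba's code: a Python audit that applies the target check suggested in comment 2 (does a symlink target resolve inside the share?) and uses it to list links already in a share that point outside it, as in the report's description. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile


def resolves_inside(share_root, link_dir, target):
    """Creation-time check: would a symlink stored in link_dir with this
    target resolve to a path inside share_root?"""
    root = os.path.realpath(share_root)
    # A relative target is interpreted relative to the directory holding the
    # link; an absolute target makes os.path.join discard link_dir.
    resolved = os.path.realpath(os.path.join(link_dir, target))
    return os.path.commonpath([root, resolved]) == root


def find_wide_links(share_root):
    """Audit: sorted (link path relative to the share, raw target) pairs for
    symlinks in the share whose target resolves outside it."""
    found = []
    # followlinks=False: symlinked directories are listed but never entered.
    for dirpath, dirnames, filenames in os.walk(share_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.readlink(path)
                if not resolves_inside(share_root, dirpath, target):
                    found.append((os.path.relpath(path, share_root), target))
    return sorted(found)


def build_sample_share(base):
    """Constructed sample share: two links that escape it, one that does not."""
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "docs"))
    open(os.path.join(share, "docs", "readme.txt"), "w").close()
    os.symlink("/", os.path.join(share, "rootfs"))                # absolute target
    os.symlink("../../", os.path.join(share, "docs", "up"))       # relative escape
    os.symlink("docs/readme.txt", os.path.join(share, "inside"))  # stays inside
    return share


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_wide_links(build_sample_share(base)):
            print(f"wide link: {link} -> {target}")
```

The result reflects the filesystem at the moment of the scan; a path component changed afterwards can make a previously contained link resolve outside the share.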
Comment 3 Frieder Buerzele 2010-06-02 08:37:02 UTC
I think this bug is relevant

(In reply to comment #2)
> My suggestion would be to not let the unix extensions create wide links by
> default. If they are there, follow them (wide links = yes), but when creating
> them check the target. "wide links = create" might be the option to activate
> creating wide links also.
> 
> Volker
> 

This would be a better solution without disabling the unix extensions. What is now necessary as the fixes of this bug https://bugzilla.samba.org/show_bug.cgi?id=7104 forces to do so.
Comment 4 Björn Jacke 2021-01-04 16:47:55 UTC
symlink handling was hardened in the meantime