The Samba-Bugzilla – Bug 5116
CIFS symlinks allow arbitrary access to filesystem
Last modified: 2010-06-02 08:37:02 UTC
When "wide links" is enabled (which is the default) on a writable share, a user can create a symlink using the Unix extensions to point to an arbitrary, user-specified location in the filesystem (e.g. "/"). Then, another user can access it using a client without Unix extensions support (e.g. from Windows), and the server would follow the symlink, exposing files on the arbitrary location on the filesystem.
I have reproduced this on Samba 3.0.24 and Samba 3.0.26a. I don't know how far down it goes; but I suspect that it exists in the latest versions.
Of course, the filesystem access is still under the permissions of the (hopefully limited) user who is configured to access the share, so it cannot do much direct damage. Nevertheless, it exposes a lot of world-readable system information which could potentially be used for other exploits.
Steps to reproduce:
1. mount the share with the CIFS driver (unix extensions on)
2. create a symlink in a location where the user is allowed to create files, the target being "/", or any other arbitrary location outside the share
3. mount the share from Windows XP
4. go to and open the link
5. see that you now have access to the root of the filesystem (or wherever you placed the link to)
This is the law of unintended consequences. :-). All options are acting as expected, just the combination may be unexpected to the unwary. The ways to fix this are to disable unix extensions by default, or disable wide links by default. Both of which I'm loath to do out of the box. Do you have any other suggestions ?
My suggestion would be to not let the unix extensions create wide links by default. If they are there, follow them (wide links = yes), but when creating them check the target. "wide links = create" might be the option to activate creating wide links also.
I think this bug is relevant(In reply to comment #2)
> My suggestion would be to not let the unix extensions create wide links by
> default. If they are there, follow them (wide links = yes), but when creating
> them check the target. "wide links = create" might be the option to activate
> creating wide links also.
this would be a better solution without disabling the the unix extensions. What
is now necessary as the fixes of this bug https://bugzilla.samba.org/show_bug.cgi?id=7104 forces to do so.