Bug 8318 - Allowing wide links = yes and unix extensions = yes
Status: RESOLVED DUPLICATE of bug 8229
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Config Files
Version: 3.4.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2011-07-23 15:07 UTC by Mario Klebsch
Modified: 2011-07-25 18:29 UTC
Description Mario Klebsch 2011-07-23 15:07:26 UTC
I read a lot about security concerns having led to the decision that Samba does not allow wide links=yes and unix extensions=yes. The ability of a client to read /etc/passwd is given as an example of the security problem that justifies smbd's code ignoring the admin's settings and turning off wide links.

BUT: Every user of a UNIX system can read /etc/passwd; being able to read this file is NOT a security problem, but part of UNIX's design!!!

If it is not a security problem, setting these two options this way should not be made impossible by the code. I have seen lots of postings from people having problems due to this code. I even have seen suggestions to allow this presumably insecure option at the admin's explicit will, but they have been rejected. The only (at least partially) useful tip to those admins was to change Samba's source code and remove this unwanted restriction.

UNIX systems have a long tradition of not kindergartening the admin, and I am sure a request to change chmod(1) or (2) to protect /etc/passwd from being chmod()ed to 777 would not make it into the Linux kernel nor into userland tools.

73, Mario
Comment 1 Karolin Seeger 2011-07-24 18:16:43 UTC
Re-assigning to Jeremy.
Comment 2 Jeremy Allison 2011-07-25 18:29:52 UTC
We already have a patch for this. I will evaluate for 3.6.1. It's too late to put into 3.6.0 final.

Jeremy.

*** This bug has been marked as a duplicate of bug 8229 ***