Samba: symlink pointing outside the shared directory tree is not visible to clients
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes
[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes
I've tried smbclient //<my hostname>/Public
and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.
Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:
- server resolves symlinks and presents them to client as regular objects; client can't create symlinks
- server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory
How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?
P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody
, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.
symlink samba samba4
New contributor
add a comment |
up vote
0
down vote
favorite
I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes
[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes
I've tried smbclient //<my hostname>/Public
and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.
Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:
- server resolves symlinks and presents them to client as regular objects; client can't create symlinks
- server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory
How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?
P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody
, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.
symlink samba samba4
New contributor
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes
[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes
I've tried smbclient //<my hostname>/Public
and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.
Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:
- server resolves symlinks and presents them to client as regular objects; client can't create symlinks
- server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory
How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?
P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody
, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.
symlink samba samba4
New contributor
I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes
[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes
I've tried smbclient //<my hostname>/Public
and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.
Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:
- server resolves symlinks and presents them to client as regular objects; client can't create symlinks
- server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory
How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?
P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody
, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.
symlink samba samba4
symlink samba samba4
New contributor
New contributor
edited Nov 19 at 14:12
New contributor
asked Nov 19 at 5:30
Eugene Shatsky
11
11
New contributor
New contributor
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22
add a comment |
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.
Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.
Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.
Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482671%2fsamba-symlink-pointing-outside-the-shared-directory-tree-is-not-visible-to-clie%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22