Samba: symlink pointing outside the shared directory tree is not visible to clients

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:



[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes

[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes


I've tried smbclient //<my hostname>/Public and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.



Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:



  • server resolves symlinks and presents them to client as regular objects; client can't create symlinks

  • server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory

How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?



P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.










share|improve this question









New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Don't use symlinks within shares at all.
    – Ipor Sircer
    Nov 19 at 6:22














up vote
0
down vote

favorite












I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:



[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes

[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes


I've tried smbclient //<my hostname>/Public and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.



Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:



  • server resolves symlinks and presents them to client as regular objects; client can't create symlinks

  • server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory

How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?



P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.










share|improve this question









New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Don't use symlinks within shares at all.
    – Ipor Sircer
    Nov 19 at 6:22












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:



[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes

[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes


I've tried smbclient //<my hostname>/Public and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.



Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:



  • server resolves symlinks and presents them to client as regular objects; client can't create symlinks

  • server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory

How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?



P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.










share|improve this question









New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I want Samba share to contain a symlink to directory outside the shared directory tree. Of course I don't want clients to be able to tamper with anything else on the server filesystem except for the shared directory tree and trees of outer directories which I symlink inside it intentionally. I've seen multiple answered similar questions here but solutions didn't work for me. My smb.conf:



[global]
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
map to guest = bad user
# I'm not going to need anything that is not supported by Windows clients anyway
unix extensions = no
# This shouldn't be necessary with unix extensions off
allow insecure wide links = yes

[Public]
path = /mnt/Shares/Public
guest ok = yes
only guest = yes
wide links = yes
# Default value, probably an obsolete setting
follow symlinks = yes


I've tried smbclient //<my hostname>/Public and Windows client, both don't list the symlink linked to outer directory at all. Symlink linked to another directory inside the shared directory is shown. Samba 4.7, running under root account and should be able to access symlinked outer directory.



Besides, I don't get the idea of symlink security in Samba. I see 2 sane ways of handling symlinks:



  • server resolves symlinks and presents them to client as regular objects; client can't create symlinks

  • server presents symlinks as-is, client resolves them; client can't access server filesystem objects outside of the share directory

How can I achieve the 1st? In the Samba manual it looks like server can allow client to create symlink which is then resolved by server, e. g. in the "follow symlinks" section. What's the point of such behavior?



P. S. So mods are ok with stupid "just do without what you're trying to achieve" comments but delete my answer describing solution of the title problem because they consider it's merely "additional information". Great. Deleted answer: it's the user that's mapped to the client (in my case it's nobody, default for guest account) that should be able to access the target directory, not the one running smbd. Still would be great to demystify the last question.







symlink samba samba4






share|improve this question









New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Nov 19 at 14:12





















New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Nov 19 at 5:30









Eugene Shatsky

11




11




New contributor




Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Eugene Shatsky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Don't use symlinks within shares at all.
    – Ipor Sircer
    Nov 19 at 6:22
















  • Don't use symlinks within shares at all.
    – Ipor Sircer
    Nov 19 at 6:22















Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22




Don't use symlinks within shares at all.
– Ipor Sircer
Nov 19 at 6:22















active

oldest

votes











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482671%2fsamba-symlink-pointing-outside-the-shared-directory-tree-is-not-visible-to-clie%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes








Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.












Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.











Eugene Shatsky is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482671%2fsamba-symlink-pointing-outside-the-shared-directory-tree-is-not-visible-to-clie%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?