Can the Samba security setting `wide links` be bypassed using a race condition?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















Apache has options FollowSymLinks and SymLinksIfOwnerMatch. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:



Samba has an option called wide links :




Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.



See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.




Can the Samba option be bypassed via a race condition?



If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?










share|improve this question






























    1















    Apache has options FollowSymLinks and SymLinksIfOwnerMatch. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:



    Samba has an option called wide links :




    Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.



    See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.




    Can the Samba option be bypassed via a race condition?



    If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?










    share|improve this question


























      1












      1








      1








      Apache has options FollowSymLinks and SymLinksIfOwnerMatch. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:



      Samba has an option called wide links :




      Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.



      See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.




      Can the Samba option be bypassed via a race condition?



      If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?










      share|improve this question
















      Apache has options FollowSymLinks and SymLinksIfOwnerMatch. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:



      Samba has an option called wide links :




      Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.



      See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.




      Can the Samba option be bypassed via a race condition?



      If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?







      security samba






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 8 at 18:35







      sourcejedi

















      asked Mar 8 at 16:50









      sourcejedisourcejedi

      25.6k445112




      25.6k445112




















          1 Answer
          1






          active

          oldest

          votes


















          2














          It certainly was vulnerable. See CVE-2017-2619.



          The patch for this bug includes a new function, called open_dir_safely(). It uses chdir() to enter the directory that contains the file to be opened.



          I guess this means you can use getcwd(), to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd(). I have not confirmed exactly what Samba does after chdir().



          This is not great if your process has multiple threads, because chdir() affects the whole process :-). Linux-specific programs could instead use open() with the O_PATH flag, and then use readlink() on the open file descriptor under /proc/self/fd/.



          The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open(), you can use the O_NOFOLLOW flag. If it is a symlink, open() will return ELOOP. Then you may readlink() the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).



          If you have to repeat the procedure "too many" times, then you can return failure (ELOOP again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW) and readlink()).



          On a non-Linux OS, you might not have a very efficient getcwd(). If you have O_PATH, then you can avoid getcwd() by iterating through every segment of the path, using O_PATH + O_NOFOLLOW and manually resolving links.



          In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.






          share|improve this answer

























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505170%2fcan-the-samba-security-setting-wide-links-be-bypassed-using-a-race-condition%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2














            It certainly was vulnerable. See CVE-2017-2619.



            The patch for this bug includes a new function, called open_dir_safely(). It uses chdir() to enter the directory that contains the file to be opened.



            I guess this means you can use getcwd(), to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd(). I have not confirmed exactly what Samba does after chdir().



            This is not great if your process has multiple threads, because chdir() affects the whole process :-). Linux-specific programs could instead use open() with the O_PATH flag, and then use readlink() on the open file descriptor under /proc/self/fd/.



            The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open(), you can use the O_NOFOLLOW flag. If it is a symlink, open() will return ELOOP. Then you may readlink() the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).



            If you have to repeat the procedure "too many" times, then you can return failure (ELOOP again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW) and readlink()).



            On a non-Linux OS, you might not have a very efficient getcwd(). If you have O_PATH, then you can avoid getcwd() by iterating through every segment of the path, using O_PATH + O_NOFOLLOW and manually resolving links.



            In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.






            share|improve this answer





























              2














              It certainly was vulnerable. See CVE-2017-2619.



              The patch for this bug includes a new function, called open_dir_safely(). It uses chdir() to enter the directory that contains the file to be opened.



              I guess this means you can use getcwd(), to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd(). I have not confirmed exactly what Samba does after chdir().



              This is not great if your process has multiple threads, because chdir() affects the whole process :-). Linux-specific programs could instead use open() with the O_PATH flag, and then use readlink() on the open file descriptor under /proc/self/fd/.



              The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open(), you can use the O_NOFOLLOW flag. If it is a symlink, open() will return ELOOP. Then you may readlink() the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).



              If you have to repeat the procedure "too many" times, then you can return failure (ELOOP again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW) and readlink()).



              On a non-Linux OS, you might not have a very efficient getcwd(). If you have O_PATH, then you can avoid getcwd() by iterating through every segment of the path, using O_PATH + O_NOFOLLOW and manually resolving links.



              In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.






              share|improve this answer



























                2












                2








                2







                It certainly was vulnerable. See CVE-2017-2619.



                The patch for this bug includes a new function, called open_dir_safely(). It uses chdir() to enter the directory that contains the file to be opened.



                I guess this means you can use getcwd(), to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd(). I have not confirmed exactly what Samba does after chdir().



                This is not great if your process has multiple threads, because chdir() affects the whole process :-). Linux-specific programs could instead use open() with the O_PATH flag, and then use readlink() on the open file descriptor under /proc/self/fd/.



                The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open(), you can use the O_NOFOLLOW flag. If it is a symlink, open() will return ELOOP. Then you may readlink() the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).



                If you have to repeat the procedure "too many" times, then you can return failure (ELOOP again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW) and readlink()).



                On a non-Linux OS, you might not have a very efficient getcwd(). If you have O_PATH, then you can avoid getcwd() by iterating through every segment of the path, using O_PATH + O_NOFOLLOW and manually resolving links.



                In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.






                share|improve this answer















                It certainly was vulnerable. See CVE-2017-2619.



                The patch for this bug includes a new function, called open_dir_safely(). It uses chdir() to enter the directory that contains the file to be opened.



                I guess this means you can use getcwd(), to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd(). I have not confirmed exactly what Samba does after chdir().



                This is not great if your process has multiple threads, because chdir() affects the whole process :-). Linux-specific programs could instead use open() with the O_PATH flag, and then use readlink() on the open file descriptor under /proc/self/fd/.



                The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open(), you can use the O_NOFOLLOW flag. If it is a symlink, open() will return ELOOP. Then you may readlink() the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).



                If you have to repeat the procedure "too many" times, then you can return failure (ELOOP again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW) and readlink()).



                On a non-Linux OS, you might not have a very efficient getcwd(). If you have O_PATH, then you can avoid getcwd() by iterating through every segment of the path, using O_PATH + O_NOFOLLOW and manually resolving links.



                In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Mar 8 at 18:34

























                answered Mar 8 at 18:14









                sourcejedisourcejedi

                25.6k445112




                25.6k445112



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505170%2fcan-the-samba-security-setting-wide-links-be-bypassed-using-a-race-condition%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?