summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2011-09-13 16:42:09 -0700
committerJeremy Allison <jra@samba.org>2011-09-14 03:55:45 +0200
commitfbbfdbd64818252784e9ba2ab87af3a02bacde22 (patch)
treec1bc314c351dfe6bbfdfb4b7b27712e271430cb7 /docs-xml/smbdotconf
parent84a4289b5236e38ab0afc6ef3c784d202c6b3c2c (diff)
downloadsamba-fbbfdbd64818252784e9ba2ab87af3a02bacde22.tar.gz
samba-fbbfdbd64818252784e9ba2ab87af3a02bacde22.tar.bz2
samba-fbbfdbd64818252784e9ba2ab87af3a02bacde22.zip
Fix bug #8229 - git patch attached against 3.6.0-rc2 to fix 'widelinks' regression intro'd in 3.2
Add "allow insecure widelinks" to re-enable the ability (requested by some sites) to have "widelinks = yes" and "unix extensions = yes". Based on an original patch by Linda Walsh <samba@tlinx.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Sep 14 03:55:45 CEST 2011 on sn-devel-104
Diffstat (limited to 'docs-xml/smbdotconf')
-rw-r--r--docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml37
-rw-r--r--docs-xml/smbdotconf/misc/widelinks.xml4
-rw-r--r--docs-xml/smbdotconf/protocol/unixextensions.xml4
3 files changed, 45 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
new file mode 100644
index 0000000000..a8a099190b
--- /dev/null
+++ b/docs-xml/smbdotconf/misc/allowinsecurewidelinks.xml
@@ -0,0 +1,37 @@
+<samba:parameter name="allow insecure wide links"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ In normal operation the option <smbconfoption name="wide links"/>
+ which allows the server to follow symlinks outside of a share path
+ is automatically disabled when <smbconfoption name="unix extensions"/>
+ are enabled on a Samba server. This is done for security purposes
+ to prevent UNIX clients creating symlinks to areas of the server
+ file system that the administrator does not wish to export.
+ </para>
+ <para>
+ Setting <smbconfoption name="allow insecure wide links"/> to
+ true disables the link between these two parameters, removing
+ this protection and allowing a site to configure
+ the server to follow symlinks (by setting <smbconfoption name="wide links"/>
+ to "true") even when <smbconfoption name="unix extensions"/>
+ is turned on.
+ </para>
+ <para>
+ If is not recommended to enable this option unless you
+ fully understand the implications of allowing the server to
+ follow symbolic links created by UNIX clients. For most
+ normal Samba configurations this would be considered a security
+ hole and setting this parameter is not recommended.
+ </para>
+ <para>
+ This option was added at the request of sites who had
+ deliberately set Samba up in this way and needed to continue
+ supporting this functionality without having to patch the
+ Samba code.
+ </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml
index 1c30bb768a..da1374afab 100644
--- a/docs-xml/smbdotconf/misc/widelinks.xml
+++ b/docs-xml/smbdotconf/misc/widelinks.xml
@@ -17,6 +17,10 @@
disabled (with a message in the log file) if the
<smbconfoption name="unix extensions"/> option is on.
</para>
+ <para>
+ See the parameter <smbconfoption name="allow insecure wide links"/>
+ if you wish to change this coupling between the two parameters.
+ </para>
</description>
<value type="default">no</value>
diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml
index d816648836..61a39cb763 100644
--- a/docs-xml/smbdotconf/protocol/unixextensions.xml
+++ b/docs-xml/smbdotconf/protocol/unixextensions.xml
@@ -14,6 +14,10 @@
Note if this parameter is turned on, the <smbconfoption name="wide links"/>
parameter will automatically be disabled.
</para>
+ <para>
+ See the parameter <smbconfoption name="allow insecure wide links"/>
+ if you wish to change this coupling between the two parameters.
+ </para>
</description>
<value type="default">yes</value>