Add support of insecure wide links
This commit is contained in:
@@ -269,6 +269,30 @@
|
||||
# public shares, not just authenticated ones
|
||||
usershare allow guests = yes
|
||||
|
||||
# In normal operation the option wide links which allows the server to follow
|
||||
# symlinks outside of a share path is automatically disabled when unix extensions
|
||||
# are enabled on a Samba server. This is done for security purposes to prevent
|
||||
# UNIX clients creating symlinks to areas of the server file system that the
|
||||
# administrator does not wish to export.
|
||||
#
|
||||
# Setting allow insecure wide links to true disables the link between these two
|
||||
# parameters, removing this protection and allowing a site to configure the server
|
||||
# to follow symlinks (by setting wide links to "true") even when unix extensions is
|
||||
# turned on.
|
||||
#
|
||||
# It is not recommended to enable this option unless you fully understand the
|
||||
# implications of allowing the server to follow symbolic links created by UNIX clients.
|
||||
# For most normal Samba configurations this would be considered a security hole and
|
||||
# setting this parameter is not recommended.
|
||||
#
|
||||
# This option was added at the request of sites who had deliberately set Samba up
|
||||
# in this way and needed to continue supporting this functionality without having to
|
||||
# patch the Samba code.
|
||||
#
|
||||
# Default: allow insecure wide links = no
|
||||
#
|
||||
allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
|
||||
|
||||
#======================= Share Definitions =======================
|
||||
|
||||
# {{ ansible_managed }}
|
||||
@@ -368,6 +392,26 @@
|
||||
|
||||
force group = +{{ item.group_write_list }}
|
||||
{% endif %}
|
||||
{%- if item.wide_links is defined and item.wide_links|length > 0 %}
|
||||
# This parameter controls whether or not links in the UNIX file system may be
|
||||
# followed by the server. Links that point to areas within the directory tree
|
||||
# exported by the server are always allowed; this parameter controls access only to
|
||||
# areas that are outside the directory tree being exported.
|
||||
#
|
||||
# Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
|
||||
# clients to create symbolic links on the share that can point to files or
|
||||
# directories outside restricted path exported by the share definition. This can
|
||||
# cause access to areas outside of the share. Due to this problem, this paramete
|
||||
# will be automatically disabled (with a message in the log file) if the unix
|
||||
# extensions option is on.
|
||||
#
|
||||
# See the parameter allow insecure wide links if you wish to change this coupling
|
||||
# between the two parameters.
|
||||
#
|
||||
# Default: wide links = no
|
||||
#
|
||||
wide links = yes
|
||||
{% endif %}
|
||||
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
|
||||
{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user