diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index fa45911..2647cb1 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -2941,6 +2941,10 @@ samba_netbios_name: # samba_server_min_protocol: []
+# samba_allow_insecure_wide_links
+#
+samba_allow_insecure_wide_links: !!str no
+
 samba_groups: [] # samba_user:
diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml
index 99d2dda..84ed7f2 100644
--- a/host_vars/zapata.opp.netz.yml
+++ b/host_vars/zapata.opp.netz.yml
@@ -203,6 +203,8 @@ samba_netbios_name: ZAPATA samba_server_min_protocol: !!str NT1
+samba_allow_insecure_wide_links: !!str yes
+
 samba_groups:
 - name: buero
 group_id: 1100
@@ -412,6 +414,7 @@ samba_shares:
 group_write_list: buero
 file_create_mask: !!str 660
 dir_create_mask: !!str 2770
+ wide_links: !!str yes
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -440,8 +443,8 @@ samba_shares:
 path: /data/backup
 browseable: !!str yes
 read_only: !!str yes
- writeable: !!str no
- guest_ok: !!str no
+ writeable: !!str no
+ guest_ok: !!str no
 file_create_mask: !!str 0664
 dir_create_mask: !!str 0755
 vfs_object_recycle: false
diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2
index d5d57bb..f5f7aa1 100644
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
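Review bot: The comment header added above `samba_allow_insecure_wide_links` in group_vars/all/main.yml only repeats the variable name, so the one place a role user looks up this knob says nothing about what it disables. I'd replace the two comment lines with `# samba_allow_insecure_wide_links: set to yes only when a share must follow symlinks outside its path while unix extensions are on;` and `# this removes Samba's symlink-confinement protection server-wide (see smb.conf(5), "allow insecure wide links").` The `!!str no` value matches the other samba_* yes/no settings in these files and the template's `|default('no')` fallback, so the value itself is fine.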
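Review bot: `samba_allow_insecure_wide_links: !!str yes` in host_vars/zapata.opp.netz.yml switches the protection off for every share on that host, while the only consumer visible in this commit is the single share that gains `wide_links: !!str yes` in the `@@ -412` hunk. The template comment added in the same commit describes the option as a security hole for most configurations, so the host entry should carry a one-line comment recording which share needs symlinks outside its path and why, e.g. `# needed by the <share name placeholder> share only; all other shares keep wide links = no`. If the symlink targets are a fixed set of directories, exporting them through a bind mount inside the share path or as an additional share would avoid the host-wide setting altogether; whether that applies here is not visible in the diff.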
@@ -269,6 +269,30 @@ # public shares, not just authenticated ones usershare allow guests = yes
+# In normal operation the option wide links which allows the server to follow
+# symlinks outside of a share path is automatically disabled when unix extensions
+# are enabled on a Samba server. This is done for security purposes to prevent
+# UNIX clients creating symlinks to areas of the server file system that the
+# administrator does not wish to export.
+#
+# Setting allow insecure wide links to true disables the link between these two
+# parameters, removing this protection and allowing a site to configure the server
+# to follow symlinks (by setting wide links to "true") even when unix extensions is
+# turned on.
+#
+# It is not recommended to enable this option unless you fully understand the
+# implications of allowing the server to follow symbolic links created by UNIX clients.
+# For most normal Samba configurations this would be considered a security hole and
+# setting this parameter is not recommended.
+#
+# This option was added at the request of sites who had deliberately set Samba up
+# in this way and needed to continue supporting this functionality without having to
+# patch the Samba code.
+#
+# Default: allow insecure wide links = no
+#
+ allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
+
 #======================= Share Definitions ======================= # {{ ansible_managed }}
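Review bot: `allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}` renders the variable verbatim, so a host that sets a plain YAML boolean instead of the `!!str yes`/`!!str no` form used in host_vars emits `True`/`False`, and a mistyped value produces a line that Samba's boolean parser does not accept, which only surfaces when testparm or smbd reads the rendered file. Normalizing with `{{ samba_allow_insecure_wide_links|default('no')|bool|ternary('yes', 'no') }}` keeps the output to the two documented spellings and matches the `|bool` check the share loop already applies to `vfs_object_recycle`. The section this directive belongs to begins before the hunk.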
@@ -368,6 +392,26 @@ force group = +{{ item.group_write_list }} {% endif %}
+{%- if item.wide_links is defined and item.wide_links|length > 0 %}
+ # This parameter controls whether or not links in the UNIX file system may be
+ # followed by the server. Links that point to areas within the directory tree
+ # exported by the server are always allowed; this parameter controls access only to
+ # areas that are outside the directory tree being exported.
+ #
+ # Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
+ # clients to create symbolic links on the share that can point to files or
+ # directories outside restricted path exported by the share definition. This can
+ # cause access to areas outside of the share. Due to this problem, this paramete
+ # will be automatically disabled (with a message in the log file) if the unix
+ # extensions option is on.
+ #
+ # See the parameter allow insecure wide links if you wish to change this coupling
+ # between the two parameters.
+ #
+ # Default: wide links = no
+ #
+ wide links = yes
+{% endif %}
 {% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} {% if item.recycle_path is defined and item.recycle_path|length > 0 %}
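Review bot: The new share block emits the literal `wide links = yes` regardless of what `item.wide_links` holds, because the guard only checks that the key is defined and non-empty; a share that sets `wide_links: !!str no` to record that it must stay confined would still get wide links enabled. Rendering the value, `wide links = {{ item.wide_links }}`, fits the `!!str yes`/`!!str no` convention the host_vars in this commit use for `writeable` and `guest_ok`; alternatively the condition could be `item.wide_links|bool`, as the `vfs_object_recycle` branch that follows already does. Two smaller points in the same hunk: the pasted comment reads `paramete` for `parameter`, and `{%- if` strips the newline before it while the neighbouring `{% if` tags do not, which looks unintentional. The share loop enclosing this block starts and ends outside the hunk.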