Add support of insecure wide links

group_vars/all/main.yml

@@ -2941,6 +2941,10 @@ samba_netbios_name:
 #
 samba_server_min_protocol: []
 
+# samba_allow_insecure_wide_links
+#
+samba_allow_insecure_wide_links: !!str no
+
 samba_groups: []
 
 # samba_user:

host_vars/file-fm.fm.netz.yml

@@ -189,6 +189,20 @@ default_user:
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
 
+
+  - name: borg
+    user_id: 1065
+    group_id: 1065
+    group: borg
+    home: /home/borg
+    password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUvk8+UduCcBbQO1YxXSU8SaGIl8x+TBmIFmPb9JQu8 root@gw-fm'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0ibOee8TvYlrEzKno5J6h3ZQs79i0wPElqYvQxAymK root@file-fm'
+
 #extra_user:
 #
 #  - name: borg
@@ -217,10 +231,25 @@ cron_user_entries:
     job: /root/crontab/backup-rborg2/rborg2.sh
 
   - name: "Check if postfix mailservice is running. Restart service if needed."
-    minute: "*/5"
+    minute: "*/11"
     hour: "*"
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if ntpsec is running. Restart service if needed."
+    minute: "*/7"
+    hour: "*"
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: "*/13"
+    hour: "*"
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if systemd-resolved service is running. Restart service if needed."
+    minute: "*/17"
+    hour: "*"
+    job: /root/bin/monitoring/check_systemd_service.sh systemd-resolved
+
   - name: "Check Postfix E-Mail LOG file for 'fatal' errors."
     minute: "*/30"
     hour: "*"
@@ -236,11 +265,6 @@ cron_user_entries:
     hour: "23"
     job: /root/bin/samba/set_permissions_samba_shares.sh
 
-  - name: "Check if ntpsec is running. Restart service if needed."
-    minute: "*/6"
-    hour: "*"
-    job: /root/bin/monitoring/check_ntpsec_service.sh
-
 
 cron_user_special_time_entries:
 
@@ -385,6 +409,11 @@ samba_user:
           6631333038306462610a356535633265633563633962333137326533633834636331343562633765
           3631
 
+  - name: agnieszka
+    groups:
+      - buero
+    password: '20%4gni_eszk4-25-'
+
   - name: anja
     groups:
       - buero
@@ -392,11 +421,6 @@ samba_user:
       - verwaltung
     password: '20-4nj4.m4y3r_25?'
 
-  - name: agnieszka
-    groups:
-      - buero
-    password: '20%4gni_eszk4-25-'
-
   - name: anna
     groups:
       - buero
@@ -433,7 +457,7 @@ samba_user:
     groups:
       - buero
       - projekte
-    password: '20-l1nda_hu3p3r.25%'
+    password: '20-l1n-d4.25%'
 
   - name: michael
     groups:

host_vars/zapata.opp.netz.yml

@@ -203,6 +203,8 @@ samba_netbios_name: ZAPATA
 
 samba_server_min_protocol: !!str NT1
 
+samba_allow_insecure_wide_links: !!str yes
+
 samba_groups:
   - name: buero
     group_id: 1100
@@ -412,6 +414,7 @@ samba_shares:
     group_write_list: buero
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    wide_links: !!str yes
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -440,8 +443,8 @@ samba_shares:
     path: /data/backup
     browseable: !!str yes
     read_only: !!str yes
-    writeable: !!str  no
+    writeable: !!str no
-    guest_ok: !!str  no
+    guest_ok: !!str no
     file_create_mask: !!str 0664
     dir_create_mask: !!str 0755
     vfs_object_recycle: false

hosts

@@ -180,7 +180,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
-mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -210,9 +209,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org
 
-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de
 
@@ -259,9 +255,6 @@ cp-flr.oopen.de
 # Kotti-Coop e.V.
 o41.oopen.de
 
-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de
@@ -390,7 +383,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -420,9 +412,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org
 
-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de
 
@@ -470,9 +459,6 @@ cp-flr.oopen.de
 o41.oopen.de
 g.mx.oopen.de
 
-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de
@@ -866,16 +852,12 @@ mm-migration.oopen.de
 # o24.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de
 
 # Hetzner Cloud CX31 - AK
 
 # o29.oopen.de . Dissens
 cl-dissens.oopen.de
 
-# etventure
-o32.oopen.de
-
 # Nextcloud / DokuWiki VBER
 o34.oopen.de
 
@@ -1004,7 +986,6 @@ mm-migration.oopen.de
 # o24.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de
 
 # o27.oopen.de
 mail.faire-mobilitaet.de
@@ -1101,7 +1082,6 @@ cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de
 
 # Hetzner Cloud CX31 - AK
 
@@ -1122,9 +1102,6 @@ cloud.akweb.de
 web.cadus.org
 mail.cadus.org
 
-# etventure
-o32.oopen.de
-
 # Nextcloud / DokuWiki VBER
 o34.oopen.de
 
@@ -1442,9 +1419,6 @@ ga-al-kvm3.ga.netz
 # Kotti-Coop e.V.
 o41.oopen.de
 
-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # o43 - ND App
 formbricks-nd.oopen.de
 test-nd.oopen.de
@@ -1474,7 +1448,6 @@ o27.oopen.de
 o29.oopen.de
 o30.oopen.de
 o31.oopen.de
-o32.oopen.de
 o34.oopen.de
 o35.oopen.de
 o36.oopen.de
@@ -1583,7 +1556,6 @@ cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de
 
 # - o27.oopen.de
 cl-fm.oopen.de
@@ -1598,9 +1570,6 @@ cl-dissens.oopen.de
 meet.akweb.de
 cloud.akweb.de
 
-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de
 
@@ -1789,7 +1758,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
-mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -1819,9 +1787,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org
 
-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de
 
@@ -1869,9 +1834,6 @@ cp-flr.oopen.de
 # Kotti-Coop e.V.
 o41.oopen.de
 
-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de

roles/common/templates/etc/samba/smb.conf.j2

@@ -269,6 +269,30 @@
 # public shares, not just authenticated ones
    usershare allow guests = yes
 
+# In normal operation the option wide links which allows the server to follow
+# symlinks outside of a share path is automatically disabled when unix extensions
+# are enabled on a Samba server. This is done for security purposes to prevent
+# UNIX clients creating symlinks to areas of the server file system that the
+# administrator does not wish to export.
+#
+# Setting allow insecure wide links to true disables the link between these two
+# parameters, removing this protection and allowing a site to configure the server
+# to follow symlinks (by setting wide links to "true") even when unix extensions is
+# turned on.
+#
+# It is not recommended to enable this option unless you fully understand the
+# implications of allowing the server to follow symbolic links created by UNIX clients.
+# For most normal Samba configurations this would be considered a security hole and
+# setting this parameter is not recommended.
+#
+# This option was added at the request of sites who had deliberately set Samba up
+# in this way and needed to continue supporting this functionality without having to
+# patch the Samba code.
+#
+#    Default: allow insecure wide links = no
+#
+    allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
+
 #======================= Share Definitions =======================
 
 # {{ ansible_managed }}
@@ -368,6 +392,26 @@
 
    force group = +{{ item.group_write_list }}
 {%    endif %}
+{%-  if item.wide_links is defined and item.wide_links|length > 0 %}
+   # This parameter controls whether or not links in the UNIX file system may be
+   # followed by the server. Links that point to areas within the directory tree
+   # exported by the server are always allowed; this parameter controls access only to
+   # areas that are outside the directory tree being exported.
+   #
+   # Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
+   # clients to create symbolic links on the share that can point to files or
+   # directories outside restricted path exported by the share definition. This can
+   # cause access to areas outside of the share. Due to this problem, this paramete
+   # will be automatically disabled (with a message in the log file) if the unix
+   # extensions option is on.
+   #
+   # See the parameter allow insecure wide links if you wish to change this coupling
+   # between the two parameters.
+   #
+   # Default: wide links = no
+   #
+   wide links = yes
+{%    endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}