Add support of insecure wide links

update..
2025-08-20 10:24:35 +02:00 · 2025-08-10 10:19:51 +02:00
5 changed files with 89 additions and 52 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -2941,6 +2941,10 @@ samba_netbios_name:
 #
 samba_server_min_protocol: []

+# samba_allow_insecure_wide_links
+#
+samba_allow_insecure_wide_links: !!str no
+
 samba_groups: []

 # samba_user:
--- a/host_vars/file-fm.fm.netz.yml
+++ b/host_vars/file-fm.fm.netz.yml
@ -189,6 +189,20 @@ default_user:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'

+
+  - name: borg
+    user_id: 1065
+    group_id: 1065
+    group: borg
+    home: /home/borg
+    password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUvk8+UduCcBbQO1YxXSU8SaGIl8x+TBmIFmPb9JQu8 root@gw-fm'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0ibOee8TvYlrEzKno5J6h3ZQs79i0wPElqYvQxAymK root@file-fm'
+
 #extra_user:
 #
 #  - name: borg
@ -217,10 +231,25 @@ cron_user_entries:
    job: /root/crontab/backup-rborg2/rborg2.sh

  - name: "Check if postfix mailservice is running. Restart service if needed."
-    minute: "*/5"
+    minute: "*/11"
    hour: "*"
    job: /root/bin/monitoring/check_postfix.sh

+  - name: "Check if ntpsec is running. Restart service if needed."
+    minute: "*/7"
+    hour: "*"
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: "*/13"
+    hour: "*"
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if systemd-resolved service is running. Restart service if needed."
+    minute: "*/17"
+    hour: "*"
+    job: /root/bin/monitoring/check_systemd_service.sh systemd-resolved
+
  - name: "Check Postfix E-Mail LOG file for 'fatal' errors."
    minute: "*/30"
    hour: "*"
@ -236,11 +265,6 @@ cron_user_entries:
    hour: "23"
    job: /root/bin/samba/set_permissions_samba_shares.sh

-  - name: "Check if ntpsec is running. Restart service if needed."
-    minute: "*/6"
-    hour: "*"
-    job: /root/bin/monitoring/check_ntpsec_service.sh
-

 cron_user_special_time_entries:

@ -385,6 +409,11 @@ samba_user:
          6631333038306462610a356535633265633563633962333137326533633834636331343562633765
          3631

+  - name: agnieszka
+    groups:
+      - buero
+    password: '20%4gni_eszk4-25-'
+
  - name: anja
    groups:
      - buero
@ -392,11 +421,6 @@ samba_user:
      - verwaltung
    password: '20-4nj4.m4y3r_25?'

-  - name: agnieszka
-    groups:
-      - buero
-    password: '20%4gni_eszk4-25-'
-
  - name: anna
    groups:
      - buero
@ -433,7 +457,7 @@ samba_user:
    groups:
      - buero
      - projekte
-    password: '20-l1nda_hu3p3r.25%'
+    password: '20-l1n-d4.25%'

  - name: michael
    groups:
--- a/host_vars/zapata.opp.netz.yml
+++ b/host_vars/zapata.opp.netz.yml
@ -203,6 +203,8 @@ samba_netbios_name: ZAPATA

 samba_server_min_protocol: !!str NT1

+samba_allow_insecure_wide_links: !!str yes
+
 samba_groups:
  - name: buero
    group_id: 1100
@ -412,6 +414,7 @@ samba_shares:
    group_write_list: buero
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    wide_links: !!str yes
    vfs_object_recycle: true
    recycle_path: '@Recycle'

--- a/38
+++ b/38
@ -180,7 +180,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
-mm-irights-migration.oopen.de

 # IL - PAD
 o25.oopen.de
@ -210,9 +209,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org

-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de

@ -259,9 +255,6 @@ cp-flr.oopen.de
 # Kotti-Coop e.V.
 o41.oopen.de

-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de
@ -390,7 +383,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de

 # IL - PAD
 o25.oopen.de
@ -420,9 +412,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org

-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de

@ -470,9 +459,6 @@ cp-flr.oopen.de
 o41.oopen.de
 g.mx.oopen.de

-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de
@ -866,16 +852,12 @@ mm-migration.oopen.de
 # o24.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de

 # Hetzner Cloud CX31 - AK

 # o29.oopen.de . Dissens
 cl-dissens.oopen.de

-# etventure
-o32.oopen.de
-
 # Nextcloud / DokuWiki VBER
 o34.oopen.de

@ -1004,7 +986,6 @@ mm-migration.oopen.de
 # o24.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de

 # o27.oopen.de
 mail.faire-mobilitaet.de
@ -1101,7 +1082,6 @@ cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de

 # Hetzner Cloud CX31 - AK

@ -1122,9 +1102,6 @@ cloud.akweb.de
 web.cadus.org
 mail.cadus.org

-# etventure
-o32.oopen.de
-
 # Nextcloud / DokuWiki VBER
 o34.oopen.de

@ -1442,9 +1419,6 @@ ga-al-kvm3.ga.netz
 # Kotti-Coop e.V.
 o41.oopen.de

-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # o43 - ND App
 formbricks-nd.oopen.de
 test-nd.oopen.de
@ -1474,7 +1448,6 @@ o27.oopen.de
 o29.oopen.de
 o30.oopen.de
 o31.oopen.de
-o32.oopen.de
 o34.oopen.de
 o35.oopen.de
 o36.oopen.de
@ -1583,7 +1556,6 @@ cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
 ga-st-mm.ga.netz
-mm-irights-migration.oopen.de

 # - o27.oopen.de
 cl-fm.oopen.de
@ -1598,9 +1570,6 @@ cl-dissens.oopen.de
 meet.akweb.de
 cloud.akweb.de

-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de

@ -1789,7 +1758,6 @@ o24.oopen.de
 cl-irights.oopen.de
 cl-irights-neu.oopen.de
 mm-irights.oopen.de
-mm-irights-migration.oopen.de

 # IL - PAD
 o25.oopen.de
@ -1819,9 +1787,6 @@ o31.oopen.de
 mail.cadus.org
 web.cadus.org

-# etventure
-o32.oopen.de
-
 # BigBlueButton - O.OPEN
 o33.oopen.de

@ -1869,9 +1834,6 @@ cp-flr.oopen.de
 # Kotti-Coop e.V.
 o41.oopen.de

-# AgR - Shop
-shop-dev.aufstehen-gegen-rassismus.de
-
 # RAV
 o42.oopen.de
 mm-rav.oopen.de
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
@ -269,6 +269,30 @@
 # public shares, not just authenticated ones
   usershare allow guests = yes

+# In normal operation the option wide links which allows the server to follow
+# symlinks outside of a share path is automatically disabled when unix extensions
+# are enabled on a Samba server. This is done for security purposes to prevent
+# UNIX clients creating symlinks to areas of the server file system that the
+# administrator does not wish to export.
+#
+# Setting allow insecure wide links to true disables the link between these two
+# parameters, removing this protection and allowing a site to configure the server
+# to follow symlinks (by setting wide links to "true") even when unix extensions is
+# turned on.
+#
+# It is not recommended to enable this option unless you fully understand the
+# implications of allowing the server to follow symbolic links created by UNIX clients.
+# For most normal Samba configurations this would be considered a security hole and
+# setting this parameter is not recommended.
+#
+# This option was added at the request of sites who had deliberately set Samba up
+# in this way and needed to continue supporting this functionality without having to
+# patch the Samba code.
+#
+#    Default: allow insecure wide links = no
+#
+    allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
+
 #======================= Share Definitions =======================

 # {{ ansible_managed }}
@ -368,6 +392,26 @@

   force group = +{{ item.group_write_list }}
 {%    endif %}
+{%-  if item.wide_links is defined and item.wide_links|length > 0 %}
+   # This parameter controls whether or not links in the UNIX file system may be
+   # followed by the server. Links that point to areas within the directory tree
+   # exported by the server are always allowed; this parameter controls access only to
+   # areas that are outside the directory tree being exported.
+   #
+   # Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
+   # clients to create symbolic links on the share that can point to files or
+   # directories outside restricted path exported by the share definition. This can
+   # cause access to areas outside of the share. Due to this problem, this paramete
+   # will be automatically disabled (with a message in the log file) if the unix
+   # extensions option is on.
+   #
+   # See the parameter allow insecure wide links if you wish to change this coupling
+   # between the two parameters.
+   #
+   # Default: wide links = no
+   #
+   wide links = yes
+{%    endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}
Author	SHA1	Message	Date
Christoph	d7cab54470	Add support of insecure wide links	2025-08-20 10:24:35 +02:00
Christoph	b64076ed5d	update..	2025-08-10 10:19:51 +02:00