JBY Technologies

Symbolic And Wide Links in Samba

A symbolic link in Unix and Linux performs a similar function to a shortcut in Windows... it provides a path to a file. In response to a potential exploit in Samba Client, the Samba project changed the default handling of links within shared folders a couple of years ago. Newer versions of Samba are configured by default not to follow symbolic links that point outside of the shared folder. If you upgrade from an older version of Samba to a newer one, you might need to make the following changes in smb.conf if users are unable to follow symbolic links pointing outside the share...

  follow symlinks = yes
  wide links = yes

By default, Samba turns off Unix Extensions when you set wide links to yes. If you need Unix Extensions and wide links both set to yes, Samba offers this option:

  allow insecure wide links = yes

wide links and follow symlinks are share specific parameters. unix extensions and allow insecure wide links are global parameters.

From the Samba documentation:

allow insecure wide links (G)

In normal operation the option wide links which allows the server to follow symlinks outside of a share path is automatically disabled when unix extensions are enabled on a Samba server. This is done for security purposes to prevent UNIX clients creating symlinks to areas of the server file system that the administrator does not wish to export.

Setting allow insecure wide links to true disables the link between these two parameters, removing this protection and allowing a site to configure the server to follow symlinks (by setting wide links to "true") even when unix extensions is turned on.

If is not recommended to enable this option unless you fully understand the implications of allowing the server to follow symbolic links created by UNIX clients. For most normal Samba configurations this would be considered a security hole and setting this parameter is not recommended.

This option was added at the request of sites who had deliberately set Samba up in this way and needed to continue supporting this functionality with allow insecure wide links without having to patch the Samba code.

Default: allow insecure wide links = no

unix extensions (G)

This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

Note if this parameter is turned on, the wide links parameter will automatically be disabled.

See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.

Default: unix extensions = yes

Bookmark and Share

Legal Notices