Comment 1 for bug 1702529

Dave Kettmann (dkettman) wrote :

From Samba bug:

I know this is an unusual scenario: sharing the entire filesytem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.

For the test I used 4.6.5 with the patch for bug #12860.

This is the smb.conf:
[global]
    server string = %h server (Samba, Ubuntu)
    netbios name = xenial
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[rootfs]
    path = /
    follow symlinks = yes
    wide links = no
    read only = no
    guest ok = no
    browseable = yes

/opt has this:
root@xenial-samba-rootfs:~# ls -lah /opt
total 5.0K
drwxr-xr-x 3 root root 6 Jul 3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r-- 1 root root 6 Jul 3 20:01 file.txt
lrwxrwxrwx 1 root root 16 Jul 3 20:01 symlink-to-directory -> target-directory
lrwxrwxrwx 1 root root 8 Jul 3 20:01 symlink-to-file -> file.txt
drwxr-xr-x 2 root root 2 Jul 3 20:01 target-directory

This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
  . D 0 Mon Jul 3 20:01:36 2017
  .. D 0 Mon Jul 3 20:01:49 2017

        244825344 blocks of size 1024. 244392448 blocks available

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)

But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\symlink-to-directory\*

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED opening remote file \opt\symlink-to-file