Bug 1925192 - Write a RN about the changed "wide links" feature in Samba 4.13.0
Summary: Write a RN about the changed "wide links" feature in Samba 4.13.0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: doc-Release_Notes-8-en-US
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 8.4
Assignee: Lucie Maňásková
QA Contact: RHEL DPM
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-02-04 15:01 UTC by Marc Muehlfeld
Modified: 2021-06-11 06:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.The Samba `wide links` feature has been converted to a VFS module
Previously, the `wide links` parameter was part of the `smbd` service's core functionality. Enabling this feature is insecure and, therefore, has been moved into a separate virtual file system (VFS) module named `widelinks`. For backward compatibility, Samba in RHEL 8.4 automatically loads this module for shares that have `wide links = yes` set in their configuration.

Important: Red Hat recommends not to use the insecure `wide links` feature. Instead, use a `bind mount` to mount a part of the file hierarchy to a directory that you shared in Samba. For details about configuring a bind mount, see the `Bind mount operation` section in the `mount(8)` man page.

To switch from a configuration that uses `wide links` to `bind mount`:

. For every symbolic link that links outside of a share, replace the link with a `bind mount`. For details, see the `Bind mount operation` section in the `mount(8)` man page.
. Remove all `wide links = yes` entries from the `/etc/samba/smb.conf` file.
. Reload Samba:
+
----
# smbcontrol all reload-config
----
Clone Of:
Environment:
Last Closed: 2021-06-11 06:46:13 UTC
Type: Bug
Target Upstream Version:



Description Marc Muehlfeld 2021-02-04 15:01:12 UTC
Samba 4.13.0 changes how to use the "wide links" parameter:

https://www.samba.org/samba/history/samba-4.13.0.html

wide links functionality

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.



Since this is too much information to mention in the aggregated RN about Samba in RHEL 8.4, we need a separate one.
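
An added example, not part of this bug report, the Red Hat documentation or Samba: a small audit helper for the migration described above. It lists the `smb.conf` sections that still enable `wide links` and the symbolic links under a share root that resolve outside it, which are the links to replace with bind mounts. The function names and the paths in the usage line are assumptions, and GNU `readlink` is assumed.

```shell
#!/bin/sh
# Added example: audit helper for moving from "wide links = yes" to bind mounts.
# Assumes GNU coreutils readlink (-f/-m), as shipped on RHEL.

# Print each smb.conf section that sets "wide links" to a true value
# (yes/true/1). A hit in [global] applies to every share that does not
# override it.
wide_link_sections() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/[ \t]/, "", val)
            if (key == "widelinks" && (val == "yes" || val == "true" || val == "1"))
                print sec
        }
    ' "$1"
}

# Print "link<TAB>resolved target" for every symlink under share root $1 that
# resolves outside the root. Each hit needs a bind mount in place of the link.
escaping_symlinks() (
    root=$(readlink -f -- "$1") || exit 1
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link do
            target=$(readlink -m -- "$link")   # -m: resolve dangling links too
            case $target in
                "$root"|"$root"/*) ;;          # stays inside the share
                *) printf "%s\t%s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +
)

# Usage (example paths): sh audit.sh /etc/samba/smb.conf /srv/samba/share
if [ "$#" -eq 2 ]; then
    wide_link_sections "$1"
    escaping_symlinks "$2"
fi
```
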

Comment 10 CongLi 2021-05-26 06:12:09 UTC
Hi,

Since the issue described in this bug should be resolved (VERIFIED), could you please close this bug with resolution 'CURRENTRELEASE' if this bug got fixed?

If the fix for this is not released yet, check if this will ever get fixed. In case of a negative answer then please change it as WONTFIX.

If there's anything else to be done on this BZ, if it's still active, not released yet and we actually intend to release it, then please ignore my message.

Please note: for those bugs which are not included in errata, please add 'TestOnly' keyword, and those bugs with 'TestOnly' keyword will be closed automatically after GA.
TestOnly: Use this when there is no code delivery involved, or for use when code is already upstream and will be incorporated automatically to the next release for testing purposes only.

Thank you.

