Scénario #33401: EOLE 2.9 : Gestion "wide links = yes" à vérifier - Distribution EOLE - Ensemble Ouvert Libre Évolutif

Scénario #33401

EOLE 2.9 : Gestion "wide links = yes" à vérifier

Added by Gilles Grandgérard almost 2 years ago. Updated over 1 year ago.

Status:

Terminé (Sprint)

Priority:

Normal

Assigned To:

Laurent Gourvenec

Category:

Target version:

Prestation Cadoles MEN 2022 13-15

Start date:

03/28/2022

Due date:

04/15/2022

% Done:

100%

Story points:

1.0

Remaining (hours):

0.00 hour

Velocity based estimate:

Release:

EOLE 2.9.0

Release relationship:

Auto

Description

https://www.samba.org/samba/history/samba-4.13.0.html

wide links functionality
------------------------

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

Subtasks

Associated revisions

Revision 8c115706 (diff)
Added by Joël Cuissinat almost 2 years ago

Revert "test_scribe.py : add "vers" option in mount commands"

This reverts commit f46d05dcb99dc1a8c3322d16fae7af8909dd2481

Ref: #33401

Revision 7e0ee625 (diff)
Added by Joël Cuissinat almost 2 years ago

unit tests : add domain to mount options

Ref: #33401

Revision cb793b3b
Added by Joël Cuissinat almost 2 years ago

Merge branch '2.8.0/master'

Conflicts:
tests/test_scribe.py

Ref: #33401

History

#1 Updated by Joël Cuissinat almost 2 years ago

Status changed from Nouveau to En cours

#2 Updated by Joël Cuissinat almost 2 years ago

Assigned To set to Joël Cuissinat

En 2.8.0, un simple montage CIFS renvoie : mount error(13): Permission denied, cf. https://dev-eole.ac-dijon.fr/jenkins/job/2.8.0/job/test-moduletests-scribe-2.8.0-amd64

En 2.7.2, le code suivant est fonctionnel :

mkdir -p /tmp/home
changepasswordeole.pl admin Eole123456
mount -t cifs //127.0.0.1/professeurs /tmp/home -o username=admin,password=Eole123456,vers=3.0,_netdev
umount /tmp/home

Mais, sur le membre, on conservé le samba de la distribution (bionic : 4.7.6) et donc la 2.7.2 n'est pas affectée par la suppression du "wide links".

#3 Updated by Joël Cuissinat almost 2 years ago

On est (pour l'instant) pas impacté puisque le module est chargé automatiquement dans notre cas :

this vfs module is implicitly loaded [...] if "wide links = yes" is enabled on the share

#4 Updated by Joël Cuissinat almost 2 years ago

Étrangement, le mount fonctionne si on lui déclare explicitement le nom du domaine !

root@scribe:~# mount.cifs -o username=admin,domain=domscribe.ac-test.fr,vers=3.0,_netdev //scribe/commun /tmp/classe
Password for admin@//scribe/commun: **********
root@scribe:~# ls /tmp/classe/
logiciels travail

Avec cette correction, les tests unitaires Scribe 2.8 devraient être de nouveau passants :