Project

General

Profile

Scénario #33401

EOLE 2.9 : Gestion "wide links = yes" à vérifier

Added by Gilles Grandgérard over 2 years ago. Updated about 2 years ago.

Status:
Terminé (Sprint)
Priority:
Normal
Assigned To:
Category:
-
Start date:
03/28/2022
Due date:
04/15/2022
% Done:

100%

Story points:
1.0
Remaining (hours):
0.00 hour
Velocity based estimate:
Release:
Release relationship:
Auto

Description

https://www.samba.org/samba/history/samba-4.13.0.html

wide links functionality
------------------------

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.


Subtasks

Tâche #34011: Vérification du "wide links = yes" en 2.9.0FerméLaurent Gourvenec

Associated revisions

Revision 8c115706 (diff)
Added by Joël Cuissinat over 2 years ago

Revert "test_scribe.py : add "vers" option in mount commands"

This reverts commit f46d05dcb99dc1a8c3322d16fae7af8909dd2481

Ref: #33401

Revision 7e0ee625 (diff)
Added by Joël Cuissinat over 2 years ago

unit tests : add domain to mount options

Ref: #33401

Revision cb793b3b
Added by Joël Cuissinat over 2 years ago

Merge branch '2.8.0/master'

Conflicts:
tests/test_scribe.py

Ref: #33401

History

#1 Updated by Joël Cuissinat over 2 years ago

  • Status changed from Nouveau to En cours

#2 Updated by Joël Cuissinat over 2 years ago

  • Assigned To set to Joël Cuissinat

En 2.8.0, un simple montage CIFS renvoie : mount error(13): Permission denied, cf. https://dev-eole.ac-dijon.fr/jenkins/job/2.8.0/job/test-moduletests-scribe-2.8.0-amd64

En 2.7.2, le code suivant est fonctionnel :

mkdir -p /tmp/home
changepasswordeole.pl admin Eole123456
mount -t cifs //127.0.0.1/professeurs /tmp/home -o username=admin,password=Eole123456,vers=3.0,_netdev
umount /tmp/home

Mais, sur le membre, on conservé le samba de la distribution (bionic : 4.7.6) et donc la 2.7.2 n'est pas affectée par la suppression du "wide links".

#3 Updated by Joël Cuissinat over 2 years ago

On est (pour l'instant) pas impacté puisque le module est chargé automatiquement dans notre cas :

this vfs module is implicitly loaded [...] if "wide links = yes" is enabled on the share

#4 Updated by Joël Cuissinat over 2 years ago

Étrangement, le mount fonctionne si on lui déclare explicitement le nom du domaine !

root@scribe:~# mount.cifs -o username=admin,domain=domscribe.ac-test.fr,vers=3.0,_netdev //scribe/commun /tmp/classe
Password for admin@//scribe/commun: **********
root@scribe:~# ls /tmp/classe/
logiciels travail

Avec cette correction, les tests unitaires Scribe 2.8 devraient être de nouveau passants :

#5 Updated by Joël Cuissinat over 2 years ago

  • Status changed from En cours to Nouveau
  • Parent task deleted (#33397)

#6 Updated by Joël Cuissinat over 2 years ago

  • Tracker changed from Tâche to Scénario
  • Target version deleted (sprint 2021 46-49 Equipe MENSR)
  • Start date deleted (11/15/2021)
  • Release set to EOLE 2.9.0

#7 Updated by Joël Cuissinat over 2 years ago

  • Subject changed from Gestion "wide links = yes" à voir sur EOLE 2.7.2&+ to Gestion "wide links = yes" à voir sur EOLE 2.9

#8 Updated by Joël Cuissinat over 2 years ago

  • Subject changed from Gestion "wide links = yes" à voir sur EOLE 2.9 to EOLE 2.9 : Gestion "wide links = yes" à vérifier

#9 Updated by Joël Cuissinat over 2 years ago

  • Assigned To deleted (Joël Cuissinat)

#10 Updated by Gilles Grandgérard over 2 years ago

  • Release changed from EOLE 2.9.0 to Carnet de produit (Cadoles)

#11 Updated by Joël Cuissinat over 2 years ago

  • Story points set to 1.0

#12 Updated by Gilles Grandgérard about 2 years ago

Samba est en 4.15

#13 Updated by Emmanuel GARETTE about 2 years ago

  • Due date set to 04/15/2022
  • Assigned To set to Laurent Gourvenec
  • Target version set to Prestation Cadoles MEN 2022 13-15
  • Start date set to 03/28/2022

#14 Updated by Laurent Gourvenec about 2 years ago

  • Status changed from Nouveau to En cours
  • % Done changed from 0 to 100

#15 Updated by Emmanuel GARETTE about 2 years ago

  • Status changed from En cours to Résolu

#16 Updated by Gilles Grandgérard about 2 years ago

  • Status changed from Résolu to Terminé (Sprint)

#17 Updated by Joël Cuissinat about 2 years ago

  • Release changed from Carnet de produit (Cadoles) to EOLE 2.9.0

Also available in: Atom PDF