Using symbolic links from SMB (Win XP) clients

colin_e
Rookie
Posts: 31
Joined: Sun Dec 03, 2006 1:18 pm
Location: Nr. Reading, UK

Using symbolic links from SMB (Win XP) clients

Postby colin_e » Thu Jan 01, 2009 3:29 pm

System: Cubestation 406
Firmware: 2.0.3 - 0459
Clients: Mostly Win XP SP2, just adding a Vista laptop

I have 5 user accounts for my family members mounted on my CS406. Each user's My Documents is mounted as a private share on the Cubestation, plus I have shared content on /photo and /music.

I want to move everyone's My Pictures folders out of their private shares and into subdirectories of the photo share. This will allow the photostation to preview their pics, and move the bulk files into the right place.

So I tried this on the first user, copied their My Pictures to a subfolder of /photo, deleted My Pictures, then (using telnet) made a symbolic link with the name My Pictures that points at the folder under /photo.

Locally on the Cubestation this looks fine, but the client Win Xp machine just reports "permission denied" if I try to follow the My Pictures link. A few more tests seem to show that the XP clients are unable to deal with any symbolic link, even one within a single filesystem.

This is very strange. Using symlinks like this to move large folders between filesystems is common practice, and I'm sure I have done this in the past with other Samba servers, and the Windoze clients literally can't tell they are following a link. Has something been done to the Synology to disable sym links in Samba?
Regards: Colin
Franklin
Synology Inc
Posts: 6662
Joined: Sat Oct 14, 2006 11:33 pm
Location: Washington, USA

Re: Using symbolic links from SMB (Win XP) clients

Postby Franklin » Wed Jan 07, 2009 1:20 am

Greetings colin_e

Access to Symbolic Links via Samba/FTP was disabled due to security concerns.

Hope this helps, have a good day.
**Franklin is not available**
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**
tipsen
Sharp
Posts: 155
Joined: Wed Aug 08, 2007 1:31 pm
Location: Denmark

Re: Using symbolic links from SMB (Win XP) clients

Postby tipsen » Wed Jan 07, 2009 1:50 pm

Franklin wrote:Access to Symbolic Links via Samba/FTP was disabled due to security concerns.

I've encountered the same problem in the past - is there any way to enable this feature again?
/Tommy
DS-212 / DSM 4.1-2636 / 2 x Seagate ST2000DL003-9VT1 2TB (Non-Raid) / Squeezebox Server 7.7.2 (Synology Package) / 2 x Squeezebox Classic + 1 x Boom
colin_e
Rookie
Posts: 31
Joined: Sun Dec 03, 2006 1:18 pm
Location: Nr. Reading, UK

Re: Using symbolic links from SMB (Win XP) clients

Postby colin_e » Sun Jan 11, 2009 10:44 pm

I was hoping you weren't going to say that.

I understand that sym-links will allow a naive admin to accidentally include access to files they may not have intended, but to be honest if you're in there poking around with telnet and the shell then I think you should be allowed control over your own destiny.

I would really like an option in the filestation to turn "follow symbolic links" back on. Especially when you have Windoze clients with their structure of "My Pictures; My Videos; My Music...." all under "My Documents" it becomes a major pain to re-connect all this stuff even for my modest network of 5 PCs and 5 users (that's about 20 Windows shortcuts to re-assign by hand on every machine, after every rebuild. No fun).
Regards: Colin
benjita
I'm New!
Posts: 1
Joined: Sat Jan 17, 2009 8:38 am

Re: Using symbolic links from SMB (Win XP) clients

Postby benjita » Sat Jan 17, 2009 8:45 am

Please bring back symbolic links! Give us the choice to decide when (or when not) to use them, please don't disable this functionality for everybody. If a person is smart enough to create a link, they are probably smart enough to learn or understand what the security implications around them are.

Thanks...
Ben
CodE-E
Trainee
Posts: 12
Joined: Sat Jan 10, 2009 11:32 am

Re: Using symbolic links from SMB (Win XP) clients

Postby CodE-E » Sun Jan 25, 2009 11:52 am

/signed

I would also very much like to have symbolic links work with my Synology shares. I want to have one "data" share, which contains "video", "music", "photo", "web", so that I can mount that as a single drive on Windows.

As Benjita said, if one's able to use SSH and create symbolic links, one should be experienced enough to know not to give everyone access to system folders.
tipsen
Sharp
Posts: 155
Joined: Wed Aug 08, 2007 1:31 pm
Location: Denmark

Re: Using symbolic links from SMB (Win XP) clients

Postby tipsen » Tue Jan 27, 2009 12:32 am

Is it possible to make a feature request anywhere on Synology's website?
DS-212 / DSM 4.1-2636 / 2 x Seagate ST2000DL003-9VT1 2TB (Non-Raid) / Squeezebox Server 7.7.2 (Synology Package) / 2 x Squeezebox Classic + 1 x Boom
R-T
Trainee
Posts: 10
Joined: Sat May 31, 2008 12:59 am

Re: Using symbolic links from SMB (Win XP) clients

Postby R-T » Sun Feb 08, 2009 2:41 am

Disclaimer: The following workaround is not approved nor endorsed by Synology. By applying these instructions, you shall do so knowing fully that if things break down (data loss, or inoperable system), no one can be held accountable but yourself. USE AT YOUR OWN RISK.


Here are the relevant changes to the samba source code (lnxsamba3020 in the source tarball) that were added by Synology [GPL]:

Code: Select all

--- synogpl-722/source/SAMBA_3_0_RELEASE/source/smbd/nttrans.c   Sun Feb 08 01:44:54 2009
+++ synogpl-722/source/lnxsamba3020/source/smbd/nttrans.c   Thu Oct 09 06:56:40 2008
@@ -663,4 +663,16 @@
    }
+
+#ifdef MY_ABC_HERE
+   // disable open symbolic link file
+   {
+      struct stat st;                  
+      lstat(fname, &st);
+      if (S_ISLNK(st.st_mode)) {               
+         END_PROFILE(SMBntcreateX);
+         return ERROR_NT(NT_STATUS_ACCESS_DENIED);
+      }
+   }
+#endif
    
    /*
     * Now contruct the smb_open_mode value from the filename,
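
Review bot: the return value of lstat(fname, &st) is ignored in the added block, so when the call fails (for example because the name does not exist yet) S_ISLNK(st.st_mode) reads an uninitialised struct stat and the request can be refused or allowed unpredictably. Test the result first, e.g. if (lstat(fname, &st) == 0 && S_ISLNK(st.st_mode)). lstat also reports only on the final path component, so a path that passes through a symlinked parent directory is not caught by this test, and the guard name MY_ABC_HERE says nothing about what it enables.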

Code: Select all

--- synogpl-722/source/SAMBA_3_0_RELEASE/source/smbd/trans2.c   Sun Feb 08 01:51:43 2009
+++ synogpl-722/source/lnxsamba3020/source/smbd/trans2.c   Thu Oct 09 06:56:40 2008
@@ -3481,6 +3481,17 @@
          return ERROR_NT(status);
       }
 
+#ifdef MY_ABC_HERE
+      //disable open symblic link dir
+      {
+         struct stat st;                  
+         lstat(fname, &st);
+         if (S_ISLNK(st.st_mode)) {               
+            return ERROR_NT(NT_STATUS_ACCESS_DENIED);
+         }         
+      }
+#endif
+
       RESOLVE_DFSPATH(fname, conn, inbuf, outbuf);
 
       unix_convert(fname,conn,0,&bad_path,&sbuf);
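
Review bot: the added lstat(fname, &st) sits above RESOLVE_DFSPATH and unix_convert in the trailing context, so it inspects the name as received rather than the converted path that is used afterwards; move the test below unix_convert so it checks the same name the rest of the function operates on. As in nttrans.c, the lstat return value is not checked before st.st_mode is read, and the comment has a typo ("symblic").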

Code: Select all

@@ -4971,6 +4982,10 @@
 
          /* Set a symbolic link. */
          /* Don't allow this if follow links is false. */
+#ifdef MY_ABC_HERE
+         //disable create symblic link
+         return(ERROR_DOS(ERRDOS,ERRnoaccess));
+#endif
 
          if (!lp_symlinks(SNUM(conn)))
             return(ERROR_DOS(ERRDOS,ERRnoaccess));
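
Review bot: the unconditional return under MY_ABC_HERE makes the existing if (!lp_symlinks(SNUM(conn))) test, and everything after it in this case, unreachable, so the per-share setting no longer has any effect on symlink creation. If the intent is "off unless the administrator opts in", change the default of the option behind lp_symlinks rather than hard-coding the refusal, and document the behaviour next to the existing "Don't allow this if follow links is false" comment.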


The first two patch entries are disallowing symbolic links when following them (read); while the third one is when they are created (write). As I'm not interested in creation/deletion (those should be done in a shell prompt, imho), I've focused on reading.

As those are merely if-tests, I found it easier to patch the smbd binary, rather than rebuilding from scratch.
(Note: all steps were done on a 207+ ARM architecture FW 2.0.727, YMMV, esp. if the CPU is not the same class)

First of all, make a backup copy of (your data &) the executable:

Code: Select all

cp -p /usr/syno/sbin/smbd /usr/syno/sbin/smbd.savebefore.20090208


The first step is to locate the first patch location, which is made relatively harder by the fact that the code is in compiled (=machine) form.
There are probably many ways to do it; in my case I used IDA to disassemble a local copy of smbd.
When using IDA, I found 2 possibilities:
* You can use the exported name (ELF is not stripped) of the target C function "reply_ntcreate_and_X" to find the location.
* If there's no symbol, you can use one of the hardcoded strings used in this .c source file that are relatively close (e.g. "FAT") and then look for cross-refs to this string.

.text:00058760 loc_58760 ; CODE XREF: reply_ntcreate_and_X+3A4
.text:00058760 ; reply_ntcreate_and_X+424 ...
.text:00058760 MOV R0, #3
.text:00058764 ADD R1, SP, #0x924+var_424
.text:00058768 ADD R2, SP, #0x924+var_8E4
.text:0005876C BL sub_3D310
.text:00058770 LDR R3, [SP,#0x924+var_8D4] << the following instructions are the S_ISLNK test (C macro / bitmasking)
.text:00058774 AND R3, R3, #0xF000
.text:00058778 CMP R3, #0xA000
.text:0005877C BNE loc_587A8
.text:00058780 LDR R3, =0x2A2
.text:00058784 STR R3, [SP,#0x924+var_924]
.text:00058788 LDR R3, =aSmbdNttrans_c
.text:0005878C STR R3, [SP,#0x924+var_920]
.text:00058790 LDR R0, [SP,#0x924+var_8F8]
.text:00058794 MOV R1, #0
.text:00058798 MOV R2, R1
.text:0005879C MOV R3, #0xC0000022
.text:000587A0 BL error_packet
.text:000587A4 B loc_59154
.text:000587A8 ; ---------------------------------------------------------------------------
.text:000587A8
.text:000587A8 loc_587A8 ; CODE XREF: reply_ntcreate_and_X+498


See the .text:0005877C BNE loc_587A8 line? This is a jump (Branch if Not Equal). Lines below this instruction are part of the C "then" brace block that bails out, thus we want to avoid it.

=> Force the jump using the B (unconditional Branch).

Code: Select all

50 30 9D E5 0F 3A 03 E2  0A 0A 53 E3 09 00 00 1A
00 3A 9F E5 00 30 8D E5  D0 39 9F E5 04 30 8D E5

becomes, by changing the BNE opcode to B (xx xx xx 1A -> xx xx xx EA):

Code: Select all

50 30 9D E5 0F 3A 03 E2  0A 0A 53 E3 09 00 00 *EA*
00 3A 9F E5 00 30 8D E5  D0 39 9F E5 04 30 8D E5



Similarly, find the second location, and patch:
.text:00072594 loc_72594 ; CODE XREF: sub_720C0+4A8
.text:00072594 MOV R0, #3
.text:00072598 ADD R1, SP, #0x11A0+var_490
.text:0007259C ADD R1, R1, #0xC
.text:000725A0 ADD R2, SP, #0x11A0+var_8F0
.text:000725A4 ADD R2, R2, #0xC
.text:000725A8 BL sub_3D310 << same as above, this "branch and link" opcode is an lstat call
.text:000725AC LDR R3, [SP,#0x11A0+var_8D4]
.text:000725B0 AND R3, R3, #0xF000
.text:000725B4 CMP R3, #0xA000
.text:000725B8 BNE loc_725E4
.text:000725BC LDR R3, =0xDA2
.text:000725C0 STR R3, [SP,#0x11A0+var_11A0]
.text:000725C4 LDR R3, =aSmbdTrans2_c
.text:000725C8 STR R3, [SP,#0x11A0+var_119C]
.text:000725CC LDR R0, [SP,#0x11A0+var_1100]
.text:000725D0 MOV R1, #0
.text:000725D4 MOV R2, R1
.text:000725D8 MOV R3, #0xC0000022
.text:000725DC BL error_packet
.text:000725E0 B loc_74214
.text:000725E4 ; ---------------------------------------------------------------------------
.text:000725E4
.text:000725E4 loc_725E4 ; CODE XREF: sub_720C0+4F8


=> Again, force the B jump.

Code: Select all

0F 3A 03 E2 0A 0A 53 E3  09 00 00 1A FC 3A 9F E5
00 30 8D E5 DC 3A 9F E5  04 30 8D E5 A0 00 9D E5

Code: Select all

0F 3A 03 E2 0A 0A 53 E3  09 00 00 *EA* FC 3A 9F E5
00 30 8D E5 DC 3A 9F E5  04 30 8D E5 A0 00 9D E5


When done, save changes and transfer the executable to the NAS (whichever method), then stop the sharing processes.

Code: Select all

/usr/syno/etc/rc.d/S80samba.sh stop


Then, after making sure backup copies were done:

Code: Select all

 cp /volume1/MyShare/smbd /usr/syno/sbin/smbd


And restart sharing services:

Code: Select all

/usr/syno/etc/rc.d/S80samba.sh restart


Should work.

Take care with symlinks: you can't delete them as if they were regular files using explorer; it's the same issue as junctions in NT
see ya
R-T
ReD-BaRoN
Beginner
Posts: 25
Joined: Sat Jul 25, 2009 2:40 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby ReD-BaRoN » Mon Aug 03, 2009 1:44 am

Is there any update on this feature, i.e. is it still disabled and not configurable? Has anyone tried the patch mentioned above?
wouter1971
I'm New!
Posts: 4
Joined: Wed Feb 04, 2009 9:49 am

Re: Using symbolic links from SMB (Win XP) clients

Postby wouter1971 » Wed Aug 19, 2009 10:55 am

I think there is an easier method. I just inserted into /usr/syno/etc/smb.conf in the GLOBAL section:

follow symlinks = yes
wide symlinks = yes
unix extensions = no

Then:

/usr/syno/etc/rc.d/S80samba.sh restart

Working!
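
With these three settings smbd follows links that leave the share root, which is the kind of unintended access discussed earlier in the thread. As an added example (not part of the original thread, and not Synology or Samba code), this Python script reads an smb.conf, reports the shares where wide links are followed, and lists symlinks under a share that resolve outside it; the sample configuration, the share name homes_colin and the default values passed to enabled() are assumptions.

```python
import os

# Constructed sample mirroring the settings posted in this thread.
SAMPLE_CONF = """\
[global]
follow symlinks = yes
wide symlinks = yes
unix extensions = no
[photo]
path=/volume1/photo
[homes_colin]
wide links = no
"""
ALIASES = {"wide symlinks": "wide links"}  # Samba treats these as synonyms


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased, alias-normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            conf[section][ALIASES.get(key, key)] = value
    return conf


def enabled(conf, share, key, default):
    """Share-level value wins over [global]; `default` is an assumed fallback."""
    value = conf.get(share, {}).get(key, conf.get("global", {}).get(key, default))
    return value.strip().lower() in ("yes", "true", "1")


def shares_following_wide_links(conf):
    """Shares where smbd may follow a link that leaves the share root."""
    if enabled(conf, "global", "unix extensions", "yes"):
        return []  # assumption: later Samba keeps wide links off in this case
    return sorted(s for s in conf if s != "global"
                  and enabled(conf, s, "follow symlinks", "yes")
                  and enabled(conf, s, "wide links", "no"))


def escaping_symlinks(share_root):
    """List (link, resolved target) for symlinks that resolve outside share_root."""
    root, found = os.path.realpath(share_root), []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                target = os.path.realpath(link)
                if os.path.commonpath([root, target]) != root:
                    found.append((link, target))
    return sorted(found)
```

Run escaping_symlinks() on each share path before enabling the settings, so every link that would become reachable over SMB is one that was reviewed.
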
Koesper
Trainee
Posts: 17
Joined: Sun Mar 08, 2009 2:40 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby Koesper » Sun Aug 23, 2009 12:40 pm

wouter1971 wrote:I think there is an easier method. I just inserted into /usr/syno/etc/smb.conf in the GLOBAL section:

follow symlinks = yes
wide symlinks = yes
unix extensions = no

Then:

/usr/syno/etc/rc.d/S80samba.sh restart


Thanks for this! works like a charm!
pepa_u
I'm New!
Posts: 3
Joined: Fri Sep 04, 2009 1:50 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby pepa_u » Fri Sep 04, 2009 1:57 pm

It does not work on DS-101j and firmware Version: DSM 2.0-0731 :-(

I'm very disappointed because I was using a structure of symbolic links for years and now it is all gone :x

Dear Synology, I appreciate that you care about our security, but this is too much. My disk is running on a local network only, so the only person who could hack it is me! Please, put the symlinks back.
pepa_u
I'm New!
Posts: 3
Joined: Fri Sep 04, 2009 1:50 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby pepa_u » Fri Sep 04, 2009 2:03 pm

wouter1971 wrote:I think there is an easier method. I just inserted into /usr/syno/etc/smb.conf in the GLOBAL section:

follow symlinks = yes
wide symlinks = yes
unix extensions = no

Then:

/usr/syno/etc/rc.d/S80samba.sh restart

Working!


It doesn't work for me on 101j :-(

Synology, please, let us use the symbolic links again. Or do you think it is more secure for me to go back to older firmware?
pepa_u
I'm New!
Posts: 3
Joined: Fri Sep 04, 2009 1:50 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby pepa_u » Sat Sep 05, 2009 12:02 pm

Problem solved! (DS-101j)

I have tried to hack the smbd as described before, but did not succeed. So I tried to install another samba:

http://www.nslu2-linux.org/wiki/Optware/Samba

Follow all instructions there including installing gconv-modules as described under "Unable to connect in Samba 3.2.1-1 (9/27/08)".

I have used the smb.conf from the original samba installation, including symlink settings described in this thread.
It's necessary to add samba users+passwords (/opt/bin/smbpasswd -add user_name /opt/bin/smbpasswd -U user_name). Also it is necessary to set in smb.conf under [printer] path=/opt/var/spool/samba (which has to be created and write/read set for all users).

Then symlinks work as before! However, there was a problem with printing. After hours of trying different things I have discovered that lpr does not print files named "smbprn.*.*" The "smbprn" is the problem! File with this name is spooled, but not printed. Why? I have no idea. I solved that by creating my own printing script which renames the file and then prints it:

Created "/opt/bin/lpr_print.sh" which contains:

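#!/bin/ash
# $1 = printer name (%p), $2 = spool file name (%s), both passed in by Samba
spool_dir=/opt/var/spool/samba
# rename the spool file first: lpr did not print files named smbprn.*
mv "$spool_dir/$2" "$spool_dir/lpr_$2"
echo lpr -r -P"$1" "$spool_dir/lpr_$2" >> "$spool_dir/print_log"
lpr -r -P"$1" "$spool_dir/lpr_$2"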

In smb.conf I changed the print command in [printers] section:

print command = /opt/bin/lpr_print.sh %p %s

Does anybody know a better solution of the printing problem?

Now everything works (as it did before update of the firmware :oops: )

For reference, the smb.conf I am using now:

[global]
socket options=TCP_NODELAY
workgroup=WORKGROUP
follow symlinks=yes
realm=*
printing=lprng
winbind enum groups=yes
passdb backend=smbpasswd
idmap gid=96000-196000
unix extensions=no
wide symlinks=yes
security=user
idmap uid=10000-110000
printcap name=/usr/syno/etc/printcap
load printers=yes
winbind enum users=yes
[music]
invalid users=nobody,nobody
valid users=nobody,guest,@users,admin,nobody
comment=""
path=/volume1/music
guest ok=yes
browseable=yes
ftp write only=no
read list=nobody,guest,nobody
write list=nobody,@users,admin,nobody
writeable=yes
[opt]
invalid users=nobody,nobody
valid users=nobody,admin,nobody
comment=""
path=/volume1/opt
guest ok=yes
browseable=no
ftp write only=no
read list=nobody,nobody
write list=nobody,admin,nobody
writeable=yes
[photo]
invalid users=nobody,nobody
valid users=nobody,guest,admin,nobody
comment=""
path=/volume1/photo
guest ok=yes
browseable=no
ftp write only=no
read list=nobody,guest,nobody
write list=nobody,admin,nobody
writeable=yes
[public]
invalid users=nobody,nobody
valid users=nobody,@users,nobody
comment="System default share"
path=/volume1/public
guest ok=yes
browseable=yes
ftp write only=no
read list=nobody,nobody
write list=nobody,@users,nobody
writeable=yes
[tmp]
invalid users=nobody,nobody
valid users=nobody,@users,admin,nobody
comment=""
path=/volume1/tmp
guest ok=yes
browseable=no
ftp write only=no
read list=nobody,nobody
write list=nobody,@users,admin,nobody
writeable=yes
[usbshare1]
invalid users=nobody,nobody
valid users=nobody,@users,nobody
comment="Sunplus Technology Co., Ltd"
path=/volumeUSB1/usbshare
guest ok=yes
browseable=yes
ftp write only=no
read list=nobody,nobody
write list=nobody,@users,nobody
writeable=yes
[usbshare2]
invalid users=nobody,nobody
valid users=nobody,@users,nobody
comment="Western Digital Technologies, Inc."
path=/volumeUSB2/usbshare
guest ok=yes
browseable=yes
ftp write only=no
read list=nobody,nobody
write list=nobody,@users,nobody
writeable=yes
[video]
invalid users=nobody,nobody
valid users=nobody,admin,nobody
comment=""
path=/volume1/video
guest ok=yes
browseable=yes
ftp write only=no
read list=nobody,nobody
write list=nobody,admin,nobody
writeable=yes
[web]
invalid users=nobody,nobody
valid users=nobody,admin,nobody
comment=""
path=/volume1/web
guest ok=yes
browseable=no
ftp write only=no
read list=nobody,nobody
write list=nobody,admin,nobody
writeable=yes
[printers]
comment = All Printers
writable = yes
# printer admin = @users
write list = @users
# path = /var/services/printer
path = /opt/var/spool/samba
guest ok = yes
browseable = no
lprm command = /usr/syno/bin/lprm -P%p %j
# print command = /usr/syno/bin/lpr -P%p %s
print command = /opt/bin/lpr_print.sh %p %s
lppause command = /usr/syno/sbin/lpc hold %p %j
lpresume command = /usr/syno/sbin/lpc release %p %j
queuepause command = /usr/syno/sbin/lpc stop %p
queueresume command = /usr/syno/sbin/lpc start %p
public = yes
printable = yes
lpq command = /usr/syno/bin/lpq -P%p
awierda
I'm New!
Posts: 1
Joined: Tue Jul 20, 2010 8:10 pm

Re: Using symbolic links from SMB (Win XP) clients

Postby awierda » Tue Jul 20, 2010 8:18 pm

follow symlinks = yes
wide symlinks = yes
unix extensions = no

works for me.
After restarting Samba manually I could no longer connect to the Web user interface. A restart of the Synology solved that.

I have a DS209 with DSM 2.3-1157

Andreas
