Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Does KSMBD supports Symbolic Links(symlinks) ? #483

Open
m-sataraddi opened this issue Apr 18, 2024 · 11 comments
Open

Does KSMBD supports Symbolic Links(symlinks) ? #483

m-sataraddi opened this issue Apr 18, 2024 · 11 comments

Comments

@m-sataraddi
Copy link

Dear Mr. Namjae Jeon,

Context: We are enabling KSMBD server on Android platform and trying to support few use cases. This require Symbolic Links(symlinks) support.

=============================================
1). By default, it looks like Symbolic links are NOT supported in KSMBD now. We tested following and Accessing Symbolic link files from Client is NOT working:

a). [KSMBD Server on Linux]:

In /etc/samba/smb.conf, following share is defined.

[ManjuShare]
comment = Samba with KSMBD Kernel Server on Ubuntu
path = /home/test/manjunath
read only = No


KSMBD Server is running:

sudo service ksmbd status
ksmbd.service - ksmbd userspace daemon
Loaded: loaded (/lib/systemd/system/ksmbd.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2024-04-17 17:44:28 IST; 28s ago
Process: 30769 ExecStartPre=/sbin/modprobe ksmbd (code=exited, status=0/SUCCESS)
Process: 30770 ExecStart=/usr/sbin/ksmbd.mountd -s (code=exited, status=0/SUCCESS)
Main PID: 30770 (code=exited, status=0/SUCCESS)
Tasks: 2 (limit: 9340)
Memory: 576.0K
CPU: 11ms
CGroup: /system.slice/ksmbd.service
├─30772 /usr/sbin/ksmbd.mountd -s
└─30773 /usr/sbin/ksmbd.mountd -s
Apr 17 17:44:28 lin2030066179 systemd[1]: Starting ksmbd userspace daemon...
Apr 17 17:44:28 lin2030066179 systemd[1]: Finished ksmbd userspace daemon.


KSMBD Server is listening on port 445:

netstat -pulnt | grep -i 445
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::445 ::: LISTEN -
tcp6 0 0 :::445 ::: LISTEN -
tcp6 0 0 :::445 ::: LISTEN -
tcp6 0 0 :::445 ::: LISTEN -
tcp6 0 0 :::445 ::: LISTEN -


myfile-sym.txt is symlink of /test/myfile.txt

ls -las
total 12
4 drwxrwxrwx 3 test test 4096 Apr 17 15:37 .
4 drwxr-x--- 44 test test 4096 Apr 17 15:52 ..
0 lrwxrwxrwx 1 test test 41 Apr 17 15:37 myfile-sym.txt -> /home/test/manjunath/test/myfile.txt
4 drwxrwxr-x 2 test test 4096 Apr 17 15:36 test

[Mount with CIFS option on other Linux Machine]:

sudo mount -t cifs //107.99.235.8/ManjuShare -o username=test,password=srib@123 /mnt/ManjuShare/

cd /mnt/ManjuShare/
ls -las
ls: cannot read symbolic link 'myfile-sym.txt': Operation not supported
total 4
0 drwxr-xr-x 2 root root 0 Apr 17 15:37 .
4 drwxr-xr-x 8 root root 4096 Apr 17 15:58 ..
0 lrwxr-xr-x 1 root root 41 Apr 17 15:37 myfile.txt
0 drwxr-xr-x 2 root root 0 Apr 17 15:36 test


Accessing myfile-sym.txt(symlink file) fails:

cat myfile-sym.txt
cat: myfile-sym.txt: Permission denied

Accessing Orginial file works:

cat test/myfile.txt
myfile

2). Upon further checking, in this below link, its mentioned that: This patch remove symlink support that can be vulnerable and access out of share, and we re-implement it as reparse point later.

https://lore.kernel.org/all/CAH2r5muaUWci4rfOqYhv+p8NO7rKLSg5Y3WgoJnBa9fL8YD0GQ@mail.gmail.com/T/

2a). We would like to know whether Symlinks are supported in latest KSMBD releases.

2b). If symlinks are supported or re-implemented as 'reparse point' then let us know whether this feature is present in latest release.
If yes then please share some details about how to use this.

2c). If symlinks are NOT supported till now then let us know if there is a plan to support and by when.

=============================================

Note: We observed that Linux Samba Server supports symlinks as regular file.
Clients can access those symlink files as regular files at their side.

Thank you.

@namjaejeon
Copy link
Owner

@m-sataraddi Thanks for your check:) Yes, as you said, symlink support has been removed from the upstream process due to possible security issues. But we can start working to support it again. There are other important works to me, but if symlink support is a higher priority, it may depend on what product you use the ksmbd server for and how important it is.
Are you planning to use ksmbd as a POC or are you planning to install it into your android product? If it is an Android platform, is this feature included in Google's public source?

@m-sataraddi
Copy link
Author

Our plan is to install KSMBD into android product (not just for POC).
It would be helpful if symlink can be supported in KSMBD.

@namjaejeon
Copy link
Owner

@m-sataraddi Okay, Let me check it. Can you send me more information for your product ? (linkinjeon@kernel.org)
I would like to know app scenario and what product is and project schedule, etc..

@sangsoolee
Copy link

Hi @namjaejeon
I will send email soon.

@rickysarraf
Copy link

Having symlink support for SMB Shares would be a nice feature, for your average Linux end-user as well. I use it heavily, daily.

Use case:

I can have 10 different smb shares organized with different content. Of the content populated across all the shares, there's one identifier; like say SSN. So, to check for all data belonging to SSN, I can have a PRIMARY share, and underneath it I can have all other file systems symlinked to it. Then, in Dolphin File Browser, I just have to hit search for the SSN.

[PRIMARY]
path = /var/tmp/share
comment = Primary share, with symlink mappings

And all symlinks put under /var/tmp/share/

@romanrm
Copy link

romanrm commented Sep 8, 2024

Samba server supports the "allow insecure wide links" setting, which specifically allows all symlinks even to point outside of the share tree. As such there are scenarios where that is not a problem, or in fact desirable, and the user should be given an option to enable that.

It is not a good choice to remove the feature entirely just because it can implement one of Samba's included features, even if one disabled by default. Just include that too, and disable by default, why cut useful functions out entirely.

Side note: another attempt to deploy ksmbd instead of Samba, another failure and postponement, now because of this.

@namjaejeon
Copy link
Owner

namjaejeon commented Sep 8, 2024

The Samba team strongly wanted to remove this feature for security issues. can you tell me what client do you use for symlink ? cifs.ko ?

Side note: another attempt to deploy ksmbd instead of Samba, another failure and postponement, now because of this.

interesting, can you elaborate more ? deploy ?

@romanrm
Copy link

romanrm commented Sep 9, 2024

wanted to remove this feature for security issues

I am root on both the client and the server, and there are no other clients. It is not always that "security" is even required, there are cases when it is not a consideration, and it should not be the cause of entirely sacrificing functionality or convenience. As in this case: function was removed, not disabled. At least it is good to have a way to explicitly enable such features.

can you elaborate more ? deploy ?

Nothing big, just meant would be nice to drop-in replace Samba for KSMBD on all my machines and gain the improved efficiency and performance, but each time something prevents that in one way or another.

@namjaejeon
Copy link
Owner

I am root on both the client and the server, and there are no other clients.

I am asking which smb client do you use to access symlinks? cifs.ko in the Linux kernel or samba's smbclient.

@romanrm
Copy link

romanrm commented Sep 9, 2024

cifs.ko in the Linux kernel

Yes, just mounting with the kernel.

@namjaejeon
Copy link
Owner

Okay, I will check symlink support in ksmbd.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants