Topic: Symbolic Link Access

[newburns]

Good Day to everyone
SME 8b7
Here is my scenario:
I wanted a separate music file that could be accessed by both users and Subsonic. I created a ibay named "globally" and a group named "allinclude"
Everyone by default will be a part of this group
I created symlinks in /var/subsonic/music to a directory I created /rosemedia/audio
Subsonic reads all music just fine from there
I then created that same symlink in /home/e-smith/files/ibays/globally/files/Music
But no one has access to the file Music. Other files located in "globally" ibay is completely accessible by everyone, but not the symlink "Music".
I do not know what log files to look into to report findings. I checked messages, smbd.current, and some others, but none had information regarding accessibility to files.

My ls -l returns

Code: [Select]

[root@mtrose /]# ls -l
total 125
-rw-------   1 root root 11264 Jan 17 10:05 aquota.group
-rw-------   1 root root 12288 Jan 17 06:34 aquota.user
drwxr-xr-x   2 root root  4096 Jan 11 04:03 bin
drwxr-xr-x   4 root root  1024 Jan 10 07:22 boot
drwxr-xr-x   2 root root  4096 Jan  9 18:45 command
drwxr-xr-x  12 root root  3940 Jan 16 05:10 dev
drwxr-xr-x  88 root root 12288 Jan 17 09:45 etc
drwxr-xr-x   4 root root  4096 Jan  9 18:51 home
drwxr-xr-x  13 root root  4096 Jan 11 04:03 lib
drwx------   2 root root 16384 Jan  9 18:40 lost+found
drwxr-xr-x   2 root root  4096 May 11  2011 media
drwxr-xr-x   3 root root  4096 Jan 10 22:20 mnt
drwxr-xr-x   7 root root  4096 Nov 28  2008 opt
drwxr-xr-t   3 root root  4096 Mar 30  2008 package
dr-xr-xr-x 235 root root     0 Jan 10 16:04 proc
drwxr-x---   6 root root  4096 Jan 13 15:15 root
drwxrwxrwx   3 root root  4096 Jan 10 15:52 rosemedia
drwxr-xr-x   3 root root 12288 Jan 11 04:03 sbin
drwxr-xr-x   4 root root     0 Jan 10 16:04 selinux
drwxr-xr-x   2 root root  4096 Jan 10 11:26 service
drwxr-xr-x   2 root root  4096 May 11  2011 srv
drwxr-xr-x  11 root root     0 Jan 10 16:04 sys
drwxrwxrwt   8 root root  4096 Jan 17 10:01 tmp
drwxr-xr-x  16 root root  4096 Jan 10 11:30 usr
drwxr-xr-x  27 root root  4096 Jan 10 11:30 var

and db accounts show globally 

Code: [Select]

globally=ibay
    AllowOverride=All
    CgiBin=disabled
    FollowSymLinks=enabled
    Gid=5007
    Group=allinclusive
    Name=Share for Everyone
    PHPBaseDir=/rosemedia/:/tmp/:/usr/:/home/e-smith/files/ibays/globally/:
    PasswordSet=no
    PublicAccess=none
    Uid=5007
    UserAccess=wr-group-rd-group


[mmccarn]

A little googling shows up some notes about samba, symlinks, and security problems:
http://www.samba.org/samba/news/symlink_attack.html

This implies that you could solve your problem by customizing /etc/samba/smb.conf to support symbolic links and "wide links", but that this might introduce security issues.

Another option would be to store the actual/real music files in the ibay, then symlink to the ibay location from your other desired access points.

[CharlieBrady]

If you want the same directory+files to appear in two different places in the directory tree, use a 'bind mount' rather than a symlink.

http://aplawrence.com/Linux/mount_bind.html

[newburns]

Thank you Charlie Brady.
I did try placing all the files in the ibay directory and doing a symlink from /var/subsonic/ but Subsonic could not access the files properly. I understand that the symlinks does not work across many directories unless "wide links" is on. However, wide links poses an issue for security purposes.
Does SME 8b7 have "wide links" off by standard?

[CharlieBrady]

Thank you Charlie Brady.

It sounds to me like you read what I said, and then promptly ignored it. C'est la vie, I suppose.

[newburns]

I'm sorry. In my head, I was responding to mmccarn. I did the mount --build immediately when I read it, and it worked without a hitch. Thanks again. I always listen to CharlieBrady!
The mount --build did the trick, but how do you remove a mount --build?
Do I just use a umount?
I know not to do an rm -rf

[CharlieBrady]

Do I just use a umount?

Yes.

BTW, it's "mount --bind", not "mount --build".

[christian]

I just came across this same issue having just upgraded from SME7 to the SME8 Beta 7. It seems the default for "wide links" in samba changed between the two versions. I too will move from symlink to mount --bind per Charlie's suggestion but does anyone know what affa's default behaviour will be with mount --bind? I'm trying to figure out if I should add "--one-file-system" to the affa parameters.

Currently I have a separate large disk symlinked into my iBay hierarchy.

[newburns]

Are you asking if AFFA will follow the mount when backing up your filesystem, or is the mount on the AFFA server?

Also, I wrote this in my /etc/fstab and wanted to be sure it was correct before I did a restart of my system. I lose my mount each restart so and this solution was the only one that seemed available

Code: [Select]

/dev/main/root          /                       ext3    usrquota,grpquota,acl        1 1
/dev/md1                /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/main/swap          swap                    swap    defaults        0 0
/rosemedia/audio/       /home/e-smith/files/ibays/globally/files/Music/ none bind 0 0

Does the spacing affect the fstab? As you can see, everything does not line up

[christian]

Are you asking if AFFA will follow the mount when backing up your filesystem, or is the mount on the AFFA server?

If Affa will follow the mount on the system to be backed up. I don't want to back up the same file system multiple times (ie. the 2 diffrent mount points being seen as 2 distinct hierarchies as opposed to the same one). For now I have excluded this part of my hierarchy explicitly (in affa) until I have time to test out what it does.

Also, I wrote this in my /etc/fstab and wanted to be sure it was correct before I did a restart of my system. I lose my mount each restart so and this solution was the only one that seemed available

Code: [Select]

/dev/main/root          /                       ext3    usrquota,grpquota,acl        1 1
/dev/md1                /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/main/swap          swap                    swap    defaults        0 0
/rosemedia/audio/       /home/e-smith/files/ibays/globally/files/Music/ none bind 0 0

Does the spacing affect the fstab? As you can see, everything does not line up

Alignment is not important. A space is a field delimiter. For bind, the syntax I have been using is

Code: [Select]

/path1 /path2 bind defaults,bind 0 0

You can use "mount -a" to test your fstab. It will read and execute the fstab and output any errors will be output.

edit: clarifying my first paragraph

[newburns]

Just for the record, AFFA follows the mount and backs up the content twice. One for each location. Not sure if there is something we can do about that, but I know I will need to revisit this as the library I am using the mount option for continues to grow.

[newburns]

Just for info
PHPSysInfo also follows the mount and shows the total space on your system, along with an additional size for however big the mounted file is (which of course is double what your system's spacing is). Multiple mounts shows my system at 42tb, if only that were true!!! 

[janet]

newburns

Not sure if there is something we can do about that,

As Christian said: "For now I have excluded this part of my hierarchy explicitly (in affa)".....

To newburns, You need to add the extra mount folder to the Exclude setting in Affa configuration to prevent that being included in the backup, refer to Affa wiki for instructions.
http://wiki.contribs.org/Affa#Job_configuration_properties

[newburns]

Wow, mary.
You are just a plethora of knowledge. I didn't think about that at all! Thankyou