From efa529feef66a921632c6817ddbee9bb3ee721df Mon Sep 17 00:00:00 2001 From: Struchkov Mark Date: Wed, 7 Jan 2026 22:27:15 +0300 Subject: [PATCH] feat: add enhanced security option (-E flag / SECURE env) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add new option to enable enhanced SMB security: - server signing = mandatory (prevents packet tampering) - client signing = mandatory (ensures client authenticity) - smb encrypt = desired (encrypts traffic when supported) Usage: - CLI: -E flag - Environment: SECURE=true Note: Some older clients may not support these features. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- CHANGELOG.md | 5 +++++ README.md | 19 +++++++++++++++++++ samba.sh | 18 +++++++++++++++++- 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fd7d57..91dd868 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - `max xmit = 65535` — maximum packet size for better throughput - `write cache size = 1048576` — 1MB write cache for improved write performance +- **Enhanced security option** (`-E` flag / `SECURE` env variable) + - Enables mandatory server and client signing + - Enables SMB encryption (desired mode) + - Protects against man-in-the-middle attacks + ### Security - **Secure password handling in user() function** (samba.sh) diff --git a/README.md b/README.md index ee5a7bf..b13cd4f 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,7 @@ docker run -it --rm upagge/samba -h | `-w ""` | Configure workgroup (domain) | | `-W` | Allow wide symbolic links | | `-I ""` | Add include at the end of smb.conf | +| `-E` | Enable enhanced security (signing + encryption) | ### Share Parameter Format (-s) 
@@ -135,6 +136,7 @@ docker run -it --rm upagge/samba -h | `TZ` | Timezone (e.g., `Europe/London`) | | `USER` | User configuration (supports USER2, USER3...) | | `WIDELINKS` | Allow wide symbolic links | +| `SECURE` | Enable enhanced security (signing + encryption) | | `WORKGROUP` | Workgroup | | `USERID` | UID for smbuser | | `GROUPID` | GID for smb group | @@ -313,6 +315,23 @@ docker run -it --network host \ - Store passwords in `.env` file or Docker secrets - Restrict share access to specific users +### Enhanced Security Mode + +For environments requiring additional protection, use the `-E` flag or `SECURE=true` environment variable: + +```bash +docker run -it -p 445:445 -d upagge/samba -E -p \ + -u "user;password" \ + -s "secure_share;/data;yes;no;no;user" +``` + +This enables: +- **Server signing** (mandatory) — prevents packet tampering +- **Client signing** (mandatory) — ensures client authenticity +- **SMB encryption** (desired) — encrypts traffic when client supports it + +**Note**: Some older clients may not support these features. Only enable if all clients are compatible. + ## Feedback If you have any problems or questions, please create an [issue on GitHub](https://github.com/upagge/samba/issues). diff --git a/samba.sh b/samba.sh index 3dc1bd3..a8e0e66 100755 --- a/samba.sh +++ b/samba.sh @@ -275,6 +275,18 @@ widelinks() { sed -i 's/\(follow symlinks = yes\)/'"$replace"'/' "$SMB_CONF" } +### secure: enable enhanced security (signing and encryption) +# Arguments: +# none) +# Return: result +secure() { + sed -i '/\[global\]/a \ + # Enhanced security settings\ + server signing = mandatory\ + client signing = mandatory\ + smb encrypt = desired' "$SMB_CONF" +} + ### usage: Help # Arguments: # none) 
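Review bot: `client signing = mandatory` in the block that secure() appends does not constrain connecting clients — that smb.conf parameter governs signing on connections Samba itself opens as a client (winbind, smbclient) — so the server-side hardening this function actually adds is `server signing = mandatory` alone, and `smb encrypt = desired` still serves a client that does not negotiate encryption in cleartext, contrary to the "ensures client authenticity" wording that the usage hunk, the README and the CHANGELOG repeat. Replace the vague `# Return: result` header line with something like `# Note: 'client signing' only affects Samba's own outbound connections; 'smb encrypt = desired' is opportunistic — use 'required' to refuse clients that do not encrypt`, and either drop the `client signing` line or document it as outbound-only. secure() is also not idempotent: with both `-E` and `SECURE=true` set (the getopts hunk and the env hunk of this patch call it independently) the block is inserted twice, so prefix the sed with `grep -q '^[[:space:]]*server signing = mandatory' "$SMB_CONF" ||` to make the second call a no-op. Because Samba honours the last occurrence of a parameter within a section, inserting these lines directly after `[global]` also means any later `server signing` or `smb encrypt` line in the generated config (for example one added through `-g`, if global() writes further down the section) silently overrides them, which the header comment should state so operators verify the effective values with `testparm -s` rather than assuming the flag took effect.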
@@ -325,6 +337,8 @@ Options (fields in '[]' are optional, '<>' are required): -I Add an include option at the end of the smb.conf required arg: \"\" in the container, e.g. a bind mount + -E Enable enhanced security (signing and encryption) + Enables: server signing, client signing, SMB encryption The 'command' (if provided and valid) will be run instead of samba " >&2 @@ -334,10 +348,11 @@ The 'command' (if provided and valid) will be run instead of samba [[ "${USERID:-""}" =~ ^[0-9]+$ ]] && usermod -u $USERID -o smbuser [[ "${GROUPID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $GROUPID -o smb -while getopts ":hc:G:g:i:nprs:Stu:Ww:I:" opt; do +while getopts ":hc:EG:g:i:nprs:Stu:Ww:I:" opt; do case "$opt" in h) usage ;; c) charmap "$OPTARG" ;; + E) secure ;; G) parse_args "$OPTARG"; generic "${PARSED_ARGS[@]}" ;; g) global "$OPTARG" ;; i) import "$OPTARG" ;; @@ -377,6 +392,7 @@ while read i; do done < <(env | awk '/^USER[0-9=_]/ {sub (/^[^=]*=/, "", $0); print}') [[ "${WORKGROUP:-""}" ]] && workgroup "$WORKGROUP" [[ "${WIDELINKS:-""}" ]] && widelinks +[[ "${SECURE:-""}" ]] && secure [[ "${INCLUDE:-""}" ]] && include "$INCLUDE" [[ "${PERMISSIONS:-""}" ]] && perms &