DockerFiles/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: add enhanced security option (-E flag / SECURE env)

Browse Source 
Add new option to enable enhanced SMB security:
- server signing = mandatory (prevents packet tampering)
- client signing = mandatory (ensures client authenticity)
- smb encrypt = desired (encrypts traffic when supported)

Usage:
- CLI: -E flag
- Environment: SECURE=true

Note: Some older clients may not support these features.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Struchkov Mark
2026-01-07 22:27:15 +03:00
parent 8c17a559b9
commit efa529feef
3 changed files with 41 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- `max xmit = 65535` — maximum packet size for better throughput - `max xmit = 65535` — maximum packet size for better throughput
- `write cache size = 1048576` — 1MB write cache for improved write performance - `write cache size = 1048576` — 1MB write cache for improved write performance
- **Enhanced security option** (`-E` flag / `SECURE` env variable)
- Enables mandatory server and client signing
- Enables SMB encryption (desired mode)
- Protects against man-in-the-middle attacks
### Security ### Security
- **Secure password handling in user() function** (samba.sh) - **Secure password handling in user() function** (samba.sh)

19
README.md
View File

@@ -85,6 +85,7 @@ docker run -it --rm upagge/samba -h
| `-w "<workgroup>"` | Configure workgroup (domain) | | `-w "<workgroup>"` | Configure workgroup (domain) |
| `-W` | Allow wide symbolic links | | `-W` | Allow wide symbolic links |
| `-I "<path>"` | Add include at the end of smb.conf | | `-I "<path>"` | Add include at the end of smb.conf |
| `-E` | Enable enhanced security (signing + encryption) |
### Share Parameter Format (-s) ### Share Parameter Format (-s)
@@ -135,6 +136,7 @@ docker run -it --rm upagge/samba -h
| `TZ` | Timezone (e.g., `Europe/London`) | | `TZ` | Timezone (e.g., `Europe/London`) |
| `USER` | User configuration (supports USER2, USER3...) | | `USER` | User configuration (supports USER2, USER3...) |
| `WIDELINKS` | Allow wide symbolic links | | `WIDELINKS` | Allow wide symbolic links |
| `SECURE` | Enable enhanced security (signing + encryption) |
| `WORKGROUP` | Workgroup | | `WORKGROUP` | Workgroup |
| `USERID` | UID for smbuser | | `USERID` | UID for smbuser |
| `GROUPID` | GID for smb group | | `GROUPID` | GID for smb group |
@@ -313,6 +315,23 @@ docker run -it --network host \
- Store passwords in `.env` file or Docker secrets - Store passwords in `.env` file or Docker secrets
- Restrict share access to specific users - Restrict share access to specific users
### Enhanced Security Mode
For environments requiring additional protection, use the `-E` flag or `SECURE=true` environment variable:
```bash
docker run -it -p 445:445 -d upagge/samba -E -p \
-u "user;password" \
-s "secure_share;/data;yes;no;no;user"
```
This enables:
- **Server signing** (mandatory) — prevents packet tampering
- **Client signing** (mandatory) — ensures client authenticity
- **SMB encryption** (desired) — encrypts traffic when client supports it
**Note**: Some older clients may not support these features. Only enable if all clients are compatible.
## Feedback ## Feedback
If you have any problems or questions, please create an [issue on GitHub](https://github.com/upagge/samba/issues). If you have any problems or questions, please create an [issue on GitHub](https://github.com/upagge/samba/issues).

18
samba.sh
View File

@@ -275,6 +275,18 @@ widelinks() {
sed -i 's/\(follow symlinks = yes\)/'"$replace"'/' "$SMB_CONF" sed -i 's/\(follow symlinks = yes\)/'"$replace"'/' "$SMB_CONF"
} }
### secure: enable enhanced security (signing and encryption)
# Arguments:
# none)
# Return: result
secure() {
sed -i '/\[global\]/a \
# Enhanced security settings\
server signing = mandatory\
client signing = mandatory\
smb encrypt = desired' "$SMB_CONF"
}
### usage: Help ### usage: Help
# Arguments: # Arguments:
# none) # none)
@@ -325,6 +337,8 @@ Options (fields in '[]' are optional, '<>' are required):
-I Add an include option at the end of the smb.conf -I Add an include option at the end of the smb.conf
required arg: \"<include file path>\" required arg: \"<include file path>\"
<include file path> in the container, e.g. a bind mount <include file path> in the container, e.g. a bind mount
-E Enable enhanced security (signing and encryption)
Enables: server signing, client signing, SMB encryption
The 'command' (if provided and valid) will be run instead of samba The 'command' (if provided and valid) will be run instead of samba
" >&2 " >&2
@@ -334,10 +348,11 @@ The 'command' (if provided and valid) will be run instead of samba
[[ "${USERID:-""}" =~ ^[0-9]+$ ]] && usermod -u $USERID -o smbuser [[ "${USERID:-""}" =~ ^[0-9]+$ ]] && usermod -u $USERID -o smbuser
[[ "${GROUPID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $GROUPID -o smb [[ "${GROUPID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $GROUPID -o smb
while getopts ":hc:G:g:i:nprs:Stu:Ww:I:" opt; do while getopts ":hc:EG:g:i:nprs:Stu:Ww:I:" opt; do
case "$opt" in case "$opt" in
h) usage ;; h) usage ;;
c) charmap "$OPTARG" ;; c) charmap "$OPTARG" ;;
E) secure ;;
G) parse_args "$OPTARG"; generic "${PARSED_ARGS[@]}" ;; G) parse_args "$OPTARG"; generic "${PARSED_ARGS[@]}" ;;
g) global "$OPTARG" ;; g) global "$OPTARG" ;;
i) import "$OPTARG" ;; i) import "$OPTARG" ;;
@@ -377,6 +392,7 @@ while read i; do
done < <(env | awk '/^USER[0-9=_]/ {sub (/^[^=]*=/, "", $0); print}') done < <(env | awk '/^USER[0-9=_]/ {sub (/^[^=]*=/, "", $0); print}')
[[ "${WORKGROUP:-""}" ]] && workgroup "$WORKGROUP" [[ "${WORKGROUP:-""}" ]] && workgroup "$WORKGROUP"
[[ "${WIDELINKS:-""}" ]] && widelinks [[ "${WIDELINKS:-""}" ]] && widelinks
[[ "${SECURE:-""}" ]] && secure
[[ "${INCLUDE:-""}" ]] && include "$INCLUDE" [[ "${INCLUDE:-""}" ]] && include "$INCLUDE"
[[ "${PERMISSIONS:-""}" ]] && perms & [[ "${PERMISSIONS:-""}" ]] && perms &