DockerFiles/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8c17a559b909930295beccdd0fef737868e02ac6
samba/CHANGELOG.md
Struchkov Mark 8c17a559b9 security: fix critical security issues 
- Use heredoc instead of echo for password input (not visible in ps/proc)
- Add username validation (alphanumeric, underscore, hyphen only)
- Add share name validation (alphanumeric, space, underscore, hyphen)
- Add path validation (must be absolute)
- Replace 'which' with POSIX-compliant 'command -v'
- Add logging for custom command execution
- Improve error handling with proper quoting

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 22:21:10 +03:00

3.0 KiB
Raw Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

[Unreleased]

Added

  • Performance optimizations (Dockerfile)
    • dead time = 30 — disconnect idle clients after 30 seconds to free resources
    • large readwrite = yes — improved performance for large file transfers
    • max xmit = 65535 — maximum packet size for better throughput
    • write cache size = 1048576 — 1MB write cache for improved write performance

Security

  • Secure password handling in user() function (samba.sh)

    • Replaced echo with heredoc for password input to prevent exposure in process list
    • Password is no longer visible via ps or /proc

  • Input validation for users and shares (samba.sh)

    • Added username validation (alphanumeric, underscore, hyphen only)
    • Added share name validation (alphanumeric, space, underscore, hyphen only)
    • Added path validation (must be absolute path)

  • Improved command execution safety (samba.sh)

    • Replaced which with POSIX-compliant command -v
    • Added logging for custom command execution
    • Improved error messages

Fixed

  • Fixed chown syntax error in perms function (samba.sh:122)

    • Changed smbuser. to smbuser:smb for correct group assignment

  • Fixed paths with spaces handling in perms function (samba.sh:121)

    • Replaced for loop with while IFS= read -r to correctly handle paths containing spaces

  • Fixed unquoted variables in import function (samba.sh:112-113)

    • Added quotes around $file variable to prevent word splitting issues

  • Removed /etc from VOLUME declaration (Dockerfile:83)

    • /etc is too broad and can cause unexpected behavior with system configurations

  • Share-specific parameters not overriding global settings (#issue)

    Problem: When creating public shares with guest write access, the -G parameters for individual shares did not override the global force user and force group settings from the base smb.conf.

    Example that didn't work:

    -s "public;/cloud/share;yes;no;yes"
-G "public;force user = nobody"
-G "public;force group = nogroup"

    testparm -s showed that the share used global force user = smbuser and force group = smb instead of the specified values.

    Root cause:

    1. When using environment variables, GENERIC was processed before SHARE, so share sections didn't exist when -G options tried to modify them.
    2. The regex \s in sed was not POSIX-compatible for Alpine/busybox.

    Solution:

    • Reordered environment variable processing: SHARE is now processed before GENERIC
    • Replaced \s with POSIX-compatible [[:space:]] in regex patterns
    • Added ^ anchor to sed append command for precise matching

Changed

  • Environment variable processing order: GLOBAL -> SHARE -> GENERIC (was: GENERIC -> GLOBAL -> SHARE)