DockerFiles/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8c17a559b909930295beccdd0fef737868e02ac6
samba/CHANGELOG.md
Struchkov Mark 8c17a559b9 security: fix critical security issues 
- Use heredoc instead of echo for password input (not visible in ps/proc)
- Add username validation (alphanumeric, underscore, hyphen only)
- Add share name validation (alphanumeric, space, underscore, hyphen)
- Add path validation (must be absolute)
- Replace 'which' with POSIX-compliant 'command -v'
- Add logging for custom command execution
- Improve error handling with proper quoting

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 22:21:10 +03:00

72 lines
3.0 KiB
Markdown
Raw Blame History

# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased]
### Added
- **Performance optimizations** (Dockerfile)
- `dead time = 30` — disconnect idle clients after 30 seconds to free resources
- `large readwrite = yes` — improved performance for large file transfers
- `max xmit = 65535` — maximum packet size for better throughput
- `write cache size = 1048576` — 1MB write cache for improved write performance
### Security
- **Secure password handling in user() function** (samba.sh)
- Replaced `echo` with heredoc for password input to prevent exposure in process list
- Password is no longer visible via `ps` or `/proc`
- **Input validation for users and shares** (samba.sh)
- Added username validation (alphanumeric, underscore, hyphen only)
- Added share name validation (alphanumeric, space, underscore, hyphen only)
- Added path validation (must be absolute path)
- **Improved command execution safety** (samba.sh)
- Replaced `which` with POSIX-compliant `command -v`
- Added logging for custom command execution
- Improved error messages
### Fixed
- **Fixed chown syntax error in perms function** (samba.sh:122)
- Changed `smbuser.` to `smbuser:smb` for correct group assignment
- **Fixed paths with spaces handling in perms function** (samba.sh:121)
- Replaced `for` loop with `while IFS= read -r` to correctly handle paths containing spaces
- **Fixed unquoted variables in import function** (samba.sh:112-113)
- Added quotes around `$file` variable to prevent word splitting issues
- **Removed /etc from VOLUME declaration** (Dockerfile:83)
- `/etc` is too broad and can cause unexpected behavior with system configurations
- **Share-specific parameters not overriding global settings** ([#issue](https://github.com/upagge/samba/issues))
**Problem**: When creating public shares with guest write access, the `-G` parameters for individual shares did not override the global `force user` and `force group` settings from the base `smb.conf`.
Example that didn't work:
```bash
-s "public;/cloud/share;yes;no;yes"
-G "public;force user = nobody"
-G "public;force group = nogroup"
```
`testparm -s` showed that the share used global `force user = smbuser` and `force group = smb` instead of the specified values.
**Root cause**:
1. When using environment variables, `GENERIC` was processed **before** `SHARE`, so share sections didn't exist when `-G` options tried to modify them.
2. The regex `\s` in sed was not POSIX-compatible for Alpine/busybox.
**Solution**:
- Reordered environment variable processing: `SHARE` is now processed before `GENERIC`
- Replaced `\s` with POSIX-compatible `[[:space:]]` in regex patterns
- Added `^` anchor to sed append command for precise matching
### Changed
- Environment variable processing order: `GLOBAL` -> `SHARE` -> `GENERIC` (was: `GENERIC` -> `GLOBAL` -> `SHARE`)
Reference in New Issue View Git Blame Copy Permalink