samba/CHANGELOG.md
Struchkov Mark efa529feef feat: add enhanced security option (-E flag / SECURE env)
Add new option to enable enhanced SMB security:
- server signing = mandatory (prevents packet tampering)
- client signing = mandatory (ensures client authenticity)
- smb encrypt = desired (encrypts traffic when supported)

Usage:
- CLI: -E flag
- Environment: SECURE=true

Note: Some older clients may not support these features.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 22:27:15 +03:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

[Unreleased]

Added

  • Performance optimizations (Dockerfile)

    • dead time = 30 — disconnect idle clients after 30 seconds to free resources
    • large readwrite = yes — improved performance for large file transfers
    • max xmit = 65535 — maximum packet size for better throughput
    • write cache size = 1048576 — 1MB write cache for improved write performance
  • Enhanced security option (-E flag / SECURE env variable)

    • Enables mandatory server and client signing
    • Enables SMB encryption (desired mode)
    • Protects against man-in-the-middle attacks

Security

  • Secure password handling in user() function (samba.sh)

    • Replaced echo with heredoc for password input to prevent exposure in process list
    • Password is no longer visible via ps or /proc
  • Input validation for users and shares (samba.sh)

    • Added username validation (alphanumeric, underscore, hyphen only)
    • Added share name validation (alphanumeric, space, underscore, hyphen only)
    • Added path validation (must be absolute path)
  • Improved command execution safety (samba.sh)

    • Replaced which with POSIX-compliant command -v
    • Added logging for custom command execution
    • Improved error messages
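
The username, share-name and path rules listed under "Input validation for users and shares", written out as an added example that is not the project's samba.sh. The function names, the `name;path;...` field layout and the line-break check on paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: not the project's samba.sh. All function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep A-Z / a-z ranges ASCII-only in every locale

# Username: letters, digits, underscore, hyphen only (rule from the changelog).
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or any character outside the set
    esac
}

# Share name: the same set plus the space character.
valid_share_name() {
    case "$1" in
        ''|*[!A-Za-z0-9\ _-]*) return 1 ;;
    esac
}

# Path: must be absolute (rule from the changelog). The line-break check is an
# extra assumption of this example, since the value ends up on one smb.conf line.
valid_path() {
    nl='
'
    case "$1" in
        *"$nl"*) return 1 ;;
        /*)      return 0 ;;
        *)       return 1 ;;
    esac
}

# Validate the first two fields of a share spec such as the changelog's
# "public;/cloud/share;yes;no;yes" (assumed layout: name;path;options...).
check_share_spec() {
    case "$1" in *\;*) ;; *) return 1 ;; esac   # need at least name;path
    name=${1%%;*}
    rest=${1#*;}
    path=${rest%%;*}
    valid_share_name "$name" && valid_path "$path"
}
```

Matching with `case` rather than filtering through `tr` inside `$(...)` matters here: command substitution strips trailing newlines, so a value ending in a line break would slip past a filter-and-compare check.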

Fixed

  • Fixed chown syntax error in perms function (samba.sh:122)

    • Changed smbuser. to smbuser:smb for correct group assignment
  • Fixed handling of paths containing spaces in perms function (samba.sh:121)

    • Replaced for loop with while IFS= read -r to correctly handle paths containing spaces
  • Fixed unquoted variables in import function (samba.sh:112-113)

    • Added quotes around $file variable to prevent word splitting issues
  • Removed /etc from VOLUME declaration (Dockerfile:83)

    • /etc is too broad and can cause unexpected behavior with system configurations
  • Share-specific parameters not overriding global settings (#issue)

    Problem: When creating public shares with guest write access, the -G parameters for individual shares did not override the global force user and force group settings from the base smb.conf.

    Example that didn't work:

    -s "public;/cloud/share;yes;no;yes"
    -G "public;force user = nobody"
    -G "public;force group = nogroup"
    

    testparm -s showed that the share used global force user = smbuser and force group = smb instead of the specified values.

    Root cause:

    1. When using environment variables, GENERIC was processed before SHARE, so share sections didn't exist when -G options tried to modify them.
    2. The \s escape used in the sed regex is not POSIX and was not compatible with Alpine/busybox.

    Solution:

    • Reordered environment variable processing: SHARE is now processed before GENERIC
    • Replaced \s with POSIX-compatible [[:space:]] in regex patterns
    • Added ^ anchor to sed append command for precise matching

Changed

  • Environment variable processing order: GLOBAL -> SHARE -> GENERIC (was: GENERIC -> GLOBAL -> SHARE)