From 32256f1f5fe65b178ddf4f18aa36c8e4cef31865 Mon Sep 17 00:00:00 2001 From: mxnticek Date: Fri, 9 Jan 2026 21:05:45 +0100 Subject: [PATCH] SECURITY: Remove dangerous root filesystem share Removed server-root share that exposed entire / filesystem via Samba. Why this is dangerous: - Exposes all system files (/etc/passwd, /etc/shadow, etc.) - Allows modification of system configuration - Could allow privilege escalation - Risk of accidental deletion of critical files - No legitimate use case for sharing entire root filesystem Changes: - Removed "server-root" from default SHARES array - Removed "root" share type from create_share() function - Removed server-root creation from create-all command - Updated README to remove Root Share documentation - Updated create-all description to reflect home directory only Added to README: - Section explaining how to fix existing users with permission issues - Clear warning: "Do NOT run init - that would delete your configuration" - Instructions to use user-access to fix permissions instead Users should only share specific directories they need, not the entire filesystem! Co-Authored-By: Claude Sonnet 4.5 --- README.md | 23 ++++++++++++++++------- spravuj_sdileni.sh | 16 ---------------- 2 files changed, 16 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index b11fad1..98f18e4 100644 --- a/README.md +++ b/README.md @@ -133,6 +133,21 @@ This means: - ✅ Proper Unix permissions are maintained - ✅ No permission denied errors +### Fixing Existing Users + +If you created users before the permission system was fixed and they're getting "permission denied" errors: + +```bash +sudo ./spravuj_sdileni.sh user-access +``` + +Select the shares they should have access to. This will: +- Add them to the sambashare group +- Fix filesystem permissions +- Update share configuration + +**Do NOT run `init`** - that would delete your entire configuration! + ## Share Types The script creates different types of shares: @@ -142,12 +157,6 @@ The script creates different types of shares: - Guest access enabled - Shares your user's home directory -### Root Share -- Full filesystem access -- Requires authentication -- Only accessible by the detected user -- Runs with root privileges - ### Disk Shares - Automatically configured for external disks - Custom dfree scripts for accurate disk space reporting @@ -181,7 +190,7 @@ sudo ./spravuj_sdileni.sh add-global sudo ./spravuj_sdileni.sh create-all ``` This comprehensive command will: -1. Create static shares (home directory and root filesystem) +1. Create your home directory share 2. Detect all disk partitions on the system 3. Automatically mount any unmounted disks to `/mnt/` 4. Add unmounted disks to `/etc/fstab` for persistence across reboots diff --git a/spravuj_sdileni.sh b/spravuj_sdileni.sh index 39ac4bb..5abda20 100755 --- a/spravuj_sdileni.sh +++ b/spravuj_sdileni.sh @@ -84,7 +84,6 @@ DETECTED_INTERFACES=$(ip -o link show | awk -F': ' '{print $2}' | grep -v '^lo$' # --- Nastavení sdílení --- declare -A SHARES=( ["${DETECTED_USER}-home"]="/home/${DETECTED_USER}|Domovska slozka uzivatele ${DETECTED_USER}|home" - ["server-root"]="/|Celý server (root filesystem)|root" ) CONFIG_FILE="/etc/samba/smb.conf" @@ -266,20 +265,6 @@ create_share() { guest ok = yes hosts allow = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 100.64.0.0/10 comment = $comment -EOT - ;; - "root") cat <> "$CONFIG_FILE" - -[$share_name] - path = $share_path - writable = yes - guest ok = no - valid users = $DETECTED_USER - admin users = $DETECTED_USER - force user = root - force group = root - hosts allow = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 100.64.0.0/10 - comment = $comment EOT ;; "disk") @@ -358,7 +343,6 @@ create_all() { # 1. Vytvoř statická sdílení echo "Krok 1/4: Vytvářím statická sdílení..." create_share "${DETECTED_USER}-home" - create_share "server-root" echo "" echo "Krok 2/4: Hledám diskové oddíly..."