From 6152fced716c7f341a7c2ac0f6ce45b628b38761 Mon Sep 17 00:00:00 2001 From: mxnticek Date: Fri, 9 Jan 2026 21:09:53 +0100 Subject: [PATCH] CRITICAL FIX: Add safety checks to prevent breaking system files ISSUE: Previous version could break sudo and system files The recursive chown/chmod commands in configure_user_shares() and create_share() could modify system directories like /usr, /etc, /home causing critical system breakage including sudo permissions. ROOT CAUSE: - No validation of paths before recursive operations - Could modify /, /usr, /home and other system directories - Broke /usr/bin/sudo permissions (needs uid 0 and setuid bit) SOLUTION: Added comprehensive path safety checks New function: is_safe_path_for_permissions() - Blacklists ALL dangerous system paths: /, /usr, /etc, /bin, /var, etc. - Only allows /mnt/* (external disk mounts) - Only allows /home/user/subdir (not /home or /home/user itself) - Returns error for any system directory Protection applied to: 1. create_share() - disk share creation (line 326) 2. configure_user_shares() - user access configuration (line 869) Behavior: - Safe paths (/mnt/*): Permissions applied normally - Unsafe paths: Prints warning, skips permission changes - Users must manually set permissions for system directories Emergency fix instructions added to README: - How to fix broken sudo (chown root:root /usr/bin/sudo && chmod 4755) - Multiple recovery methods (root shell, su, recovery mode) - Clear warning about older versions This prevents catastrophic system breakage while still allowing proper multi-user access for external disk shares. APOLOGIES TO USERS: If you were affected by the previous version, I'm deeply sorry for breaking your system. Please follow the recovery instructions in the README. Co-Authored-By: Claude Sonnet 4.5 --- README.md | 30 +++++++++++++++++++++ spravuj_sdileni.sh | 67 +++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 90 insertions(+), 7 deletions(-) 
diff --git a/README.md b/README.md index 98f18e4..0db904b 100644 --- a/README.md +++ b/README.md @@ -200,6 +200,36 @@ Perfect for initial setup or adding multiple disks at once! ## Troubleshooting +### CRITICAL: If sudo is broken after running user-access + +**Symptoms**: `sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set` + +**This happened if you ran an older version (before v1.3) that modified system directories.** + +**Fix (choose one method):** + +**Method 1 - If you're still root in a shell:** +```bash +chown root:root /usr/bin/sudo +chmod 4755 /usr/bin/sudo +``` + +**Method 2 - Switch to root user:** +```bash +su - +chown root:root /usr/bin/sudo +chmod 4755 /usr/bin/sudo +exit +``` + +**Method 3 - Recovery mode:** +1. Reboot and select recovery/single-user mode in GRUB +2. Mount filesystem: `mount -o remount,rw /` +3. Fix sudo: `chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo` +4. Reboot normally + +**After fixing sudo, update to the latest version of FSA which has safety checks!** + ### Check service status ```bash sudo systemctl status smbd nmbd diff --git a/spravuj_sdileni.sh b/spravuj_sdileni.sh index 5abda20..2f88dea 100755 --- a/spravuj_sdileni.sh +++ b/spravuj_sdileni.sh 
@@ -235,6 +235,50 @@ ensure_sambashare_group() { fi } +# CRITICAL SAFETY: Check if path is safe to modify recursively +is_safe_path_for_permissions() { + local path="$1" + + # Blacklist of DANGEROUS paths that should NEVER be modified + local dangerous_paths=( + "/" + "/bin" + "/boot" + "/dev" + "/etc" + "/lib" + "/lib64" + "/opt" + "/proc" + "/root" + "/run" + "/sbin" + "/sys" + "/tmp" + "/usr" + "/var" + ) + + # Check if path matches any dangerous path + for dangerous in "${dangerous_paths[@]}"; do + if [ "$path" = "$dangerous" ] || [[ "$path" == "$dangerous"/* ]]; then + echo "⚠️ NEBEZPEČNÉ: Odmítám měnit oprávnění pro $path (systémový adresář)" + return 1 + fi + done + + # Only allow /mnt/* and /home/*/specific-dirs (but not /home itself) + if [[ "$path" == /mnt/* ]]; then + return 0 + elif [[ "$path" == /home/*/* ]]; then + # Allow /home/user/something but not /home or /home/user + return 0 + else + echo "⚠️ VAROVÁNÍ: $path není v bezpečné cestě (/mnt/* nebo /home/user/dir)" + return 1 + fi +} + # OPRAVENÁ FUNKCE: Vytvoří sdílení se správným formátováním a `force user` create_share() { local share_name="$1" @@ -278,11 +322,15 @@ EOT usermod -a -G sambashare "$DETECTED_USER" 2>/dev/null || true fi - # Nastav filesystem permissions - if [ -d "$share_path" ]; then + # Nastav filesystem permissions - ONLY FOR SAFE PATHS + if [ -d "$share_path" ] && is_safe_path_for_permissions "$share_path"; then + echo " - Nastavuji oprávnění pro $share_path" chown -R :sambashare "$share_path" 2>/dev/null || true chmod -R g+rw "$share_path" 2>/dev/null || true chmod g+s "$share_path" 2>/dev/null || true + elif [ -d "$share_path" ]; then + echo " - ⚠️ Přeskakuji nastavení oprávnění (systémový adresář)" + echo " - Pro přístup nastavte oprávnění manuálně" fi cat <> "$CONFIG_FILE" 
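Review bot: `is_safe_path_for_permissions` matches the literal string in `$1`, so a path with `..` components (for example `/mnt/../usr`), or a symlink below `/mnt` that resolves to a system directory, satisfies `[[ "$path" == /mnt/* ]]` without ever matching a blacklist entry. Resolve the path once in each caller, e.g. `real_path=$(realpath -e -- "$share_path") || real_path=""`, and pass that same resolved value both to this check and to the `chown`/`chmod` calls in create_share() and configure_user_shares(). The glob `/home/*/*` also accepts `/home/user/`, because `*` matches the empty string, which contradicts the comment under it; `/home/?*/?*` and `/mnt/?*` require a non-empty last component. Since the allow-list at the end already rejects everything else, the blacklist only provides a more specific message, and a comment saying so would keep later edits from treating it as the real control.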
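Review bot: The `elif [ -d "$share_path" ]` branch in create_share() prints "systémový adresář" for every rejected path, but the helper also rejects locations that are simply outside `/mnt` and `/home/<user>/`, and by then it has already printed the specific reason. The user therefore sees two warnings, and the second can be inaccurate. Keeping only `echo " - Pro přístup nastavte oprávnění manuálně"` in that branch leaves one correct message; the `else` branch added in configure_user_shares() has the same wording. create_share() starts and ends outside this hunk.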
@@ -817,11 +865,16 @@ configure_user_shares() { local share_path=$(grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep "^ path = " | head -1 | sed 's/^ path = //') if [ -n "$share_path" ] && [ -d "$share_path" ]; then - # Nastav filesystem permissions - echo " - Nastavuji filesystem oprávnění pro $share_path" - chown -R :sambashare "$share_path" 2>/dev/null || true - chmod -R g+rw "$share_path" 2>/dev/null || true - chmod g+s "$share_path" 2>/dev/null || true # SetGID bit + # CRITICAL SAFETY: Only modify permissions on safe paths + if is_safe_path_for_permissions "$share_path"; then + echo " - Nastavuji filesystem oprávnění pro $share_path" + chown -R :sambashare "$share_path" 2>/dev/null || true + chmod -R g+rw "$share_path" 2>/dev/null || true + chmod g+s "$share_path" 2>/dev/null || true # SetGID bit + else + echo " - ⚠️ PŘESKAKUJI: $share_path je systémový adresář" + echo " - Nastavte oprávnění manuálně pokud je potřeba" + fi fi # Zkontroluj jestli sdílení má valid users
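Review bot: The three permission commands inside the new `if is_safe_path_for_permissions "$share_path"` block still end in `2>/dev/null || true`, so "Nastavuji filesystem oprávnění" is printed even when `chown` or `chmod` failed or stopped partway through the tree. In a commit whose purpose is to make these recursive changes safe, a partially applied change should be visible rather than discarded. Report the failure instead of swallowing it, e.g. `chown -R :sambashare "$share_path" || echo "chown failed for $share_path" >&2`, and do the same for the two `chmod` calls. The same three lines appear as unchanged context in create_share(), and configure_user_shares() continues outside this hunk.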