CRITICAL FIX: Add safety checks to prevent breaking system files

ISSUE: Previous version could break sudo and system files
The recursive chown/chmod commands in configure_user_shares() and
create_share() could modify system directories like /usr, /etc, /home
causing critical system breakage including sudo permissions.

ROOT CAUSE:
- No validation of paths before recursive operations
- Could modify /, /usr, /home and other system directories
- Broke /usr/bin/sudo permissions (needs uid 0 and setuid bit)

SOLUTION: Added comprehensive path safety checks

New function: is_safe_path_for_permissions()
- Blacklists ALL dangerous system paths: /, /usr, /etc, /bin, /var, etc.
- Only allows /mnt/* (external disk mounts)
- Only allows /home/user/subdir (not /home or /home/user itself)
- Returns error for any system directory

Protection applied to:
1. create_share() - disk share creation (line 326)
2. configure_user_shares() - user access configuration (line 869)

Behavior:
- Safe paths (/mnt/*): Permissions applied normally
- Unsafe paths: Prints warning, skips permission changes
- Users must manually set permissions for system directories

Emergency fix instructions added to README:
- How to fix broken sudo (chown root:root /usr/bin/sudo && chmod 4755)
- Multiple recovery methods (root shell, su, recovery mode)
- Clear warning about older versions

This prevents catastrophic system breakage while still allowing
proper multi-user access for external disk shares.

APOLOGIES TO USERS: If you were affected by the previous version,
I'm deeply sorry for breaking your system. Please follow the
recovery instructions in the README.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

README.md

@@ -200,6 +200,36 @@ Perfect for initial setup or adding multiple disks at once!
 
 ## Troubleshooting
 
+### CRITICAL: If sudo is broken after running user-access
+
+**Symptoms**: `sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set`
+
+**This happened if you ran an older version (before v1.3) that modified system directories.**
+
+**Fix (choose one method):**
+
+**Method 1 - If you're still root in a shell:**
+```bash
+chown root:root /usr/bin/sudo
+chmod 4755 /usr/bin/sudo
+```
+
+**Method 2 - Switch to root user:**
+```bash
+su -
+chown root:root /usr/bin/sudo
+chmod 4755 /usr/bin/sudo
+exit
+```
+
+**Method 3 - Recovery mode:**
+1. Reboot and select recovery/single-user mode in GRUB
+2. Mount filesystem: `mount -o remount,rw /`
+3. Fix sudo: `chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo`
+4. Reboot normally
+
+**After fixing sudo, update to the latest version of FSA which has safety checks!**
+
 ### Check service status
 ```bash
 sudo systemctl status smbd nmbd

spravuj_sdileni.sh

@@ -235,6 +235,50 @@ ensure_sambashare_group() {
     fi
 }
 
+# CRITICAL SAFETY: Check if path is safe to modify recursively
+is_safe_path_for_permissions() {
+    local path="$1"
+
+    # Blacklist of DANGEROUS paths that should NEVER be modified
+    local dangerous_paths=(
+        "/"
+        "/bin"
+        "/boot"
+        "/dev"
+        "/etc"
+        "/lib"
+        "/lib64"
+        "/opt"
+        "/proc"
+        "/root"
+        "/run"
+        "/sbin"
+        "/sys"
+        "/tmp"
+        "/usr"
+        "/var"
+    )
+
+    # Check if path matches any dangerous path
+    for dangerous in "${dangerous_paths[@]}"; do
+        if [ "$path" = "$dangerous" ] || [[ "$path" == "$dangerous"/* ]]; then
+            echo "⚠️  NEBEZPEČNÉ: Odmítám měnit oprávnění pro $path (systémový adresář)"
+            return 1
+        fi
+    done
+
+    # Only allow /mnt/* and /home/*/specific-dirs (but not /home itself)
+    if [[ "$path" == /mnt/* ]]; then
+        return 0
+    elif [[ "$path" == /home/*/* ]]; then
+        # Allow /home/user/something but not /home or /home/user
+        return 0
+    else
+        echo "⚠️  VAROVÁNÍ: $path není v bezpečné cestě (/mnt/* nebo /home/user/dir)"
+        return 1
+    fi
+}
+
 # OPRAVENÁ FUNKCE: Vytvoří sdílení se správným formátováním a `force user`
 create_share() {
     local share_name="$1"
@@ -278,11 +322,15 @@ EOT
                 usermod -a -G sambashare "$DETECTED_USER" 2>/dev/null || true
             fi
 
-            # Nastav filesystem permissions
-            if [ -d "$share_path" ]; then
+            # Nastav filesystem permissions - ONLY FOR SAFE PATHS
+            if [ -d "$share_path" ] && is_safe_path_for_permissions "$share_path"; then
+                echo "  - Nastavuji oprávnění pro $share_path"
                 chown -R :sambashare "$share_path" 2>/dev/null || true
                 chmod -R g+rw "$share_path" 2>/dev/null || true
                 chmod g+s "$share_path" 2>/dev/null || true
+            elif [ -d "$share_path" ]; then
+                echo "  - ⚠️  Přeskakuji nastavení oprávnění (systémový adresář)"
+                echo "  - Pro přístup nastavte oprávnění manuálně"
             fi
 
             cat <<EOT >> "$CONFIG_FILE"
@@ -817,11 +865,16 @@ configure_user_shares() {
         local share_path=$(grep -A 10 "^\[$share\]" "$CONFIG_FILE" | grep "^   path = " | head -1 | sed 's/^   path = //')
 
         if [ -n "$share_path" ] && [ -d "$share_path" ]; then
-            # Nastav filesystem permissions
+            # CRITICAL SAFETY: Only modify permissions on safe paths
+            if is_safe_path_for_permissions "$share_path"; then
                 echo "  - Nastavuji filesystem oprávnění pro $share_path"
                 chown -R :sambashare "$share_path" 2>/dev/null || true
                 chmod -R g+rw "$share_path" 2>/dev/null || true
                 chmod g+s "$share_path" 2>/dev/null || true  # SetGID bit
+            else
+                echo "  - ⚠️  PŘESKAKUJI: $share_path je systémový adresář"
+                echo "  - Nastavte oprávnění manuálně pokud je potřeba"
+            fi
         fi
 
         # Zkontroluj jestli sdílení má valid users