mxnticek 6152fced71 CRITICAL FIX: Add safety checks to prevent breaking system files

ISSUE: Previous version could break sudo and system files
The recursive chown/chmod commands in configure_user_shares() and
create_share() could modify system directories like /usr, /etc, /home
causing critical system breakage including sudo permissions.

ROOT CAUSE:
- No validation of paths before recursive operations
- Could modify /, /usr, /home and other system directories
- Broke /usr/bin/sudo permissions (needs uid 0 and setuid bit)

SOLUTION: Added comprehensive path safety checks

New function: is_safe_path_for_permissions()
- Blacklists ALL dangerous system paths: /, /usr, /etc, /bin, /var, etc.
- Only allows /mnt/* (external disk mounts)
- Only allows /home/user/subdir (not /home or /home/user itself)
- Returns error for any system directory

Protection applied to:
1. create_share() - disk share creation (line 326)
2. configure_user_shares() - user access configuration (line 869)

Behavior:
- Safe paths (/mnt/*): Permissions applied normally
- Unsafe paths: Prints warning, skips permission changes
- Users must manually set permissions for system directories

Emergency fix instructions added to README:
- How to fix broken sudo (chown root:root /usr/bin/sudo && chmod 4755)
- Multiple recovery methods (root shell, su, recovery mode)
- Clear warning about older versions

This prevents catastrophic system breakage while still allowing
proper multi-user access for external disk shares.

APOLOGIES TO USERS: If you were affected by the previous version,
I'm deeply sorry for breaking your system. Please follow the
recovery instructions in the README.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-01-09 21:09:53 +01:00

6.5 KiB

Raw Permalink Blame History

FSA - Fucking Samba Ass

Universal Samba share management script that works across all major Linux distributions.

Features

🔍 Auto-detection: Automatically detects your Linux distribution
📦 Auto-installation: Installs Samba if not already present
👤 User-aware: Automatically detects the current user
🌐 Network-aware: Auto-detects network interfaces
💾 Disk management: Discovers and manages disk shares
🔄 Persistent mounts: Optionally adds disks to /etc/fstab for auto-mount on boot
🛡️ Safe: Creates backups before modifying configuration

Supported Distributions

Arch Linux / Manjaro
Debian / Ubuntu / Linux Mint / Pop!_OS
Fedora
RHEL / CentOS / Rocky Linux / AlmaLinux
openSUSE / SLES

Installation

Download the script:

wget https://forgejo.mxnticek.eu/mxnticek/FSA/raw/branch/main/spravuj_sdileni.sh
chmod +x spravuj_sdileni.sh

Run with sudo (the script will auto-install Samba if needed):

sudo ./spravuj_sdileni.sh

Usage

Initialize Configuration

Create a fresh Samba configuration with your user's home directory:

sudo ./spravuj_sdileni.sh init

Temporary mount (until reboot):

sudo ./spravuj_sdileni.sh mount-share

Permanent mount (adds to /etc/fstab):

sudo ./spravuj_sdileni.sh mount-share --mode=always

Manage Shares

Discover available disks:

sudo ./spravuj_sdileni.sh discover

Shows all detected disk partitions with their mount status, labels, and available space.

List configured shares:

sudo ./spravuj_sdileni.sh list

Create a specific share:

sudo ./spravuj_sdileni.sh create <share-name>

Delete a share:

sudo ./spravuj_sdileni.sh delete <share-name>

Auto-create shares for all mounted disks:

sudo ./spravuj_sdileni.sh auto-disks

User Management

Create a new Samba user:

sudo ./spravuj_sdileni.sh user-create [username]

This will:

Create a system user if it doesn't exist (with no shell access)
Prompt for a Samba password
Optionally configure which shares the user can access

List all Samba users:

sudo ./spravuj_sdileni.sh user-list

Configure share access for a user:

sudo ./spravuj_sdileni.sh user-access [username]

Interactively select which shares the user can access. This command:

Adds the user to the sambashare group
Sets proper filesystem permissions (group ownership + read/write)
Removes single-user restrictions (force user) from shares
Enables multi-user access with proper file ownership

Revoke user access from a share:

sudo ./spravuj_sdileni.sh user-revoke <username> <share-name>

Delete a Samba user:

sudo ./spravuj_sdileni.sh user-delete [username]

Optionally removes the system user as well.

How Permissions Work

FSA uses a group-based permission system for secure multi-user access:

sambashare Group: All Samba users are added to this group
Filesystem Permissions: Share directories are owned by group sambashare with read/write access
SetGID Bit: Ensures new files inherit the correct group ownership
No Force User: Multi-user shares don't force a specific user, preserving actual file ownership

This means:

✅ Multiple users can read/write files
✅ Files show the actual creator's ownership
✅ Proper Unix permissions are maintained
✅ No permission denied errors

Fixing Existing Users

If you created users before the permission system was fixed and they're getting "permission denied" errors:

sudo ./spravuj_sdileni.sh user-access <username>

Select the shares they should have access to. This will:

Add them to the sambashare group
Fix filesystem permissions
Update share configuration

Do NOT run init - that would delete your entire configuration!

The script creates different types of shares:

Read/write access for all users
Guest access enabled
Shares your user's home directory

Disk Shares

Automatically configured for external disks
Custom dfree scripts for accurate disk space reporting
Proper permissions (664/775)
Force user/group settings

Configuration

All shares include:

SMB2/SMB3 protocol support
Network restrictions (local networks only)
Optimized socket options
Performance tuning (sendfile, AIO)

Default allowed networks:

127.0.0.1 (localhost)
192.168.0.0/16 (private network)
10.0.0.0/8 (private network)
172.16.0.0/12 (private network)
100.64.0.0/10 (CGNAT/Tailscale)

Advanced Usage

Add [global] section to existing config

sudo ./spravuj_sdileni.sh add-global

Create all shares automatically

sudo ./spravuj_sdileni.sh create-all

This comprehensive command will:

Create your home directory share
Detect all disk partitions on the system
Automatically mount any unmounted disks to /mnt/<disk-label>
Add unmounted disks to /etc/fstab for persistence across reboots
Create Samba shares for all mounted disks

Perfect for initial setup or adding multiple disks at once!

Troubleshooting

CRITICAL: If sudo is broken after running user-access

Symptoms: sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

This happened if you ran an older version (before v1.3) that modified system directories.

Fix (choose one method):

Method 1 - If you're still root in a shell:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo

Method 2 - Switch to root user:

su -
chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo
exit

Method 3 - Recovery mode:

Reboot and select recovery/single-user mode in GRUB
Mount filesystem: mount -o remount,rw /
Fix sudo: chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
Reboot normally

After fixing sudo, update to the latest version of FSA which has safety checks!

Check service status

sudo systemctl status smbd nmbd
# or on some distros:
sudo systemctl status smb nmb

View logs

sudo journalctl -u smbd -u nmbd -f

Test configuration

sudo testparm

Check which shares are visible

smbclient -L localhost -N

Security Notes

Always review the generated configuration
Shares are restricted to local networks by default
Root share requires authentication
Guest access is only enabled for home shares by default

License

Do whatever the fuck you want with it.

Author

Created with frustration and love for Samba configuration.

6.5 KiB Raw Permalink Blame History