Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Samba: Update Samba add-on to allow selectively enabling folders #3701

Open
wants to merge 44 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 33 commits
Commits
Show all changes
44 commits
Select commit Hold shift + click to select a range
d2fc1ef
Updating to add option to enable specific shares for exporting, and t…
as-kholin Jul 28, 2024
ae11735
Updating translations for descriptive titles for the different folders
as-kholin Jul 29, 2024
a3105fc
Update DOCS.md to explain settings. Update init-smbd to block startu…
as-kholin Jul 29, 2024
6f4c772
remove unintentional extra line
as-kholin Jul 29, 2024
09ef073
Updating grammer per coderabbitai
as-kholin Jul 29, 2024
537522e
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Jul 29, 2024
8a0d55d
Incrementing version number
as-kholin Jul 29, 2024
7d313cb
Added Changelog update, and changed the version update in config to m…
as-kholin Jul 29, 2024
8d6ccb5
Updating to account for coderabbitai feedback on CHANGELOG
as-kholin Jul 29, 2024
40ccb71
Rebase to home-assistant/addons PR #3704 - Samba: correct benign idma…
as-kholin Jul 30, 2024
f1417d3
Letsencrypt: Add support for noris network DNS provider (#3697)
nana-ska Jul 30, 2024
372c2a7
Rebasing CHANGELOG updates
as-kholin Jul 29, 2024
e3e3dd7
Merging in changes from upstream
as-kholin Jul 31, 2024
8e9b5bd
Correct YAMLLing errors in user-facing descriptions due to long lines
as-kholin Jul 31, 2024
d020619
Correct typo on user descriptions in translations
as-kholin Jul 31, 2024
d62e9db
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 5, 2024
dae9c99
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 6, 2024
26c70a7
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 6, 2024
acc72b5
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 14, 2024
58b754e
Per frenck's feedback:
as-kholin Aug 14, 2024
1093201
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 16, 2024
0f8f768
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 26, 2024
86699ce
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Aug 27, 2024
a8b41c3
Correct missed adjustment when config variable names were changed
as-kholin Aug 30, 2024
ed18112
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 2, 2024
5d6903b
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 5, 2024
0ed4082
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 11, 2024
f8322c4
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 12, 2024
15a5626
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 13, 2024
da6295e
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 23, 2024
9bc5fda
Correct unintended Translation adjustment
as-kholin Sep 24, 2024
7b4c04d
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 27, 2024
89bd885
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Sep 28, 2024
62492fb
Merge branch 'home-assistant:master' into smb_selective_enable
as-kholin Oct 4, 2024
6f8282f
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Oct 10, 2024
9f62db3
Revamped selective enable
as-kholin Oct 10, 2024
25b4758
Updated translation to 80 character line limit
as-kholin Oct 10, 2024
e830809
Updated documentation based on CodeRabbit Feedback
as-kholin Oct 10, 2024
11acf7b
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Oct 21, 2024
47495b8
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Oct 25, 2024
9fb8782
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Nov 3, 2024
a940a04
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Nov 15, 2024
0a1bc6d
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Dec 10, 2024
f3d3e59
Merge remote-tracking branch 'upstream/master' into smb_selective_enable
as-kholin Dec 16, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions samba/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,12 @@
# Changelog
## 13.0.0

This change enhances security and user control, but may require updating your configuration
to access shares that contain potentially sensitive information.

- Default shares reduced to 'media' and 'share'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logical reasoning behind this is unclear to me. The biggest use case for this add-on is accessing backups and the Home Assistant configuration.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to add that the current defaults already limit shares to local networks, and require authentication. So reducing the default shares would limit use cases for minimal security benefits (only if home network and samba authentication are both compromised).

Copy link
Member

@frenck frenck Aug 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fail to see that logic in this case, as it assumes those shares contain no sensitive information, which is very unlikely.

Additionally, the main use case for this add-on is accessing one's Home Assistant configuration; or transferring backups (both directions). The add-on should be set up for that use case out of the box.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with everything you are saying on both the defaults, as well as the use cases. However, the counterpoints I would make are:

  • exposing a share by default that allows either 'nuking' HA (by removing or encrypting all containing files - like config.yaml) or capturing secrets feels like it should be something the user should choose
  • While we are protected by default to local network, and username/password authentication, that assumes that the attack on it will be direct from the internet.
  • Tautological - for a user to use Samba, they have to connect to it using SMB, and authenticate to it.
  • In a world of viruses and ransomware, having the share enabled (used or not), and having that connection from the computer is enough for anything that attacks the users PC to 'make the jump' to also impacting HA. If the users computer is infected, and they have connected to SMB on HA, the only things safe are the things not exposed.

When I can access files such as

  • '.jwt_secret'
  • secrets.yaml
  • the private key for the certificate for HA Cloud
  • the JWT for the ACME account for it
    All falling under what is exposed using default filters in just the config folder, and know at least most of them are in the backups as well - then allowing access to them as the default case feels wider than it should be .

I feel strongly about this, but do not view most of it as a 'hill to die on'. If you disagree that the protection provided by only exposing things that are innocuous by default is worth the additional hassle of users having to turn on the specific shares they want, I will update, as the option is a step better than today, even if the defaults expose more than is ideal.

With that said, I would view the SSL folder as being a very high bar for saying 'we should be exposing this by default'. And, if we are exposing more of the other shares by default, I will want to update to add a few more default veto_files (covering at least the highest profile of the ones listed above).

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I'm a user interested on seeing this happen.

From this thread, I understand the only drawback was the selection of the 'default enabled' options? In which case I guess the PR dev can easily set the /config and /backup shares as default to support the "accessing one's Home Assistant configuration; or transferring backups" default use case.

Would that unlock this PR to be merged?

Copy link
Member

@frenck frenck Sep 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR has been discussed internally today; the conclusion is that we won't be accepting it in its current state.

We are happy to add the options to enable/disable access to certain shares. However, we will not be accepting new defaults on which of those shares are enabled or disabled at this point.

Some reasoning:

  • Disabling certain shares, the way it is done in this PR, will be a breaking change for existing users (as they suddenly will lose access to shares).
  • The main goal of why this add-on was created is to be able to access your configuration. This PR defeats that purpose, meaning every user starting with this add-on will run into oddities, not understanding why they can't see that. This creates additional frustration on the initial setup (especially for newer users).

Ideally, we agree, we would love to offer and force a choice to the user (similar like we do with the password setting), however, we don't have the UX abilities to make that happen for this specific case at the moment.

For the above reasoning, we welcome the new feature to disable shares, but we are not willing to accept a new defaults; all shares must be enabled (as is the case now).

../Frenck

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood. I am going to look at refactoring some of this based on this feedback as well. I will resubmit the PR once I have had a chance to do so and update the defaults (in the next 1-2 weeks).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TL;DR this is ready for review

In a number of ways, my refactor turned into a rewrite, but I believe that it has accomplished the requested changes, while also accomplishing the minimum goals:

  • No breaking change is introduced
  • No change of functionality without end user reconfiguration for a current install
  • Users can opt to turn off specific shares
  • No config introduced requires YAML config by the end user

In addition, the update had two further goals:

  • config is organized in such a way that, several months from now, the config could be updated in another PR to change the default without affecting existing installs, and make that a viable 'change before first run' (like the password, as mentioned by @frenck would be the 'ideal case')
  • config required is condensed as much as possible and is as high in the configuration screen as reasonable (so if that happens, the config is on the first screen and near the password field)

Looking for any feedback for the path to getting this PR merged from here.

- Add ability to selectively enable exposed shares.

## 12.3.2

- Suppress benign idmap logged error
Expand Down
53 changes: 53 additions & 0 deletions samba/DOCS.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,59 @@ when you absolutely need it and understand the possible consequences.

Defaults to `false`.

### Option: `enable_addons`

Setting this option to `true` will allow Samba to expose the 'addons' folder,
which is used for installing custom local plugins.

Defaults to `false`.

### Option: `enable_addon_configs`

Setting this option to `true` will allow Samba to expose the 'addon_configs' folder,
which is used for setting configuration of plugins.

defaults to `false`.

### Option: `enable_backups`

Setting this option to `true` will allow Samba to expose the 'backup' folder,
which is where HomeAssistant places its backups. These backups can contain any information
stored in your configurations for Homeassistant or any add-on, including secrets.

Defaults to `false`.

### Option: `enable_configs`

Setting this option to `true` will allow Samba to expose the 'config' folder,
which is where HomeAssistant stores it core configuration files and databases. This
includes secrets.

Defaults to `false`.

### Option: `enable_media`

This option will allow Samba to expose the 'media' folder, which is where HomeAssistant
expects you to store any local media files. This is generally safe to expose.

Defaults to `true`. If you want to not allow this access, change to `false`.

### Option: `enable_share`

This option will allow Samba to expose the 'share' folder, which is where HomeAssistant
stores information it expects to be shared between different plugins and HomeAssistant.

Defaults to `true`. If you want to not allow this access, change to `false`.

### Option: `enable_ssl`

Setting this option to `true` will allow Samba to expose the 'ssl' folder,
which is where HomeAssistant stores its public and private SSL keys. These are considered
sensitive because anyone who gets ahold of both parts can impersonante your HomeAssistant server,
including using that to collect credentials.

Defaults to `false`.

## Support

Got questions?
Expand Down
16 changes: 15 additions & 1 deletion samba/config.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
version: 12.3.2
version: 13.0.0
slug: samba
name: Samba share
description: Expose Home Assistant folders with SMB/CIFS
Expand Down Expand Up @@ -41,6 +41,13 @@ options:
- 169.254.0.0/16
- fe80::/10
- fc00::/7
allow_addons: false
allow_addon_configs: false
allow_backup: false
allow_config: false
allow_media: true
allow_share: true
allow_ssl: false
schema:
username: str
password: password
Expand All @@ -50,4 +57,11 @@ schema:
- str
allow_hosts:
- str
allow_addons: bool
allow_addon_configs: bool
allow_backup: bool
allow_config: bool
allow_media: bool
allow_share: bool
allow_ssl: bool
startup: services
6 changes: 6 additions & 0 deletions samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,12 @@ if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password
bashio::exit.nok "Setting a username and password is required!"
fi

if bashio::config.false 'enable_addons' && bashio::config.false 'enable_addon_configs' && bashio::config.false 'enable_backup' && \
bashio::config.false 'enable_config' && bashio::config.false 'enable_media' && bashio::config.false 'enable_share' && \
bashio::config.false 'enable_ssl'; then
bashio::exit.nok "No shares enabled for Samba to present!"
fi

# Read hostname from API or setting default "hassio"
HOSTNAME=$(bashio::info.hostname)
if bashio::var.is_empty "${HOSTNAME}"; then
Expand Down
14 changes: 14 additions & 0 deletions samba/rootfs/usr/share/tempio/smb.gtpl
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
dos charset = CP850
unix charset = UTF-8

{{ if .allow_config }}
[config]
browseable = yes
writeable = yes
Expand All @@ -36,7 +37,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_addons }}
[addons]
browseable = yes
writeable = yes
Expand All @@ -47,7 +50,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_addon_configs }}
[addon_configs]
browseable = yes
writeable = yes
Expand All @@ -58,7 +63,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_ssl }}
[ssl]
browseable = yes
writeable = yes
Expand All @@ -69,7 +76,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_share }}
[share]
browseable = yes
writeable = yes
Expand All @@ -80,7 +89,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_backup }}
[backup]
browseable = yes
writeable = yes
Expand All @@ -91,7 +102,9 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}

{{ if .allow_media }}
[media]
browseable = yes
writeable = yes
Expand All @@ -102,3 +115,4 @@
force group = root
veto files = /{{ .veto_files | join "/" }}/
delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
{{ end }}
34 changes: 34 additions & 0 deletions samba/translations/en.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,37 @@ configuration:
allow_hosts:
name: Allowed Hosts
description: List of hosts/networks allowed to access the shared folders.
allow_addons:
name: Allow Add-Ons folder
description: >-
Allow SMB access to the Add-ons folder.
This is disabled by default.
allow_addon_configs:
name: Allow Add-On Configs folder
description: >-
Allow SMB access to the Add-on Configurations folder.
This is disabled by default.
allow_backup:
name: Allow Backups folder
description: >-
Allow SMB access to the folder where HomeAssistant keeps its backups.
This is disabled by default.
allow_config:
name: Allow Configs folder
description: >-
Allow SMB access to the HomeAssistant Core configuration folder.
This is disabled by default.
allow_media:
name: Allow Media folder
description: >-
Allow SMB access to the Media folder
allow_share:
name: Allow Share folders
description: >-
Allow SMB access to the Share folder (which is shared with all
HomeAssistant Add-ons).
allow_ssl:
name: Allow SSL folder
description: >-
Allow SMB access to the ssl folder, where HomeAssistant keeps SSL Keys.
This is disabled by default.