samba: make sure shares are not accesible from the internet

The reason for this patch is explained in issue #789 .
See also: !2250

Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Don't enable app when upgrading]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>

plinth/modules/samba/__init__.py

@@ -41,7 +41,7 @@ class SambaApp(app_module.App):
 
     app_id = 'samba'
 
-    _version = 2
+    _version = 3
 
     def __init__(self):
         """Create components for the app."""
@@ -99,7 +99,8 @@ class SambaApp(app_module.App):
         """Install and configure the app."""
         super().setup(old_version)
         privileged.setup()
-        self.enable()
+        if not old_version:
+            self.enable()
 
 
 class SambaBackupRestore(BackupRestore):

plinth/modules/samba/privileged.py

@@ -39,6 +39,14 @@ CONF = r'''
    deadtime = 5
    # enable registry based shares
    registry shares = yes
+   # Make sure Samba isn't available over the Internet.
+   # https://en.wikipedia.org/wiki/localhost
+   # https://en.wikipedia.org/wiki/Private_network
+   # https://en.wikipedia.org/wiki/Link-local_address
+   # https://en.wikipedia.org/wiki/Unique_local_address
+   access control = yes
+   hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 [::1] [fc00::]/7 [fe80::]
+   hosts deny = all
 '''  # noqa: E501