diff --git a/nemo-extensions.changes b/nemo-extensions.changes
index c79501b..644a063 100644
--- a/nemo-extensions.changes
+++ b/nemo-extensions.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 6 14:09:43 UTC 2018 - sor.alexei@meowr.ru
+
+- Add nemo-share-3.8.0-prevent-privilege-escalation.patch: Prevent
+ unprivileged users from adding other users to sambashare
+ (commit a831e7b, bsc#1084703).
+
 -------------------------------------------------------------------
 Thu May 8 20:40:20 UTC 2018 - sor.alexei@meowr.ru
diff --git a/nemo-extensions.spec b/nemo-extensions.spec
index 3ee3b0a..ba0dddd 100644
--- a/nemo-extensions.spec
+++ b/nemo-extensions.spec
@@ -36,6 +36,8 @@ Patch1: nemo-dropbox_no-dropbox-bin.patch
 Patch2: nemo-seahorse_gpg-2.2.patch
 # PATCH-FIX-OPENSUSE nemo-gtkhash_openssl-1.1.patch sor.alexei@meowr.ru -- Add basic OpenSSL 1.1+ compatibility in nemo-gtkhash.
 Patch3: nemo-gtkhash_openssl-1.1.patch
+# PATCH-FIX-UPSTREAM nemo-share-3.8.0-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
+Patch4: nemo-share-3.8.0-prevent-privilege-escalation.patch
 BuildRequires: gettext-runtime
 BuildRequires: gnome-common
 BuildRequires: intltool
@@ -363,6 +365,7 @@ directory in Nemo.
 %patch1
 %patch2
 %patch3
+%patch4
 # Remove spurious executable permission.
 chmod a-x nemo-audio-tab/COPYING.GPL3 nemo-emblems/COPYING.GPL3
diff --git a/nemo-share-3.8.0-prevent-privilege-escalation.patch b/nemo-share-3.8.0-prevent-privilege-escalation.patch
new file mode 100644
index 0000000..956753c
--- /dev/null
+++ b/nemo-share-3.8.0-prevent-privilege-escalation.patch
@@ -0,0 +1,28 @@
+--- nemo-share.orig/src/install-samba
++++ nemo-share/src/install-samba
+@@ -33,12 +33,20 @@ class Main:
+ if __name__ == "__main__":
+ ml = GLib.MainLoop.new(None, True)
+
+- if len(sys.argv) == 2:
+- user = sys.argv[1]
+- else:
+- uid = int(os.getenv("PKEXEC_UID"))
++ # prefer using the uid provided by pkexec to the command line argument. if
++ # a user authenticated via pkexec then he should only be able to add
++ # himself to the group.
++ uid = os.getenv("PKEXEC_UID", None)
++
++ if uid != None:
++ uid = int(uid)
+ passwd = pwd.getpwuid(uid)
+ user = passwd[0]
++ elif len(sys.argv) == 2:
++ user = sys.argv[1]
++ else:
++ print("No target uid in environment or on command line found.")
++ exit(-1)
+
+ main = Main(user)
+ ml.run()
+
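Review bot: In the new `if uid != None:` branch, `int(uid)` and `pwd.getpwuid(uid)` have no handler, so a `PKEXEC_UID` value that is non-numeric or names no account raises ValueError or KeyError and the helper dies with a traceback instead of the explicit refusal the `else` branch gives; catching both and exiting the same way keeps the failure deliberate. The comparison should be `if uid is not None:`, the `None` default in `os.getenv("PKEXEC_UID", None)` is redundant, and `exit(-1)` is the interactive `site` helper whose status becomes 255 — `sys.exit(1)` with the message on stderr is the conventional form for a script launched by pkexec. When `PKEXEC_UID` is set, a differing command-line user is silently overridden, which is the intended safe behaviour, but a short stderr notice would make the substitution visible in logs. The lines of the `if __name__ == "__main__":` block after `ml.run()` are not visible here, and `class Main` itself lies outside the hunk.
```python
if __name__ == "__main__":
    # … unchanged: ml = GLib.MainLoop.new(None, True) and the explanatory comment …
    uid = os.getenv("PKEXEC_UID")

    if uid is not None:
        try:
            user = pwd.getpwuid(int(uid))[0]
        except (ValueError, KeyError):
            print("PKEXEC_UID is not a valid uid.", file=sys.stderr)
            sys.exit(1)
    elif len(sys.argv) == 2:
        user = sys.argv[1]
    else:
        print("No target uid in environment or on command line found.", file=sys.stderr)
        sys.exit(1)
    # … unchanged: main = Main(user); ml.run() …
```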