Author: abartlet Date: 2007-07-19 07:48:26 +0000 (Thu, 19 Jul 2007) New Revision: 23966
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23966 Log: It isn't great, but at least now we have some access control in SWAT This patch prevents non-root and non-administrator users from running the provision, upgrade and vampire pages. *I think* the rest of SWAT is LDB operations, or otherwise authenticated, so we should now be secure. I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c branches/SAMBA_4_0/webapps/install/provision.esp branches/SAMBA_4_0/webapps/install/vampire.esp Changeset: Modified: branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c =================================================================== --- branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c 2007-07-19 06:44:18 UTC (rev 23965) +++ branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c 2007-07-19 07:48:26 UTC (rev 23966) @@ -80,6 +80,11 @@ NTSTATUS status; /* Shortcuts to prevent recursion and avoid lookups */ + if (token->user_sid == NULL) { + token->privilege_mask = 0; + return NT_STATUS_OK; + } + if (security_token_is_system(token)) { token->privilege_mask = ~0; return NT_STATUS_OK; Modified: branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c =================================================================== --- branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c 2007-07-19 06:44:18 UTC (rev 23965) +++ branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c 2007-07-19 07:48:26 UTC (rev 23966) @@ -27,6 +27,7 @@ #include "scripting/ejs/smbcalls.h" #include "lib/events/events.h" #include "lib/messaging/irpc.h" +#include "libcli/security/security.h" static int ejs_doauth(MprVarHandle eid, TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username, @@ -39,6 +40,7 @@ struct auth_context *auth_context; struct MprVar *session_info_obj; NTSTATUS nt_status; + bool set; struct smbcalls_context *c; struct event_context *ev; @@ -111,6 +113,32 @@ goto done; } + if (security_token_has_nt_authenticated_users(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("USER")); + set = true; + } + + if (security_token_has_builtin_administrators(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR")); + set = true; + } + + if (security_token_is_system(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("SYSTEM")); + set = true; + } + + if (security_token_is_anonymous(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted")); + mprSetPropertyValue(auth, "result", mprCreateBoolVar(False)); + goto done; + } + + if (!set) { + mprSetPropertyValue(auth, "report", mprString("Session Info generation failed")); + mprSetPropertyValue(auth, "result", mprCreateBoolVar(False)); + } + session_info_obj = mprInitObject(eid, "session_info", 0, NULL); mprSetPtrChild(session_info_obj, "session_info", session_info); @@ -121,6 +149,23 @@ mprSetPropertyValue(auth, "username", mprString(server_info->account_name)); mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name)); + if (security_token_is_system(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("SYSTEM")); + } + + if (security_token_is_anonymous(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("ANONYMOUS")); + } + + if (security_token_has_builtin_administrators(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR")); + } + + if (security_token_has_nt_authenticated_users(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("USER")); + } + + done: return 0; } Modified: branches/SAMBA_4_0/webapps/install/provision.esp =================================================================== --- branches/SAMBA_4_0/webapps/install/provision.esp 2007-07-19 06:44:18 UTC (rev 23965) +++ branches/SAMBA_4_0/webapps/install/provision.esp 2007-07-19 07:48:26 UTC (rev 23966) @@ -12,70 +12,77 @@ var i; var lp = loadparm_init(); -if (lp.get("realm") == "") { - lp.set("realm", lp.get("workgroup") + ".example.com"); -} +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { -var subobj = provision_guess(); -/* Don't supply default password for web interface */ -subobj.ADMINPASS = ""; + if (lp.get("realm") == "") { + lp.set("realm", lp.get("workgroup") + ".example.com"); + } -f.add("REALM", "DNS Domain Name"); -f.add("DOMAIN", "NetBIOS Domain Name"); -f.add("HOSTNAME", "Hostname"); -f.add("ADMINPASS", "Administrator Password", "password"); -f.add("CONFIRM", "Confirm Password", "password"); -f.add("DOMAINSID", "Domain SID"); -f.add("HOSTIP", "Host IP"); -f.add("DEFAULTSITE", "Default Site"); -f.submit[0] = "Provision"; -f.submit[1] = "Cancel"; + var subobj = provision_guess(); + /* Don't supply default password for web interface */ + subobj.ADMINPASS = ""; -if (form['submit'] == "Cancel") { - redirect("/"); -} + f.add("REALM", "DNS Domain Name"); + f.add("DOMAIN", "NetBIOS Domain Name"); + f.add("HOSTNAME", "Hostname"); + f.add("ADMINPASS", "Administrator Password", "password"); + f.add("CONFIRM", "Confirm Password", "password"); + f.add("DOMAINSID", "Domain SID"); + f.add("HOSTIP", "Host IP"); + f.add("DEFAULTSITE", "Default Site"); + f.submit[0] = "Provision"; + f.submit[1] = "Cancel"; -if (form['submit'] == "Provision") { - for (r in form) { - subobj[r] = form[r]; + if (form['submit'] == "Cancel") { + redirect("/"); } -} -for (i=0;i<f.element.length;i++) { - f.element[i].value = subobj[f.element[i].name]; -} + if (form['submit'] == "Provision") { + for (r in form) { + subobj[r] = form[r]; + } + } -if (form['submit'] == "Provision") { + for (i=0;i<f.element.length;i++) { + f.element[i].value = subobj[f.element[i].name]; + } - /* overcome an initially blank smb.conf */ - lp.set("realm", subobj.REALM); - lp.set("workgroup", subobj.DOMAIN); - lp.reload(); - var goodpass = (subobj.CONFIRM == subobj.ADMINPASS); + if (form['submit'] == "Provision") { + + /* overcome an initially blank smb.conf */ + lp.set("realm", subobj.REALM); + lp.set("workgroup", subobj.DOMAIN); + lp.reload(); + var goodpass = (subobj.CONFIRM == subobj.ADMINPASS); - if (!goodpass) { - write("<h3>Passwords don't match. Please try again.</h3>"); - f.display(); - } else if (subobj.ADMINPASS == "") { - write("<h3>You must choose an administrator password. Please try again.</h3>"); - f.display(); - } else if (!provision_validate(subobj, writefln)) { - f.display(); - } else { - var paths = provision_default_paths(subobj); - if (!provision(subobj, writefln, false, paths, - session.authinfo.session_info, session.authinfo.credentials, false)) { - writefln("Provision failed!"); - } else if (!provision_dns(subobj, writefln, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("DNS Provision failed!"); + if (!goodpass) { + write("<h3>Passwords don't match. Please try again.</h3>"); + f.display(); + } else if (subobj.ADMINPASS == "") { + write("<h3>You must choose an administrator password. Please try again.</h3>"); + f.display(); + } else if (!provision_validate(subobj, writefln)) { + f.display(); } else { - writefln("Provision Complete!"); + var paths = provision_default_paths(subobj); + if (!provision(subobj, writefln, false, paths, + session.authinfo.session_info, session.authinfo.credentials, false)) { + writefln("Provision failed!"); + } else if (!provision_dns(subobj, writefln, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("DNS Provision failed!"); + } else { + writefln("Provision Complete!"); + } } + } else { + f.display(); } } else { - f.display(); + redirect("/"); } + %> Modified: branches/SAMBA_4_0/webapps/install/vampire.esp =================================================================== --- branches/SAMBA_4_0/webapps/install/vampire.esp 2007-07-19 06:44:18 UTC (rev 23965) +++ branches/SAMBA_4_0/webapps/install/vampire.esp 2007-07-19 07:48:26 UTC (rev 23966) @@ -14,6 +14,11 @@ var i; var lp = loadparm_init(); +if (session.authinfo.user_class != "ADMINISTRATOR" + && session.authinfo.user_class != "SYSTEM") { + redirect("/"); +} + if (lp.get("realm") == "") { lp.set("realm", lp.get("workgroup") + ".example.com"); }
