svn commit: samba r23966 - in branches/SAMBA_4_0: source/dsdb/samdb source/scripting/ejs webapps/install

abartlet at samba.org abartlet at samba.org
Thu Jul 19 07:48:27 GMT 2007


Author: abartlet
Date: 2007-07-19 07:48:26 +0000 (Thu, 19 Jul 2007)
New Revision: 23966

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23966

Log:
It isn't great, but at least now we have some access control in SWAT

This patch prevents non-root and non-administrator users from running
the provision, upgrade and vampire pages.  *I think* the rest of SWAT
is LDB operations, or otherwise authenticated, so we should now be
secure.

I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c
   branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c
   branches/SAMBA_4_0/webapps/install/provision.esp
   branches/SAMBA_4_0/webapps/install/vampire.esp


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c	2007-07-19 06:44:18 UTC (rev 23965)
+++ branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c	2007-07-19 07:48:26 UTC (rev 23966)
@@ -80,6 +80,11 @@
 	NTSTATUS status;
 
 	/* Shortcuts to prevent recursion and avoid lookups */
+	if (token->user_sid == NULL) {
+		token->privilege_mask = 0;
+		return NT_STATUS_OK;
+	}
+
 	if (security_token_is_system(token)) {
 		token->privilege_mask = ~0;
 		return NT_STATUS_OK;
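Review bot: The new `user_sid == NULL` branch sits under the comment "Shortcuts to prevent recursion and avoid lookups", which does not explain why a token without a user SID is accepted with an empty mask and NT_STATUS_OK. A line such as `/* No user SID: grant no privileges rather than failing */` would record the intent, if that is the intent. As written, a caller cannot tell this case from a real user who holds no privileges. The function begins and ends outside the hunk.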

Modified: branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c
===================================================================
--- branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c	2007-07-19 06:44:18 UTC (rev 23965)
+++ branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c	2007-07-19 07:48:26 UTC (rev 23966)
@@ -27,6 +27,7 @@
 #include "scripting/ejs/smbcalls.h"
 #include "lib/events/events.h"
 #include "lib/messaging/irpc.h"
+#include "libcli/security/security.h"
 
 static int ejs_doauth(MprVarHandle eid,
 		      TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username, 
@@ -39,6 +40,7 @@
 	struct auth_context *auth_context;
 	struct MprVar *session_info_obj;
 	NTSTATUS nt_status;
+	bool set;
 
 	struct smbcalls_context *c;
 	struct event_context *ev;
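Review bot: `bool set;` is declared without an initialiser, yet the next hunk reads it in `if (!set)` on paths where none of the three class tests assigned it. The fail-closed check there therefore depends on an indeterminate value and may not fire for a token that matched no class. Declare it as `bool set = false;`. The rest of ejs_doauth lies outside this hunk.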
@@ -111,6 +113,32 @@
 		goto done;
 	}
 
+	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("USER"));
+		set = true;
+	}
+	
+	if (security_token_has_builtin_administrators(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
+		set = true;
+	}
+
+	if (security_token_is_system(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
+		set = true;
+	}
+
+	if (security_token_is_anonymous(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
+		mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+		goto done;
+	}
+
+	if (!set) {
+		mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+		mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+	}
+	
 	session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
 
 	mprSetPtrChild(session_info_obj, "session_info", session_info);
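Review bot: The `if (!set)` branch records `result` as false but has no `goto done;`, so a token that matched no class still falls through to `mprInitObject` and has its `session_info` attached to the auth object. The anonymous branch just above it does jump out, so the two refusal paths behave differently. Add `goto done;` as the last statement of the `!set` branch. The function continues outside this hunk.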
@@ -121,6 +149,23 @@
 	mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
 	mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
 
+	if (security_token_is_system(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
+	}
+
+	if (security_token_is_anonymous(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
+	}
+
+	if (security_token_has_builtin_administrators(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
+	}
+
+	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("USER"));
+	}
+
+
 done:
 	return 0;
 }
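Review bot: The four `report` writes run in the opposite order from the `user_class` block earlier in the function, so the authenticated-users test comes last and an administrator token that also carries that SID would end up with `report` set to "USER". The anonymous branch here looks unreachable, since the earlier block already jumps to `done` for anonymous tokens. `report` is also the property used for failure text earlier in the function, so reusing it for a class name on success gives it two meanings. Either drop this group and let callers read `user_class`, or test in the same order as the earlier block so that the most privileged class wins.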

Modified: branches/SAMBA_4_0/webapps/install/provision.esp
===================================================================
--- branches/SAMBA_4_0/webapps/install/provision.esp	2007-07-19 06:44:18 UTC (rev 23965)
+++ branches/SAMBA_4_0/webapps/install/provision.esp	2007-07-19 07:48:26 UTC (rev 23966)
@@ -12,70 +12,77 @@
 var i;
 var lp = loadparm_init();
 
-if (lp.get("realm") == "") {
-	lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+	 || session.authinfo.user_class == "SYSTEM") {
 
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+	if (lp.get("realm") == "") {
+		lp.set("realm", lp.get("workgroup") + ".example.com");
+	}
 
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("HOSTNAME", "Hostname");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("CONFIRM", "Confirm Password", "password");
-f.add("DOMAINSID", "Domain SID");
-f.add("HOSTIP", "Host IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Provision";
-f.submit[1] = "Cancel";
+	var subobj = provision_guess();
+	/* Don't supply default password for web interface */
+	subobj.ADMINPASS = "";
 
-if (form['submit'] == "Cancel") {
-	redirect("/");
-}
+	f.add("REALM", "DNS Domain Name");
+	f.add("DOMAIN", "NetBIOS Domain Name");
+	f.add("HOSTNAME", "Hostname");
+	f.add("ADMINPASS", "Administrator Password", "password");
+	f.add("CONFIRM", "Confirm Password", "password");
+	f.add("DOMAINSID", "Domain SID");
+	f.add("HOSTIP", "Host IP");
+	f.add("DEFAULTSITE", "Default Site");
+	f.submit[0] = "Provision";
+	f.submit[1] = "Cancel";
 
-if (form['submit'] == "Provision") {
-	for (r in form) {
-		subobj[r] = form[r];
+	if (form['submit'] == "Cancel") {
+		redirect("/");
 	}
-}
 
-for (i=0;i<f.element.length;i++) {
-	f.element[i].value = subobj[f.element[i].name];
-}
+	if (form['submit'] == "Provision") {
+		for (r in form) {
+			subobj[r] = form[r];
+		}
+	}
 
-if (form['submit'] == "Provision") {
+	for (i=0;i<f.element.length;i++) {
+		f.element[i].value = subobj[f.element[i].name];
+	}
 
-        /* overcome an initially blank smb.conf */
-	lp.set("realm", subobj.REALM);
-	lp.set("workgroup", subobj.DOMAIN);
-	lp.reload();
-	var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+	if (form['submit'] == "Provision") {
+	
+        	/* overcome an initially blank smb.conf */
+		lp.set("realm", subobj.REALM);
+		lp.set("workgroup", subobj.DOMAIN);
+		lp.reload();
+		var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
 
-	if (!goodpass) {
-		write("<h3>Passwords don't match.  Please try again.</h3>");
-		f.display();
-	} else if (subobj.ADMINPASS == "") {
-		write("<h3>You must choose an administrator password.  Please try again.</h3>");
-		f.display();
-	} else if (!provision_validate(subobj, writefln)) {
-		f.display();
-	} else {
-		var paths = provision_default_paths(subobj);
-		if (!provision(subobj, writefln, false, paths, 
-			       session.authinfo.session_info, session.authinfo.credentials, false)) {
-			writefln("Provision failed!");
-		} else if (!provision_dns(subobj, writefln, paths,
-					  session.authinfo.session_info, session.authinfo.credentials)) {
-			writefln("DNS Provision failed!");
+		if (!goodpass) {
+			write("<h3>Passwords don't match.  Please try again.</h3>");
+			f.display();
+		} else if (subobj.ADMINPASS == "") {
+			write("<h3>You must choose an administrator password.  Please try again.</h3>");
+			f.display();
+		} else if (!provision_validate(subobj, writefln)) {
+			f.display();
 		} else {
-			writefln("Provision Complete!");
+			var paths = provision_default_paths(subobj);
+			if (!provision(subobj, writefln, false, paths, 
+				       session.authinfo.session_info, session.authinfo.credentials, false)) {
+				writefln("Provision failed!");
+			} else if (!provision_dns(subobj, writefln, paths,
+						  session.authinfo.session_info, session.authinfo.credentials)) {
+				writefln("DNS Provision failed!");
+			} else {
+				writefln("Provision Complete!");
+			}
 		}
+	} else {
+		f.display();
 	}
 } else {
-	f.display();
+	redirect("/");
 }
+
 %>
 
 
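Review bot: The `user_class` test that opens this hunk is written out by hand here and again, negated, in vampire.esp, and the log message also names the upgrade page although no upgrade file appears in the Modified list. If that page is not guarded elsewhere, it remains reachable by any logged-in user after this revision. A single shared check included by every install page would keep them in step. At minimum, a comment above the test such as `/* install pages are restricted to ADMINISTRATOR and SYSTEM */` would make the policy visible where it is enforced.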

Modified: branches/SAMBA_4_0/webapps/install/vampire.esp
===================================================================
--- branches/SAMBA_4_0/webapps/install/vampire.esp	2007-07-19 06:44:18 UTC (rev 23965)
+++ branches/SAMBA_4_0/webapps/install/vampire.esp	2007-07-19 07:48:26 UTC (rev 23966)
@@ -14,6 +14,11 @@
 var i;
 var lp = loadparm_init();
 
+if (session.authinfo.user_class != "ADMINISTRATOR"
+	 && session.authinfo.user_class != "SYSTEM") {
+	redirect("/");
+}
+
 if (lp.get("realm") == "") {
 	lp.set("realm", lp.get("workgroup") + ".example.com");
 }
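Review bot: The guard added here only calls `redirect("/")` and leaves the rest of the page outside any `else`, so it protects the vampire operation only if `redirect()` stops script execution; nothing in this changeset shows that it does. provision.esp in the same commit wraps the whole privileged body in the positive test and redirects in the `else`, which does not depend on that behaviour. Use the same shape here: open with `if (session.authinfo.user_class == "ADMINISTRATOR" || session.authinfo.user_class == "SYSTEM") {` around the remainder of the script and close with `} else { redirect("/"); }`. The page continues outside the hunk.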


