SWAT: please help

Andrew Bartlett abartlet at pcug.org.au
Tue Mar 6 08:03:05 GMT 2001


GL Fournerat wrote:
> 
> To: Thomas Cameron
>         Russ Brooks
>         Andrew Bartlett
> 
> Thanks a million guys.  I've got several options to look into now... and that's
> far better than where I've been lately.
> 
> Re: my /etc/xinetd/swat file....
> 
> in the
>         user     = smbuser
> line, I should have added that after I created the 'smb' group,  I then created
> the user account 'smbuser'... and made root  (and smbuser) a member of the smb
> group (along with a select few others).  So, by 'smbuser' being a member of the
> 'smb' group, along with root, I was hoping that root access would be deferred to
> smbuser (at least for the 'smb' group)... but it probably doesn't work that way.
> This was all done in hopes of keeping root out of the SWAT equation... and is
> probably the root cause of all my problems. LOL
> 
> Another issue to dig into is that I have the smbuser user account disabled (with
> regard to logins and with no password assigned to the user) so I'll tinker with
> this as well.
> 
> Is it safe to assume that "user     = " is looking for a user account.. and not a
> group account?  I'm uncertain about this since "root" can be either.  On the same
> note, can a user or group with root access be inserted here?

The user you want the daemon to run as is listed here, i.e. echo and
finger both run as nobody, but ftp must run as root (hence half the
problems with FTP, but that's another story).

> 
> in the
>         only_from = 127.0.0.1
> line, I have tried 'localhost' there as well.. with the same results
> (Authentication failed. Retry?).  I have not tried removing the line altogether
> (yet).

Leave it in.  You wouldn't even get the authentication message if you
didn't pass this 'test'.

> 
> Re: /etc/pam.d/samba
> 
> It's there Tom.. exactly as you copied from your system.
> 
> I thought PAM was going to be at least a part of the problem because I looked
> into /var/log/ and found..  (I see now PAM was only doing what it's supposed to..
> and this is pam-0.72-37)
> 
> Mar 5 08:19:52 arendia PAM_unix[669]: (login) session opened for user root by
> LOGIN(uid=0)
> Mar 5 08:20:13 arendia PAM_unix[786]: authentication failure; (uid=505) -> root
> for samba service
> 
> {505 is the uid for the smbuser user account}
> 
> Re: (I know, I know...  bad sysadmin!)
> 
> To date, the only way that seems to work is by using root.. bad sysadmin or not.

As I often (at least in the last few days) point out, the user who can
edit smb.conf is only a root preexec away from being root.  Therefore
only root can edit smb.conf.  Therefore SWAT must run as root.
Therefore xinetd (the program that reads /etc/xinetd.d/swat and starts
SWAT when accessed) must be told to start SWAT as root.  SWAT doesn't
read this file, and its behavior is only impacted by the way it is
started, and what permissions it's started with.

So that swat doesn't allow Random Joe Hacker access to modify smb.conf
it asks for a password, and to check that password it must be root.
Upon verification, it changes its userid to that user, and if it can
still modify smb.conf allows them in.  (If they can't they get the
ability to view the config, and to change their password - but nothing
else).

So the bottom line is, while doing things as root could be considered a
bad idea, it's the only option in this case, and therefore not 'bad
sysadmin'.  Note that Samba as a whole must run as root, for exactly
this reason.

The one thing that is 'bad sysadmin' is what hosts can access swat, as
running a password cracker against it would be trivial, and there is a
small detail whereby it can make it easier to guess usernames.  Note
that these issues are also present in the SMB protocol, so just don't
run SWAT where you wouldn't allow SMB access.  Running 'only_from =
localhost' is a GOOD IDEA.

Hope this clarifies things,
Andrew Bartlett

> 
> Thanks again guys!!!
> 
> Gary
> 

-- 
Andrew Bartlett
abartlet at pcug.org.au
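The two settings Andrew's reply turns on, "user = root" and an "only_from" restricted to the local host, can be checked mechanically. The script below is an added audit helper, not code from the thread or from Samba; the stanzas it audits are constructed samples, and the attribute names are the xinetd ones shown in the quoted config.

```shell
# Added audit helper (not from the thread or Samba): checks an xinetd stanza such as
# /etc/xinetd.d/swat for "user = root" and an "only_from" limited to the local host.

# Print the value of attribute $2 from the stanza text in $1 (first match only).
xinetd_attr() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' \
        '$1 ~ ("^[ \t]*" key "[ \t]*$") { sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); print $2; exit }'
}

# Return 0 if the stanza text in $1 is acceptable, 1 otherwise; reasons go to stderr.
check_swat_stanza() {
    ok=0
    user=$(xinetd_attr "$1" user)
    if [ "$user" != root ]; then
        echo "user = '$user': SWAT must run as root to verify passwords and edit smb.conf" >&2
        ok=1
    fi
    hosts=$(xinetd_attr "$1" only_from)
    if [ -z "$hosts" ]; then
        echo "only_from missing: SWAT's password prompt is reachable from any host" >&2
        ok=1
    fi
    for h in $hosts; do
        case $h in
            127.0.0.1|localhost|::1) ;;   # local access only, as the reply recommends
            *) echo "only_from allows '$h': exposes SWAT logins to that network" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed sample stanza resembling the poster's setup (not copied from the thread).
BAD_STANZA='service swat
{
        only_from       = 192.168.1.0/24 127.0.0.1
        user            = smbuser
        server          = /usr/sbin/swat
}'

# The same stanza with the settings the reply calls for.
GOOD_STANZA='service swat
{
        only_from       = 127.0.0.1
        user            = root
        server          = /usr/sbin/swat
}'

# Audit the real file with: check_swat_stanza "$(cat /etc/xinetd.d/swat)"
if check_swat_stanza "$BAD_STANZA"; then echo "sample: OK"; else echo "sample: needs fixing"; fi
```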