[RFC] Discontinuing SWAT
scott.lovenberg at gmail.com
Thu Apr 25 20:34:05 MDT 2013
On Thu, Apr 25, 2013 at 7:14 PM, C.J. Adams-Collier KF7BMP
<cjac at colliertech.org> wrote:
> On Fri, 2013-04-26 at 08:33 +1000, Andrew Bartlett wrote:
>> On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:
>> > Hi folks,
>> > I think it's time to put SWAT out of its misery. In the past few years,
>> > the only commits ever touching it were either API housekeeping or fixing
>> > remote root exploit security issues.
>> > The last time we had to do the latter, I accidentally broke password
>> > changes for users, and neither I nor any of the people reviewing the
>> > changes noticed. I take that as a sign that nobody is really interested
>> > in maintaining SWAT, and I think it is becoming a larger liability over
>> > time. Considering how large of an attack surface a web app is offering,
>> > we should not have one of them in our core release.
>> > There might be the need for a web-based samba configuration tool, but I
>> > don't think SWAT is fulfilling that need well enough.
>> The main thing I've seen folks really want from SWAT is the connection
>> between the smb.conf parameter and the help section. We may well be
>> able to solve that simply with a testparm option that prints the manpage
>> section after each parameter.
>> I'll also note that this is the second time removing it has been
>> proposed (I did so in Feb), and there were no violent objections last
>> time, just the above desire that SWAT's sections and manpage link made
>> the smb.conf more accessible. Perhaps make 'SWAT GTK rewrite' a SoC
>> project and see if we get any takers?
>> Andrew Bartlett
> For what it's worth, my opinion as a user of samba for about 15 years is
> that SWAT has not been very helpful for me for many years. I do
> remember depending on it for the first few months and years that I used
> samba to set up my smb.conf file, and I might not have been able to get
> a working environment without the web interface at that phase in my
> professional development. As much as I like the idea of throwing out
> code that gets more CVEs than it does commits, it would be best to
> ensure that there is an interface for our less skilled users available
> during a deprecation phase that we can recommend loudly instead.
How about the obvious compromise? What if SWAT were dropped and a
library (in a "web language") for parsing the smb.conf was to be
released with each release under the GPL? If someone (third party)
wants to carry the torch for a web interface, let them. Someone out
there wants this itch scratched and Samba wants someone to contribute
some code back. Seems like a win-win to me; Samba can be released
without such a large attack surface, and developers can scratch an
itch and contribute code back.
There's already a parser written, how hard would it be to add bindings
for other languages (PHP, Python, Java)?
I'm sure if I dug around in my svn server I've got a parser or three
written in Java from college or so.
Peace and Blessings,