[RFC] Discontinuing SWAT

Andrew Bartlett abartlet at samba.org
Fri Apr 26 00:38:28 MDT 2013


On Fri, 2013-04-26 at 08:04 +0200, Jelmer Vernooij wrote:
> On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:
> > I think it's time to put SWAT out of its misery. In the past few years,
> > the only commits ever touching it were either API housekeeping or fixing
> > remote root exploit security issues.
> > 
> > The last time we had to do the latter, I accidentally broke password
> > changes for users, and neither me nor any of the people reviewing the
> > changes noticed. I take that as a sign that nobody is really interested
> > in maintaining SWAT, and I think it is becoming a larger liability over
> > time. Considering how large of an attack surface a web app is offering,
> > we should not have one of them in our core release.
> > 
> > There might be the need for a web-based samba configuration tool, but I
> > don't think SWAT is fulfilling that need well enough.
> +1
> 
> Despite the concern that's been expressed about the status of SWAT a couple of
> times over the last couple of years, nothing has really happened. It's 
> better to remove it than to let it simmer in its current unusable state.
> 
> If we want to have a web interface, then I suspect it would be easier to build
> something new from the grounds up than to update the current SWAT anyway.

Exactly.  I did the same as Kai, and wanted to be all consultative about
this, but thinking over this again, we need to just notify:  There is no
active maintainer of the SWAT code, and regular security issues as
folks put the blowtorch of modern web security to 15 or more year old
web code.  Therefore, we have no option but to drop it.

Dropping it will also simplify the authentication code, which tried to
serve the dual interests of both SWAT and SMB authentication.

The reason this needs to be 'notification' not 'consultation' is that I
don't see that even if there was a great cry that 'we need SWAT', that
we have any different, practical options anyway.  We have tried hobbling
on, and it has just caused more trouble. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
