SWAT and authentication

Shawn Barnhart swb at grasslake.net
Tue Jun 27 03:33:53 GMT 2000


What's the deal with SWAT authentication?  I have a FreeBSD 4-Stable box
running SWAT from the Samba 2.0.7 port and I can log into SWAT as a
regular user (i.e., not root but has a smbpasswd entry) and make any
changes I want to the smb.conf file -- which is 0644 root.wheel. I'm
presuming this is because my inetd.conf entry for SWAT has it running as
root as per the example.

Is this how SWAT's _really_ supposed to work?  It's a useful tool, but
I'm terrified of any user with an account being able to mangle the conf
file at will, create shares, etc.  A [swat] section in the smb.cfg file
would be excellent, or even a separate swat.users file.

Is there any way to control which users can and can't make changes to
the server other than packet filtering the SWAT port?  This is kind of
awkward and inconvenient.

If I'm missing something here, please let me know.

--
swb at grasslake.net
Hard work often pays off after time, but laziness always pays off now.




