A few swat comments. was:Re: [Samba] Does the SWAT tool come with the Red Hat 8.0 distribution?

John H Terpstra jht at samba.org
Tue Mar 11 08:56:06 GMT 2003 

On Tue, 11 Mar 2003, mark wrote:

> On Tue, 11 Mar 2003 07:06:41 +0000 (GMT)
> John H Terpstra <jht at samba.org> wrote:
>
>
> > I like this suggestion. Could you specify your dream wishes more
> > clearly please.
> >
> > ie: I run SWAT and write the back-up file. Now I run it again and
> > overwrite the backup file again? Where is the gain then? Do I only
> > back it up if it does not exist? Then what about subsequent changes I
> > make? Should it back it up to a file with time and date extensions? If
> > so, homw many backups should I keep?
> >
> > Your suggestion perplexees me. I want some consensus on this before I
> > change anything here.
>
> Consensus?  Dude!  You are a powerful overlord with cvs access!  You
> don't need no stinking consensus!

The biggest challenge of all is to have power and then use it only
sparingly!

> You are right about the difficulty of figuring out how many times to
> back up a smb.conf file.  In the few minutes I've though about it, I
> came up with the idea of having swat itself write a few extra bytes at
> the top of the file along the lines of "#Swat generated".  or
> #0xaed9883344c2a2.  Something to indicate that this file should not be
> backed up.  Really what I would like is if I have a smb.conf file that
> I've hand edited I would like for smb.conf to back that file up.  So if
> a smb.conf file didn't have the above mentioned few bytes it would be
> backed up.

If you provide patches I'll do my best to integrate them. :) Other than
that, I'll take your comments on advice and will do something next time I
make a change.

Anyone else have any suggestions or wishes here?

> Maybe just a warning along the lines of  "about to overwrite your
> smb.conf, would you like to save your original?"

Ok. I'll implement that one.

> Better yet, dump the entire contents of the smb.conf file into
> /var/log/messages every time!  Saved for eternity without the need for
> nasty directories filled with smb.conf.1, smb.conf.tar.gz,
> smb.conf.original, smb.conf.originalthatreallyworks....Or have swat mail
> smb.conf to samba at lists.samba.org so it is archived on the web for when
> someone needs it.  Wait.   Did I just digress into the realms of
> silliness? I've got to get more sleep.

Hmmm. Let we wake up on that first!

> > But by default, it should be blocked by TCP Wrappers from anything
> > except 127.0.0.1. Where is the problem?

Note: This is the default case for Linux systems that use xinetd.

> Does swat itself edit the hosts.allow file when it is installed?  There

No. Xinetd handles that in it's config files.

> are a couple of issues here, my personal failings as a "sysadmin" (in
> quotes because I only do this stuff at home) and a philosophy of
> security.
>
> On my failings, I try not to use inetd on machines I have control over.
>  Which means I didn't really know about hosts.allow.  Like I should
> have.  But I did spend this morning editing my inetd.conf,
> hosts.allow, reading man pages and view the contents of
> /var/log/messages in order to understand what was going on.  Live and
> learn.  So I just plain didn't know that access could be denied that
> way.
>
> On the philosophy of security, I think that using all interfaces makes
> the machine, well, promiscuous.  It just seems like a daemon should do
> as little as needed and should show itself as little as possible until
> instructed otherwise.  As an example, the *mbd daemons have the
> interfaces options in smb.conf.  Why have that option when they can be
> run from inetd and thus covered by tcpwrappers?  I assume because we
> don't necessarily want those services running on certain interfaces.
> Where they might be exploited in the future by some heretofore unkown
> uber-exploit. I just think that swat is in a similar situation.

More input here would be welcome. I do not want to make changes that will
satisfy a minority and aggrevate most users. Personally, I believe that
SWAT should only ever be run locally. If you need to access it remotely,
then use an SSL wrapper.

> ps  How do I make umlauts on an english keyboard.  uber-exploit would
> look so much cooler with the umlauts.

And Santa-Klaus looks so much cooler in a swim-suit! :)

- John T.
-- 
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list