[Samba] PROPOSAL: Remove SWAT in Samba 4.1
Dale Schroeder
dale at BriannasSaladDressing.com
Tue Feb 19 12:37:11 MST 2013
On 02/17/2013 6:02 PM, Andrew Bartlett wrote:
> As most of you would have noticed, we have now had 3 CVE-nominated
> security issues for SWAT in the past couple of years.
>
> At the same time, while I know many of our users use SWAT, we just don't
> have anybody to maintain it inside the Samba Team. Kai has made a
> valiant effort to at least apply the XSS and CSRF guidelines when folks
> make security reports, but by his own admission he isn't a web developer
> - none of us are!
>
> There are many other parts of Samba that have not been substantially
> maintained in years, but few have the level of security exposure that
> SWAT does (most are bits of library and utility code that we apply
> elsewhere, but which just quietly does it's own job).
>
> The issue isn't that we can't write secure code, but that writing secure
> Web code where we can't trust the authenticated actions of our user's
> browser is a very different modal to writing secure system code.
> Frankly it just isn't our area.
>
> Therefore, it was suggested on a private list that we just drop SWAT. I
> want to start a public discussion on that point, prompted by
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
> why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
> SWAT in the first place.
>
> Thanks,
>
> Andrew Bartlett
I have yet to make the jump to Samba4, so I have not seen the version of
SWAT designed for it.
For me, the primary benefit of SWAT in Samba3 was the ability to use the
help link for any parameter to see what that parameter did, what the
default was, and what its proper syntax was. For reference, I ran "man
smb.conf". Viewing full screen, I pressed the "Page Down" key 34 times
and was still in the 1st third of the alphabetical listing of
parameters. It's no small wonder that I never used "man smb.conf" to
configure Samba. SWAT was my friend.
So, if Samba4 has anywhere near the number of parameters as Samba3, I
would be greatly disappointed to see SWAT go away entirely. An html
version of the samba-doc package that contained all parameters with
links to their definitions/descriptions would be a welcome and suitable
replacement.
Thanks,
Dale
More information about the samba
mailing list