authorAndrew Bartlett <abartlet@samba.org>2007-07-19 07:48:26 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:01:13 -0500
commit3a1b90ec755d89d9d7a358c0f477e51b217218ea (patch)
treedfc3c9e1d42ef68d30bfd67a1b6dda11fa9953b7
parentbb681188407055a7ea77cdaa76600dac37ae3096 (diff)
downloadsamba-3a1b90ec755d89d9d7a358c0f477e51b217218ea.tar.gz
samba-3a1b90ec755d89d9d7a358c0f477e51b217218ea.tar.bz2
samba-3a1b90ec755d89d9d7a358c0f477e51b217218ea.zip
r23966: It isn't great, but at least now we have some access control in SWAT
This patch prevents non-root and non-administrator users from running the provision, upgrade and vampire pages. *I think* the rest of SWAT is LDB operations, or otherwise authenticated, so we should now be secure. I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha. Andrew Bartlett (This used to be commit d61061052dc4711f886199e49bc303002c8f9b11)
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c5
-rw-r--r--source4/scripting/ejs/smbcalls_auth.c45
-rw-r--r--webapps/install/provision.esp107
-rw-r--r--webapps/install/vampire.esp5
4 files changed, 112 insertions, 50 deletions
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 16d34938c6..2313385604 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -80,6 +80,11 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
+ if (token->user_sid == NULL) {
+ token->privilege_mask = 0;
+ return NT_STATUS_OK;
+ }
+
if (security_token_is_system(token)) {
token->privilege_mask = ~0;
return NT_STATUS_OK;
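Review bot: The new NULL `user_sid` branch sits under the existing comment "Shortcuts to prevent recursion and avoid lookups", but it is a fail-closed default for an incomplete token, not a shortcut, and should carry its own comment such as `/* A token without a user SID gets an empty privilege mask */`. Because it returns NT_STATUS_OK, a caller cannot tell an incomplete token from a user who simply holds no privileges; if that distinction matters to any caller, it is worth stating in the function's header comment. samdb_privilege_setup continues outside this hunk.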
diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c
index 94a74e8e2a..33d7f2cf0e 100644
--- a/source4/scripting/ejs/smbcalls_auth.c
+++ b/source4/scripting/ejs/smbcalls_auth.c
@@ -27,6 +27,7 @@
#include "scripting/ejs/smbcalls.h"
#include "lib/events/events.h"
#include "lib/messaging/irpc.h"
+#include "libcli/security/security.h"
static int ejs_doauth(MprVarHandle eid,
TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
@@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid,
struct auth_context *auth_context;
struct MprVar *session_info_obj;
NTSTATUS nt_status;
+ bool set;
struct smbcalls_context *c;
struct event_context *ev;
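Review bot: `bool set;` is declared without an initialiser, yet the `if (!set)` test added further down in ejs_doauth reads it on exactly the path where none of the three class checks assigned it. That is a read of an indeterminate value, so the "Session Info generation failed" branch may not run when it is needed, and a token that matched no class could pass through. Declare it as `bool set = false;`. ejs_doauth starts and ends outside this hunk.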
@@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid,
goto done;
}
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("USER"));
+ set = true;
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
+ set = true;
+ }
+
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
+ set = true;
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ goto done;
+ }
+
+ if (!set) {
+ mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ }
+
session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
mprSetPtrChild(session_info_obj, "session_info", session_info);
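Review bot: The `if (!set)` branch sets `result` to False but, unlike the anonymous branch just above it, has no `goto done;`, so execution continues into the session_info setup and any later assignment to `result` outside this hunk could overwrite the failure. Add `goto done;` as the last statement of that branch. The three class checks also run before the anonymous check, so `user_class` may already be set on `auth` when an anonymous login is rejected; testing for anonymous first would avoid leaving a class on a rejected object. The function body continues outside the hunk.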
@@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid,
mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
+ }
+
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("USER"));
+ }
+
+
done:
return 0;
}
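Review bot: These four checks write a class name into `report`, the same property the earlier hunk uses for error text, and they run in a different order from the `user_class` block. The authenticated-users test comes last, so an administrator's `report` would end up as "USER", assuming administrator tokens also carry the authenticated-users SID. The anonymous branch looks unreachable, because the earlier anonymous check already jumps to `done`. If the value is meant for display it could be taken from what was stored in `user_class`; otherwise the block can be dropped.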
diff --git a/webapps/install/provision.esp b/webapps/install/provision.esp
index 8caa7391b0..6183722cb4 100644
--- a/webapps/install/provision.esp
+++ b/webapps/install/provision.esp
@@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2);
var i;
var lp = loadparm_init();
-if (lp.get("realm") == "") {
- lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+ if (lp.get("realm") == "") {
+ lp.set("realm", lp.get("workgroup") + ".example.com");
+ }
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("HOSTNAME", "Hostname");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("CONFIRM", "Confirm Password", "password");
-f.add("DOMAINSID", "Domain SID");
-f.add("HOSTIP", "Host IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Provision";
-f.submit[1] = "Cancel";
+ var subobj = provision_guess();
+ /* Don't supply default password for web interface */
+ subobj.ADMINPASS = "";
-if (form['submit'] == "Cancel") {
- redirect("/");
-}
+ f.add("REALM", "DNS Domain Name");
+ f.add("DOMAIN", "NetBIOS Domain Name");
+ f.add("HOSTNAME", "Hostname");
+ f.add("ADMINPASS", "Administrator Password", "password");
+ f.add("CONFIRM", "Confirm Password", "password");
+ f.add("DOMAINSID", "Domain SID");
+ f.add("HOSTIP", "Host IP");
+ f.add("DEFAULTSITE", "Default Site");
+ f.submit[0] = "Provision";
+ f.submit[1] = "Cancel";
-if (form['submit'] == "Provision") {
- for (r in form) {
- subobj[r] = form[r];
+ if (form['submit'] == "Cancel") {
+ redirect("/");
}
-}
-for (i=0;i<f.element.length;i++) {
- f.element[i].value = subobj[f.element[i].name];
-}
+ if (form['submit'] == "Provision") {
+ for (r in form) {
+ subobj[r] = form[r];
+ }
+ }
-if (form['submit'] == "Provision") {
+ for (i=0;i<f.element.length;i++) {
+ f.element[i].value = subobj[f.element[i].name];
+ }
- /* overcome an initially blank smb.conf */
- lp.set("realm", subobj.REALM);
- lp.set("workgroup", subobj.DOMAIN);
- lp.reload();
- var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+ if (form['submit'] == "Provision") {
+
+ /* overcome an initially blank smb.conf */
+ lp.set("realm", subobj.REALM);
+ lp.set("workgroup", subobj.DOMAIN);
+ lp.reload();
+ var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
- if (!goodpass) {
- write("<h3>Passwords don't match. Please try again.</h3>");
- f.display();
- } else if (subobj.ADMINPASS == "") {
- write("<h3>You must choose an administrator password. Please try again.</h3>");
- f.display();
- } else if (!provision_validate(subobj, writefln)) {
- f.display();
- } else {
- var paths = provision_default_paths(subobj);
- if (!provision(subobj, writefln, false, paths,
- session.authinfo.session_info, session.authinfo.credentials, false)) {
- writefln("Provision failed!");
- } else if (!provision_dns(subobj, writefln, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("DNS Provision failed!");
+ if (!goodpass) {
+ write("<h3>Passwords don't match. Please try again.</h3>");
+ f.display();
+ } else if (subobj.ADMINPASS == "") {
+ write("<h3>You must choose an administrator password. Please try again.</h3>");
+ f.display();
+ } else if (!provision_validate(subobj, writefln)) {
+ f.display();
} else {
- writefln("Provision Complete!");
+ var paths = provision_default_paths(subobj);
+ if (!provision(subobj, writefln, false, paths,
+ session.authinfo.session_info, session.authinfo.credentials, false)) {
+ writefln("Provision failed!");
+ } else if (!provision_dns(subobj, writefln, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("DNS Provision failed!");
+ } else {
+ writefln("Provision Complete!");
+ }
}
+ } else {
+ f.display();
}
} else {
- f.display();
+ redirect("/");
}
+
%>
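Review bot: The commit description says the upgrade page is protected too, but the diffstat lists only provision.esp and vampire.esp, so unless that page is guarded elsewhere it may still be reachable by any authenticated user. The class test here (`user_class == "ADMINISTRATOR" || user_class == "SYSTEM"`) is also repeated in inverted form in vampire.esp; a shared helper in a common include would keep the two copies from drifting apart. A non-privileged user is sent to "/" with no message, so a short comment on the final `else`, for example `/* access denied: not ADMINISTRATOR or SYSTEM */`, would help the next reader.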
diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp
index 675bac2ec3..6860b3ac5b 100644
--- a/webapps/install/vampire.esp
+++ b/webapps/install/vampire.esp
@@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2);
var i;
var lp = loadparm_init();
+if (session.authinfo.user_class != "ADMINISTRATOR"
+ && session.authinfo.user_class != "SYSTEM") {
+ redirect("/");
+}
+
if (lp.get("realm") == "") {
lp.set("realm", lp.get("workgroup") + ".example.com");
}
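Review bot: This guard only protects the page if `redirect("/")` stops the script, because the rest of vampire.esp is not inside the condition. The hunk does not show whether redirect() halts execution; if it returns, the page body still runs for a non-administrator. provision.esp in the same commit wraps its whole body in the positive test instead, which does not depend on that behaviour, and using the same shape here would make the check robust. The page continues outside the hunk.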