author | Andrew Bartlett <abartlet@samba.org> | 2007-07-19 07:48:26 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 15:01:13 -0500 |
commit | 3a1b90ec755d89d9d7a358c0f477e51b217218ea (patch) | |
tree | dfc3c9e1d42ef68d30bfd67a1b6dda11fa9953b7 /webapps/install | |
parent | bb681188407055a7ea77cdaa76600dac37ae3096 (diff) | |
r23966: It isn't great, but at least now we have some access control in SWAT
This patch prevents non-root and non-administrator users from running
the provision, upgrade and vampire pages. *I think* the rest of SWAT
is LDB operations, or otherwise authenticated, so we should now be
secure.
I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha.
Andrew Bartlett
(This used to be commit d61061052dc4711f886199e49bc303002c8f9b11)
Diffstat (limited to 'webapps/install')
-rw-r--r-- | webapps/install/provision.esp | 107 | ||||
-rw-r--r-- | webapps/install/vampire.esp | 5 |
2 files changed, 62 insertions, 50 deletions
diff --git a/webapps/install/provision.esp b/webapps/install/provision.esp
index 8caa7391b0..6183722cb4 100644
--- a/webapps/install/provision.esp
+++ b/webapps/install/provision.esp
@@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
-if (lp.get("realm") == "") {
- lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+ if (lp.get("realm") == "") {
+ lp.set("realm", lp.get("workgroup") + ".example.com");
+ }
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("HOSTNAME", "Hostname");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("CONFIRM", "Confirm Password", "password");
-f.add("DOMAINSID", "Domain SID");
-f.add("HOSTIP", "Host IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Provision";
-f.submit[1] = "Cancel";
+ var subobj = provision_guess();
+ /* Don't supply default password for web interface */
+ subobj.ADMINPASS = "";
-if (form['submit'] == "Cancel") {
- redirect("/");
-}
+ f.add("REALM", "DNS Domain Name");
+ f.add("DOMAIN", "NetBIOS Domain Name");
+ f.add("HOSTNAME", "Hostname");
+ f.add("ADMINPASS", "Administrator Password", "password");
+ f.add("CONFIRM", "Confirm Password", "password");
+ f.add("DOMAINSID", "Domain SID");
+ f.add("HOSTIP", "Host IP");
+ f.add("DEFAULTSITE", "Default Site");
+ f.submit[0] = "Provision";
+ f.submit[1] = "Cancel";
-if (form['submit'] == "Provision") {
- for (r in form) {
- subobj[r] = form[r];
+ if (form['submit'] == "Cancel") {
+ redirect("/");
 }
-}
-for (i=0;i<f.element.length;i++) {
- f.element[i].value = subobj[f.element[i].name];
-}
+ if (form['submit'] == "Provision") {
+ for (r in form) {
+ subobj[r] = form[r];
+ }
+ }
-if (form['submit'] == "Provision") {
+ for (i=0;i<f.element.length;i++) {
+ f.element[i].value = subobj[f.element[i].name];
+ }
- /* overcome an initially blank smb.conf */
- lp.set("realm", subobj.REALM);
- lp.set("workgroup", subobj.DOMAIN);
- lp.reload();
- var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+ if (form['submit'] == "Provision") {
+
+ /* overcome an initially blank smb.conf */
+ lp.set("realm", subobj.REALM);
+ lp.set("workgroup", subobj.DOMAIN);
+ lp.reload();
+ var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
- if (!goodpass) {
- write("<h3>Passwords don't match. Please try again.</h3>");
- f.display();
- } else if (subobj.ADMINPASS == "") {
- write("<h3>You must choose an administrator password. Please try again.</h3>");
- f.display();
- } else if (!provision_validate(subobj, writefln)) {
- f.display();
- } else {
- var paths = provision_default_paths(subobj);
- if (!provision(subobj, writefln, false, paths,
- session.authinfo.session_info, session.authinfo.credentials, false)) {
- writefln("Provision failed!");
- } else if (!provision_dns(subobj, writefln, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("DNS Provision failed!");
+ if (!goodpass) {
+ write("<h3>Passwords don't match. Please try again.</h3>");
+ f.display();
+ } else if (subobj.ADMINPASS == "") {
+ write("<h3>You must choose an administrator password. Please try again.</h3>");
+ f.display();
+ } else if (!provision_validate(subobj, writefln)) {
+ f.display();
 } else {
- writefln("Provision Complete!");
+ var paths = provision_default_paths(subobj);
+ if (!provision(subobj, writefln, false, paths,
+ session.authinfo.session_info, session.authinfo.credentials, false)) {
+ writefln("Provision failed!");
+ } else if (!provision_dns(subobj, writefln, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("DNS Provision failed!");
+ } else {
+ writefln("Provision Complete!");
+ }
 }
+ } else {
+ f.display();
 }
 } else {
- f.display();
+ redirect("/");
 }
+
 %>
diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp
index 675bac2ec3..6860b3ac5b 100644
--- a/webapps/install/vampire.esp
+++ b/webapps/install/vampire.esp
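Review bot: The allow-list at the top of the hunk (`user_class` equal to "ADMINISTRATOR" or "SYSTEM") is the entire access-control decision for this page, yet it is written inline and its negated twin appears in the vampire.esp hunk, so the two can drift; a single shared predicate in the page library (constructed name: `is_admin_session()`) called from both files would keep the rule in one place, including for the upgrade page the commit message mentions. The `else { redirect("/"); }` that handles the unauthorized case sits some sixty lines below the condition, so a comment on the `if` such as `/* only ADMINISTRATOR or SYSTEM sessions may provision; anyone else is sent to the index page by the else branch at the bottom */` would let a reader see the structure without scrolling. Because the test is a positive match on an exact string, a missing or unexpected `user_class` lands in the redirect branch, which is the safe fail-closed default and is worth stating in that comment. Wrapping the whole body is also what makes this page's check independent of whether `redirect()` returns, unlike the early guard used in vampire.esp.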
@@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
+if (session.authinfo.user_class != "ADMINISTRATOR"
+ && session.authinfo.user_class != "SYSTEM") {
+ redirect("/");
+}
+
 if (lp.get("realm") == "") {
 lp.set("realm", lp.get("workgroup") + ".example.com");
 } |
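Review bot: The new guard depends on `redirect("/")` ending the request: if `redirect()` only sets the Location header and returns, the rest of vampire.esp, everything after this hunk, still runs for a session whose `user_class` is neither ADMINISTRATOR nor SYSTEM, and nothing in this diff shows which behaviour `redirect()` has. provision.esp in the same commit sidesteps the question by wrapping its whole body in the positive `user_class` test with the redirect in the `else`; using the same shape here (or an explicit stop after the redirect, if the ESP runtime offers one) makes the check fail-closed either way. Until then a comment on the guard, `/* access control: assumes redirect() does not return; otherwise the page body below runs for unauthorized users */`, records the dependency. The script block this guard sits in continues past the end of the hunk.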