r23994: Finish my work to ensure that non-root and non-administrator users

cannot vampire, provision or upgrade a Samba4 server via SWAT.

(The previous commit was an accident, and not complete).

This should get Samba4 closer to being 'secure' for an alpha release.

Andrew Bartlett
(This used to be commit 3b6695de36bcea8a76001c9a5585eac871646450)

4 files changed, 193 insertions, 166 deletions

diff --git a/webapps/install/index.esp b/webapps/install/index.esp
index 5a73b7751f..73b7ea24d5 100644
--- a/webapps/install/index.esp
+++ b/webapps/install/index.esp
@@ -1,20 +1,40 @@
 <% page_header("columns", "Server Installation", "install"); 
+
+if (session.authinfo.user_class == "ADMINISTRATOR"
+	 || session.authinfo.user_class == "SYSTEM") {
+
 %>
 
 <h1>Installation</h1>
 
-Welcome to Samba4 installation. Before proceeding, you will need to
-know:
+<p>Welcome to Samba4 installation. Before proceeding, you will need to
+know: </p>
 
 <ul>
 <li>The domain name you will use
 <li>The realm name you will use
 </ul>
 
-After you have decided on those, choose the 'Provisioning' menu item
-on the left, and fill in the form.<p>
+<p>After you have decided on those, choose the 'Provisioning' menu item
+on the left, and fill in the form.</p>
+
+<p><b>Warning!</b> When you provision, your existing user database is
+wiped and replaced with a new one.</p>
+
+<% 
+
+} else {
+
+%>
+
+<h1>Installation</h1>
+
+<p>To install Samba4, you must have logged in as <b>root</b>, or administrator of the previously configured domain. </p>
+
+<p><b>Warning!</b> When you provision, your existing user database is
+wiped and replaced with a new one. </p>
 
-<b>Warning!</b> When you provision, your existing user database is
-wiped and replaced with a new one.
+<% 
 
-<% page_footer(); %>
+}
+page_footer(); %>
diff --git a/webapps/install/samba3.esp b/webapps/install/samba3.esp
index 31857c01e9..c6fc9f1418 100644
--- a/webapps/install/samba3.esp
+++ b/webapps/install/samba3.esp
@@ -15,91 +15,97 @@
 <h1>Import from Samba3</h1>
 
 <%
-if (form['submit'] == "Cancel") {
-	redirect("/");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+    || session.authinfo.user_class == "SYSTEM") {
 
-function confirm_form()
-{
-	var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
-
-	var subobj = upgrade_provision(samba3);
-	var f = FormObj("Import from Samba3", 0, 2);
-	subobj.ADMINPASS = "";
-
-	f.add("REALM", "Realm");
-	f.add("DOMAIN", "Domain Name");
-	f.add("HOSTNAME", "Hostname");
-	f.add("ADMINPASS", "Administrator Password", "password");
-	f.add("CONFIRM", "Confirm Password", "password");
-	f.add("DOMAINSID", "Domain SID");
-	f.add("HOSTGUID", "Host GUID");
-	f.add("HOSTIP", "Host IP");
-	f.add("DEFAULTSITE", "Default Site");
-
-	for (i=0;i<f.element.length;i++) {
-		f.element[i].value = subobj[f.element[i].name];
+	if (form['submit'] == "Cancel") {
+		redirect("/");
 	}
 
-	f.add("SMBCONF", "", "hidden", form['SMBCONF']);
-	f.add("LIBDIR", "", "hidden", form['LIBDIR']);
+	function confirm_form()
+	{
+		var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
+
+		var subobj = upgrade_provision(samba3);
+		var f = FormObj("Import from Samba3", 0, 2);
+		subobj.ADMINPASS = "";
+
+		f.add("REALM", "Realm");
+		f.add("DOMAIN", "Domain Name");
+		f.add("HOSTNAME", "Hostname");
+		f.add("ADMINPASS", "Administrator Password", "password");
+		f.add("CONFIRM", "Confirm Password", "password");
+		f.add("DOMAINSID", "Domain SID");
+		f.add("HOSTGUID", "Host GUID");
+		f.add("HOSTIP", "Host IP");
+		f.add("DEFAULTSITE", "Default Site");
+
+		for (i=0;i<f.element.length;i++) {
+			f.element[i].value = subobj[f.element[i].name];
+		}
 
-	f.submit[0] = "Continue";
-	f.submit[1] = "Cancel";
-	f.display();	
-}
+		f.add("SMBCONF", "", "hidden", form['SMBCONF']);
+		f.add("LIBDIR", "", "hidden", form['LIBDIR']);
 
-if (form['submit'] == "Import") {
-	confirm_form();
-} else if (form['submit'] == "Continue") {
-	var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
-	assert(samba3 != undefined);
-	var subobj = upgrade_provision(samba3);
-	for (r in form) {
-		subobj[r] = form[r];
+		f.submit[0] = "Continue";
+		f.submit[1] = "Cancel";
+		f.display();	
 	}
 
-	var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
-
-	if (!goodpass) {
-		write("<h3>Passwords don't match.  Please try again.</h3>");
-		confirm_form();
-	} else if (subobj.ADMINPASS == "") {
-		write("<h3>You must choose an administrator password.  Please try again.</h3>");
+	if (form['submit'] == "Import") {
 		confirm_form();
-	} else {
-		var paths = provision_default_paths(subobj);
-		if (!provision(subobj, writefln, true, paths, 
-			       session.authinfo.session_info, session.authinfo.credentials)) {
-			writefln("Provision failed!");
-		} else { 
-			var ret = upgrade(subobj,samba3,message,paths,
-					  session.authinfo.session_info, session.authinfo.credentials);
-			if (ret > 0) {
-				writefln("Failed to import %d entries\n", ret);
-			} else {
-				if (!provision_dns(subobj, writefln, paths,
-						   session.authinfo.session_info, session.authinfo.credentials)) {
-					writefln("DNS Provision failed!");
+	} else if (form['submit'] == "Continue") {
+		var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
+		assert(samba3 != undefined);
+		var subobj = upgrade_provision(samba3);
+		for (r in form) {
+			subobj[r] = form[r];
+		}
+
+		var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+
+		if (!goodpass) {
+			write("<h3>Passwords don't match.  Please try again.</h3>");
+			confirm_form();
+		} else if (subobj.ADMINPASS == "") {
+			write("<h3>You must choose an administrator password.  Please try again.</h3>");
+			confirm_form();
+		} else {
+			var paths = provision_default_paths(subobj);
+			if (!provision(subobj, writefln, true, paths, 
+				       session.authinfo.session_info, session.authinfo.credentials)) {
+				writefln("Provision failed!");
+			} else { 
+				var ret = upgrade(subobj,samba3,message,paths,
+						  session.authinfo.session_info, session.authinfo.credentials);
+				if (ret > 0) {
+					writefln("Failed to import %d entries\n", ret);
 				} else {
-					writefln("Reloading smb.conf\n");
-					var lp = loadparm_init();
-					lp.reload();
-					writefln("Upgrade Complete!");
+					if (!provision_dns(subobj, writefln, paths,
+							   session.authinfo.session_info, session.authinfo.credentials)) {
+						writefln("DNS Provision failed!");
+					} else {
+						writefln("Reloading smb.conf\n");
+						var lp = loadparm_init();
+						lp.reload();
+						writefln("Upgrade Complete!");
+					}
 				}
 			}
 		}
-	}
-} else {
-	var f = FormObj("Import from Samba3", 0, 2);
+	} else {
+		var f = FormObj("Import from Samba3", 0, 2);
 
-	f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf");
-	f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba");
-	f.submit[0] = "Import";
-	f.submit[1] = "Cancel";
+		f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf");
+		f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba");
+		f.submit[0] = "Import";
+		f.submit[1] = "Cancel";
 
-	write('<p>Warning: This will erase your current configuration!</p>');
-	f.display();
+		write('<p>Warning: This will erase your current configuration!</p>');
+		f.display();
+	}
+} else {
+	redirect("/");
 }
 %>
 
diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp
index 6860b3ac5b..e0c895404c 100644
--- a/webapps/install/vampire.esp
+++ b/webapps/install/vampire.esp
@@ -14,111 +14,111 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
 
-if (session.authinfo.user_class != "ADMINISTRATOR"
-	 && session.authinfo.user_class != "SYSTEM") {
-	redirect("/");
-}
-
-if (lp.get("realm") == "") {
-	lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+	 || session.authinfo.user_class == "SYSTEM") {
 
+	if (lp.get("realm") == "") {
+		lp.set("realm", lp.get("workgroup") + ".example.com");
+	}
 
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
 
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("ADMIN", "Administrator Username");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("HOSTNAME", "My Hostname");
-f.add("HOSTIP", "My Host's IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Migrate";
-f.submit[1] = "Cancel";
+	var subobj = provision_guess();
+	/* Don't supply default password for web interface */
+	subobj.ADMINPASS = "";
 
-if (form['submit'] == "Cancel") {
-	redirect("/");
-}
+	f.add("REALM", "DNS Domain Name");
+	f.add("DOMAIN", "NetBIOS Domain Name");
+	f.add("ADMIN", "Administrator Username");
+	f.add("ADMINPASS", "Administrator Password", "password");
+	f.add("HOSTNAME", "My Hostname");
+	f.add("HOSTIP", "My Host's IP");
+	f.add("DEFAULTSITE", "Default Site");
+	f.submit[0] = "Migrate";
+	f.submit[1] = "Cancel";
 
-if (form['submit'] == "Migrate") {
-	for (r in form) {
-		subobj[r] = form[r];
+	if (form['submit'] == "Cancel") {
+		redirect("/");
 	}
-}
-
-for (i=0;i<f.element.length;i++) {
-	f.element[i].value = subobj[f.element[i].name];
-}
 
-if (form['submit'] == "Migrate") {
-	lp.set("realm", subobj.REALM);
-	if (subobj.ADMINPASS == "") {
-		write("<h3>We need the administrator password for the " + subobj.DOMAIN + " domain to proceed.  Please try again.</h3>");
-		f.display();
-	} else if (!provision_validate(subobj, writefln)) {
-		f.display();
-	} else if (strupper(lp.get("server role")) == "domain controller") {
-		writefln("You need to set 'server role' to 'member server' before starting the migration process");
-	} else {
-		var creds = credentials_init();
-		var samdb;
-		creds.set_username(form.ADMIN);
-		creds.set_password(form.ADMINPASS);
-		creds.set_domain(form.DOMAIN);
-		creds.set_realm(form.REALM);
-
-		var info = new Object();
-		var paths = provision_default_paths(subobj);
-		var session_info = session.authinfo.session_info;
-		var credentials = session.authinfo.credentials;
-
-		info.credentials = credentials;
-		info.session_info = session_info;
-		info.message = writefln;
-		info.subobj = subobj;
-
-		/* Setup a basic database structure, but don't setup any users */
-		if (!provision(subobj, writefln, true, paths,
-			       session_info, credentials, false)) {
-			writefln("Provision failed!");
-
-		/* Join domain */
-		} else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) {
-			writefln("Domain Join failed!");
+	if (form['submit'] == "Migrate") {
+		for (r in form) {
+			subobj[r] = form[r];
+		}
+	}
+	
+	for (i=0;i<f.element.length;i++) {
+		f.element[i].value = subobj[f.element[i].name];
+	}
+	
+	if (form['submit'] == "Migrate") {
+		lp.set("realm", subobj.REALM);
+		if (subobj.ADMINPASS == "") {
+			write("<h3>We need the administrator password for the " + subobj.DOMAIN + " domain to proceed.  Please try again.</h3>");
+			f.display();
+		} else if (!provision_validate(subobj, writefln)) {
+			f.display();
+		} else if (strupper(lp.get("server role")) == "domain controller") {
+			writefln("You need to set 'server role' to 'member server' before starting the migration process");
+		} else {
+			var creds = credentials_init();
+			var samdb;
+			creds.set_username(form.ADMIN);
+			creds.set_password(form.ADMINPASS);
+			creds.set_domain(form.DOMAIN);
+			creds.set_realm(form.REALM);
+
+			var info = new Object();
+			var paths = provision_default_paths(subobj);
+			var session_info = session.authinfo.session_info;
+			var credentials = session.authinfo.credentials;
+
+			info.credentials = credentials;
+			info.session_info = session_info;
+			info.message = writefln;
+			info.subobj = subobj;
+
+			/* Setup a basic database structure, but don't setup any users */
+			if (!provision(subobj, writefln, true, paths,
+				       session_info, credentials, false)) {
+				writefln("Provision failed!");
+
+				/* Join domain */
+			} else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) {
+				writefln("Domain Join failed!");
 			
-                /* Vampire */
-		} else if (!vampire(form.DOMAIN, session.authinfo.session_info, 
+				/* Vampire */
+			} else if (!vampire(form.DOMAIN, session.authinfo.session_info, 
 					    session.authinfo.credentials, writefln)) {
-			writefln("Failed to syncronsise remote domain into local database!");
-		} else if (!provision_dns(subobj, writefln, paths,
-					  session.authinfo.session_info, session.authinfo.credentials)) {
-			writefln("DNS Provision failed!");
-		} else if (!(samdb = open_ldb(info, paths.samdb, false))) {
-			writefln("Opening " + paths.samdb + " failed!");
-			info.samdb = samdb;
-		} else if (!setup_name_mappings(info, samdb)) {
-			writefln("Setup of name mappings failed!");			
-		} else {
-			var zonepath = paths.dns;
-			%>
+				writefln("Failed to syncronsise remote domain into local database!");
+			} else if (!provision_dns(subobj, writefln, paths,
+						  session.authinfo.session_info, session.authinfo.credentials)) {
+				writefln("DNS Provision failed!");
+			} else if (!(samdb = open_ldb(info, paths.samdb, false))) {
+				writefln("Opening " + paths.samdb + " failed!");
+				info.samdb = samdb;
+			} else if (!setup_name_mappings(info, samdb)) {
+				writefln("Setup of name mappings failed!");			
+			} else {
+				var zonepath = paths.dns;
+				%>
 <h3>Database migrated!</h3>
-
 You need to do the following to complete the process:
-
 <ul>
-<li>Install the <b>@@zonepath</b> zone file into your bind install, and restart bind
-<li>Change your smb.conf to set "server role = domain controller"
-<li>Shutdown your existing PDC and any other DCs
-<li>Restart smbd
+	<li>Install the <b>@@zonepath</b> zone file into your bind install, and restart bind
+	<li>Change your smb.conf to set "server role = domain controller"
+	<li>Shutdown your existing PDC and any other DCs
+	<li>Restart smbd
 </ul>
-			<%
+<%
+			}
 		}
+	} else {
+		f.display();
 	}
 } else {
-	f.display();
+	redirect("/");
 }
+
 %>
 
 
diff --git a/webapps/login.esp b/webapps/login.esp
index 8d6c049d02..9e9f6f9903 100644
--- a/webapps/login.esp
+++ b/webapps/login.esp
@@ -39,6 +39,7 @@ f.display();
 			session.authinfo.domain = auth.domain;
 			session.authinfo.credentials = creds;
 			session.authinfo.session_info = auth.session_info;
+			session.authinfo.user_class = auth.user_class;
 			
 			/* if the user was asking for the login page, then now
 			   redirect them to the main page. Otherwise just