-rw-r--r-- | docs/yodldocs/swat.8.yo | 88 |
1 files changed, 15 insertions, 73 deletions
diff --git a/docs/yodldocs/swat.8.yo b/docs/yodldocs/swat.8.yo index 5d226adcd5..81719f5ccd 100644 --- a/docs/yodldocs/swat.8.yo +++ b/docs/yodldocs/swat.8.yo @@ -21,8 +21,7 @@ addition, a swat configuration page has help links to all the configurable options in the url(bf(smb.conf))(smb.conf.5.html) file allowing an administrator to easily look up the effects of any change. -bf(swat) can be run as a stand-alone daemon, from bf(inetd), -or invoked via CGI from a Web server. +bf(swat) is run from bf(inetd) label(OPTIONS) manpageoptions() @@ -43,14 +42,11 @@ of all the services that the server is to provide. See url(smb.conf label(minusa) dit(bf(-a)) -This option is only used if bf(swat) is running as it's own mini-web -server (see the link(bf(INSTALLATION))(INSTALLATION) section below). +This option disables authentication and puts bf(swat) in demo mode. In +that mode anyone will be able to modify the +url(bf(smb.conf))(smb.conf.5.html) file. -This option removes the need for authentication needed to modify the -url(bf(smb.conf))(smb.conf.5.html) file. em(**THIS IS ONLY MEANT FOR -DEMOING SWAT AND MUST NOT BE SET IN NORMAL SYSTEMS**) as it would -allow em(*ANYONE*) to modify the url(bf(smb.conf))(smb.conf.5.html) -file, thus giving them root access. +Do NOT enable this option on a production server. endit() @@ -67,14 +63,11 @@ verb( /usr/local/samba/swat/help/* ) -label(RUNNINGVIAINETD) -manpagesection(RUNNING VIA INETD) +label(INETD) +manpagesection(INETD INSTALLATION) You need to edit your tt(/etc/inetd.conf) and tt(/etc/services) to -enable bf(SWAT) to be launched via inetd. Note that bf(swat) can also -be launched via the cgi-bin mechanisms of a web server (such as -apache) and that is described below in the section link(bf(RUNNING VIA -CGI-BIN))(RUNNINGVIACGIBIN). +enable bf(SWAT) to be launched via inetd. In tt(/etc/services) you need to add a line like this: 
@@ -92,83 +85,32 @@ In tt(/etc/inetd.conf) you should add a line like this: tt(swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat) -If you just want to see a demo of how swat works and don't want to be -able to actually change any Samba config via swat then you may chose -to change tt("root") to some other user that does not have permission -to write to url(bf(smb.conf))(smb.conf.5.html). - One you have edited tt(/etc/services) and tt(/etc/inetd.conf) you need to send a HUP signal to inetd. To do this use tt("kill -1 PID") where PID is the process ID of the inetd daemon. -label(RUNNINGVIACGIBIN) -manpagesection(RUNNING VIA CGI-BIN) - -To run bf(swat) via your web servers cgi-bin capability you need to -copy the bf(swat) binary to your cgi-bin directory. Note that you -should run bf(swat) either via link(bf(inetd))(RUNNINGVIAINETD) or via -cgi-bin but not both. - -Then you need to create a tt(swat/) directory in your web servers root -directory and copy the tt(images/*) and tt(help/*) files found in the -tt(swat/) directory of your Samba source distribution into there so -that they are visible via the URL tt(http://your.web.server/swat/) - -Next you need to make sure you modify your web servers authentication -to require a username/pssword for the URL -tt(http://your.web.server/cgi-bin/swat). em(**Don't forget this -step!**) If you do forget it then you will be allowing anyone to edit -your Samba configuration which would allow them to easily gain root -access on your machine. - -After testing the authentication you need to change the ownership and -permissions on the bf(swat) binary. It should be owned by root with the -setuid bit set. It should be ONLY executable by the user that the web -server runs as. Make sure you do this carefully! - -for example, the following would be correct if the web server ran as -group tt("nobody"). 
- -tt(-rws--x--- 1 root nobody ) - -You must also realize that this means that any user who can run -programs as the tt("nobody") group can run bf(swat) and modify your -Samba config. Be sure to think about this! - label(LAUNCHING) manpagesection(LAUNCHING) To launch bf(swat) just run your favorite web browser and point it at -tt(http://localhost:901/) or tt(http://localhost/cgi-bin/swat/) -depending on how you installed it. +tt(http://localhost:901/). -Note that you can attach to bf(swat) from any IP connected machine but +bf(Note that you can attach to bf(swat) from any IP connected machine but connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent in the clear over the -wire. - -If installed via bf(inetd) then you should be prompted for a -username/password when you connect. You will need to provide the -username tt("root") and the correct root password. More sophisticated -authentication options are planned for future versions of bf(swat). - -If installed via cgi-bin then you should receive whatever -authentication request you configured in your web server. +wire.) manpagefiles() bf(/etc/inetd.conf) -If the server is to be run by the inetd meta-daemon, this file must -contain suitable startup information for the meta-daemon. See the -section link(bf(RUNNING VIA INETD))(RUNNINGVIAINETD) above. +This file must contain suitable startup information for the +meta-daemon. bf(/etc/services) -If running the server via the meta-daemon inetd, this file must -contain a mapping of service name (e.g., swat) to service port -(e.g., 901) and protocol type (e.g., tcp). See the section -link(bf(RUNNING VIA INETD))(RUNNINGVIAINETD) above. +This file must contain a mapping of service name (e.g., swat) to +service port (e.g., 901) and protocol type (e.g., tcp). bf(/usr/local/samba/lib/smb.conf) |
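Review bot: In the @@ -21,8 +21,7 @@ hunk the replacement sentence "bf(swat) is run from bf(inetd)" has no terminating period, unlike the sentence it replaces. Add one so the paragraph ends cleanly before label(OPTIONS).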
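Review bot: In the @@ -43,14 +42,11 @@ hunk the rewritten bf(-a) text drops the consequence the old wording spelled out, that letting anyone modify smb.conf gives them root access. "Do NOT enable this option on a production server." now reads as advice without a reason. Suggest keeping the clause, for example ending the first paragraph with "... file, thus giving them root access."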
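Review bot: In the @@ -92,83 +85,32 @@ hunk the LAUNCHING section loses the only description of how authentication works under inetd (the username/password prompt and the need to supply "root" and the root password), while the retained note still warns that passwords are sent in the clear. Suggest keeping those two sentences with the "If installed via bf(inetd) then" condition dropped. The removed paragraph after the inetd.conf line was also the only guidance for demoing swat without write access to smb.conf (changing "root" to another user); with it gone, the only demo route the page documents is bf(-a), which disables authentication while the inetd.conf example still runs swat as root. Separately, "bf(Note that you can attach to bf(swat) ..." nests bf() inside bf(); check that it renders as intended or drop the inner bf().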