From 3a1b90ec755d89d9d7a358c0f477e51b217218ea Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 19 Jul 2007 07:48:26 +0000 Subject: r23966: It isn't great, but at least now we have some access control in SWAT This patch prevents non-root and non-administrator users from running the provision, upgrade and vampire pages. *I think* the rest of SWAT is LDB operations, or otherwise authenticated, so we should now be secure. I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha. Andrew Bartlett (This used to be commit d61061052dc4711f886199e49bc303002c8f9b11)
---
 source4/dsdb/samdb/samdb_privilege.c | 5 ++
 source4/scripting/ejs/smbcalls_auth.c | 45 ++++++++++++++
 webapps/install/provision.esp | 107 ++++++++++++++++++----------------
 webapps/install/vampire.esp | 5 ++
 4 files changed, 112 insertions(+), 50 deletions(-)
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 16d34938c6..2313385604 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -80,6 +80,11 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
 NTSTATUS status;
 /* Shortcuts to prevent recursion and avoid lookups */
+ if (token->user_sid == NULL) {
+ token->privilege_mask = 0;
+ return NT_STATUS_OK;
+ }
+
 if (security_token_is_system(token)) {
 token->privilege_mask = ~0;
 return NT_STATUS_OK;
diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c
index 94a74e8e2a..33d7f2cf0e 100644
--- a/source4/scripting/ejs/smbcalls_auth.c
+++ b/source4/scripting/ejs/smbcalls_auth.c
@@ -27,6 +27,7 @@
 #include "scripting/ejs/smbcalls.h"
 #include "lib/events/events.h"
 #include "lib/messaging/irpc.h"
+#include "libcli/security/security.h"
 static int ejs_doauth(MprVarHandle eid,
 TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
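Review bot: The `token->user_sid == NULL` branch added to samdb_privilege_setup() in samdb_privilege.c has no comment saying which tokens arrive without a user SID or why they are given an empty privilege mask together with NT_STATUS_OK. The existing comment above it only speaks of recursion and lookups, so a reader cannot tell that this branch is a fail-closed default, nor whether it has to stay ahead of the SID-based shortcuts that follow (the helpers they call are not visible here). A one-line comment such as `/* No user SID: grant no privileges; keep this ahead of the SID-based shortcuts below */` would record the intent. The function body continues outside the hunk.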
@@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid,
 struct auth_context *auth_context;
 struct MprVar *session_info_obj;
 NTSTATUS nt_status;
+ bool set;
 struct smbcalls_context *c;
 struct event_context *ev;
@@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid,
 goto done;
 }
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("USER"));
+ set = true;
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
+ set = true;
+ }
+
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
+ set = true;
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ goto done;
+ }
+
+ if (!set) {
+ mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ }
+
 session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
 mprSetPtrChild(session_info_obj, "session_info", session_info);
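Review bot: `set` is declared without an initialiser in the `-39,6 +40,7` hunk and is only ever assigned `true`, so the `if (!set)` test added in the `-111,6 +113,32` hunk reads an indeterminate value whenever the token matches none of the three classes. The rejection of an unclassified token is therefore not guaranteed to run; declare it as `bool set = false;`. The `if (!set)` branch also sets `result` to false but, unlike the anonymous branch just above it, has no `goto done;`, so execution continues into the session_info setup, and code outside this hunk may overwrite `result`; adding `goto done;` there makes the rejection final. A short comment that the three `user_class` assignments depend on order, with the last match winning (USER, then ADMINISTRATOR, then SYSTEM), would also protect that precedence from a later reshuffle.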
@@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid,
 mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
 mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
+ }
+
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("USER"));
+ }
+
+
 done:
 return 0;
 }
diff --git a/webapps/install/provision.esp b/webapps/install/provision.esp
index 8caa7391b0..6183722cb4 100644
--- a/webapps/install/provision.esp
+++ b/webapps/install/provision.esp
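Review bot: These four blocks write a class name into `report`, the property the earlier hunk in this function uses for failure text ("Anonymous login not permitted", "Session Info generation failed"). They test in the order SYSTEM, ANONYMOUS, ADMINISTRATOR, USER with the last match winning, so a token that is both an administrator and an authenticated user ends with `report` set to "USER", the reverse of the precedence used for `user_class`. The ANONYMOUS branch also looks unreachable, because the earlier hunk jumps to `done` for anonymous tokens; the code between the two hunks is not visible, so that is inferred. If `report` is not meant to carry the class, drop the block; otherwise add a comment such as `/* authorization decisions read auth.user_class, never auth.report */` so no page starts keying access off the weaker value.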
@@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2); var i; var lp = loadparm_init(); -if (lp.get("realm") == "") { - lp.set("realm", lp.get("workgroup") + ".example.com"); -} +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { -var subobj = provision_guess(); -/* Don't supply default password for web interface */ -subobj.ADMINPASS = ""; + if (lp.get("realm") == "") { + lp.set("realm", lp.get("workgroup") + ".example.com"); + } -f.add("REALM", "DNS Domain Name"); -f.add("DOMAIN", "NetBIOS Domain Name"); -f.add("HOSTNAME", "Hostname"); -f.add("ADMINPASS", "Administrator Password", "password"); -f.add("CONFIRM", "Confirm Password", "password"); -f.add("DOMAINSID", "Domain SID"); -f.add("HOSTIP", "Host IP"); -f.add("DEFAULTSITE", "Default Site"); -f.submit[0] = "Provision"; -f.submit[1] = "Cancel"; + var subobj = provision_guess(); + /* Don't supply default password for web interface */ + subobj.ADMINPASS = ""; -if (form['submit'] == "Cancel") { - redirect("/"); -} + f.add("REALM", "DNS Domain Name"); + f.add("DOMAIN", "NetBIOS Domain Name"); + f.add("HOSTNAME", "Hostname"); + f.add("ADMINPASS", "Administrator Password", "password"); + f.add("CONFIRM", "Confirm Password", "password"); + f.add("DOMAINSID", "Domain SID"); + f.add("HOSTIP", "Host IP"); + f.add("DEFAULTSITE", "Default Site"); + f.submit[0] = "Provision"; + f.submit[1] = "Cancel"; -if (form['submit'] == "Provision") { - for (r in form) { - subobj[r] = form[r]; + if (form['submit'] == "Cancel") { + redirect("/"); } -} -for (i=0;iPasswords don't match. Please try again."); - f.display(); - } else if (subobj.ADMINPASS == "") { - write("

You must choose an administrator password. Please try again.

"); - f.display(); - } else if (!provision_validate(subobj, writefln)) { - f.display(); - } else { - var paths = provision_default_paths(subobj); - if (!provision(subobj, writefln, false, paths, - session.authinfo.session_info, session.authinfo.credentials, false)) { - writefln("Provision failed!"); - } else if (!provision_dns(subobj, writefln, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("DNS Provision failed!"); + if (!goodpass) { + write("

Passwords don't match. Please try again.

"); + f.display(); + } else if (subobj.ADMINPASS == "") { + write("

You must choose an administrator password. Please try again.

"); + f.display(); + } else if (!provision_validate(subobj, writefln)) { + f.display(); } else { - writefln("Provision Complete!"); + var paths = provision_default_paths(subobj); + if (!provision(subobj, writefln, false, paths, + session.authinfo.session_info, session.authinfo.credentials, false)) { + writefln("Provision failed!"); + } else if (!provision_dns(subobj, writefln, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("DNS Provision failed!"); + } else { + writefln("Provision Complete!"); + } } + } else { + f.display(); } } else { - f.display(); + redirect("/"); } + %>
diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp
index 675bac2ec3..6860b3ac5b 100644
--- a/webapps/install/vampire.esp
+++ b/webapps/install/vampire.esp
@@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
+if (session.authinfo.user_class != "ADMINISTRATOR"
+ && session.authinfo.user_class != "SYSTEM") {
+ redirect("/");
+}
+
 if (lp.get("realm") == "") {
 lp.set("realm", lp.get("workgroup") + ".example.com");
 }
-- cgit
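Review bot: The guard added to vampire.esp only calls `redirect("/")` and then falls through to the rest of the page, whereas provision.esp in this same commit wraps the whole page body in the `if` and redirects in the `else`. Unless `redirect()` is guaranteed to stop script execution, which is not visible here, a request from a non-administrator would still run the vampire logic after the redirect is queued. Mirror the provision.esp shape by placing the page body inside `if (session.authinfo.user_class == "ADMINISTRATOR" || session.authinfo.user_class == "SYSTEM") { ... } else { redirect("/"); }`, so the access check does not depend on that behaviour. The commit message also names the upgrade page, but the diffstat lists only provision.esp and vampire.esp, so that page appears to remain ungated by this change. The rest of vampire.esp lies outside the hunk.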