From ae0115d8dbf05c52c631ea915f036a2129cd033e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Jul 2007 02:10:11 +0000 Subject: r23994: Finish my work to ensure that non-root and non-administrator users cannot vampire, provision or upgrade a Samba4 server via SWAT. (The previous commit was an accident, and not complete). This should get Samba4 closer to being 'secure' for an alpha release. Andrew Bartlett (This used to be commit 3b6695de36bcea8a76001c9a5585eac871646450) --- webapps/install/index.esp | 34 +++++++-- webapps/install/samba3.esp | 148 +++++++++++++++++++------------------ webapps/install/vampire.esp | 176 ++++++++++++++++++++++---------------------- webapps/login.esp | 1 + 4 files changed, 193 insertions(+), 166 deletions(-) (limited to 'webapps') diff --git a/webapps/install/index.esp b/webapps/install/index.esp index 5a73b7751f..73b7ea24d5 100644 --- a/webapps/install/index.esp +++ b/webapps/install/index.esp @@ -1,20 +1,40 @@ <% page_header("columns", "Server Installation", "install"); + +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { + %>

Installation

-Welcome to Samba4 installation. Before proceeding, you will need to -know: +

Welcome to Samba4 installation. Before proceeding, you will need to +know:

-After you have decided on those, choose the 'Provisioning' menu item -on the left, and fill in the form.

+

After you have decided on those, choose the 'Provisioning' menu item +on the left, and fill in the form.

+ +

Warning! When you provision, your existing user database is +wiped and replaced with a new one.

+ +<% + +} else { + +%> + +

Installation

+ +

To install Samba4, you must have logged in as root, or administrator of the previously configured domain.

+ +

Warning! When you provision, your existing user database is +wiped and replaced with a new one.

-Warning! When you provision, your existing user database is -wiped and replaced with a new one. +<% -<% page_footer(); %> +} +page_footer(); %> diff --git a/webapps/install/samba3.esp b/webapps/install/samba3.esp index 31857c01e9..c6fc9f1418 100644 --- a/webapps/install/samba3.esp +++ b/webapps/install/samba3.esp @@ -15,91 +15,97 @@

Import from Samba3

<% -if (form['submit'] == "Cancel") { - redirect("/"); -} +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { -function confirm_form() -{ - var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']); - - var subobj = upgrade_provision(samba3); - var f = FormObj("Import from Samba3", 0, 2); - subobj.ADMINPASS = ""; - - f.add("REALM", "Realm"); - f.add("DOMAIN", "Domain Name"); - f.add("HOSTNAME", "Hostname"); - f.add("ADMINPASS", "Administrator Password", "password"); - f.add("CONFIRM", "Confirm Password", "password"); - f.add("DOMAINSID", "Domain SID"); - f.add("HOSTGUID", "Host GUID"); - f.add("HOSTIP", "Host IP"); - f.add("DEFAULTSITE", "Default Site"); - - for (i=0;iPasswords don't match. Please try again."); - confirm_form(); - } else if (subobj.ADMINPASS == "") { - write("

You must choose an administrator password. Please try again.

"); + if (form['submit'] == "Import") { confirm_form(); - } else { - var paths = provision_default_paths(subobj); - if (!provision(subobj, writefln, true, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("Provision failed!"); - } else { - var ret = upgrade(subobj,samba3,message,paths, - session.authinfo.session_info, session.authinfo.credentials); - if (ret > 0) { - writefln("Failed to import %d entries\n", ret); - } else { - if (!provision_dns(subobj, writefln, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("DNS Provision failed!"); + } else if (form['submit'] == "Continue") { + var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']); + assert(samba3 != undefined); + var subobj = upgrade_provision(samba3); + for (r in form) { + subobj[r] = form[r]; + } + + var goodpass = (subobj.CONFIRM == subobj.ADMINPASS); + + if (!goodpass) { + write("

Passwords don't match. Please try again.

"); + confirm_form(); + } else if (subobj.ADMINPASS == "") { + write("

You must choose an administrator password. Please try again.

"); + confirm_form(); + } else { + var paths = provision_default_paths(subobj); + if (!provision(subobj, writefln, true, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("Provision failed!"); + } else { + var ret = upgrade(subobj,samba3,message,paths, + session.authinfo.session_info, session.authinfo.credentials); + if (ret > 0) { + writefln("Failed to import %d entries\n", ret); } else { - writefln("Reloading smb.conf\n"); - var lp = loadparm_init(); - lp.reload(); - writefln("Upgrade Complete!"); + if (!provision_dns(subobj, writefln, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("DNS Provision failed!"); + } else { + writefln("Reloading smb.conf\n"); + var lp = loadparm_init(); + lp.reload(); + writefln("Upgrade Complete!"); + } } } } - } -} else { - var f = FormObj("Import from Samba3", 0, 2); + } else { + var f = FormObj("Import from Samba3", 0, 2); - f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf"); - f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba"); - f.submit[0] = "Import"; - f.submit[1] = "Cancel"; + f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf"); + f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba"); + f.submit[0] = "Import"; + f.submit[1] = "Cancel"; - write('

Warning: This will erase your current configuration!

'); - f.display(); + write('

Warning: This will erase your current configuration!

'); + f.display(); + } +} else { + redirect("/"); } %> diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp index 6860b3ac5b..e0c895404c 100644 --- a/webapps/install/vampire.esp +++ b/webapps/install/vampire.esp @@ -14,111 +14,111 @@ var f = FormObj("Provisioning", 0, 2); var i; var lp = loadparm_init(); -if (session.authinfo.user_class != "ADMINISTRATOR" - && session.authinfo.user_class != "SYSTEM") { - redirect("/"); -} - -if (lp.get("realm") == "") { - lp.set("realm", lp.get("workgroup") + ".example.com"); -} +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { + if (lp.get("realm") == "") { + lp.set("realm", lp.get("workgroup") + ".example.com"); + } -var subobj = provision_guess(); -/* Don't supply default password for web interface */ -subobj.ADMINPASS = ""; -f.add("REALM", "DNS Domain Name"); -f.add("DOMAIN", "NetBIOS Domain Name"); -f.add("ADMIN", "Administrator Username"); -f.add("ADMINPASS", "Administrator Password", "password"); -f.add("HOSTNAME", "My Hostname"); -f.add("HOSTIP", "My Host's IP"); -f.add("DEFAULTSITE", "Default Site"); -f.submit[0] = "Migrate"; -f.submit[1] = "Cancel"; + var subobj = provision_guess(); + /* Don't supply default password for web interface */ + subobj.ADMINPASS = ""; -if (form['submit'] == "Cancel") { - redirect("/"); -} + f.add("REALM", "DNS Domain Name"); + f.add("DOMAIN", "NetBIOS Domain Name"); + f.add("ADMIN", "Administrator Username"); + f.add("ADMINPASS", "Administrator Password", "password"); + f.add("HOSTNAME", "My Hostname"); + f.add("HOSTIP", "My Host's IP"); + f.add("DEFAULTSITE", "Default Site"); + f.submit[0] = "Migrate"; + f.submit[1] = "Cancel"; -if (form['submit'] == "Migrate") { - for (r in form) { - subobj[r] = form[r]; + if (form['submit'] == "Cancel") { + redirect("/"); } -} - -for (i=0;iWe need the administrator password for the " + subobj.DOMAIN + " domain to proceed. Please try again."); - f.display(); - } else if (!provision_validate(subobj, writefln)) { - f.display(); - } else if (strupper(lp.get("server role")) == "domain controller") { - writefln("You need to set 'server role' to 'member server' before starting the migration process"); - } else { - var creds = credentials_init(); - var samdb; - creds.set_username(form.ADMIN); - creds.set_password(form.ADMINPASS); - creds.set_domain(form.DOMAIN); - creds.set_realm(form.REALM); - - var info = new Object(); - var paths = provision_default_paths(subobj); - var session_info = session.authinfo.session_info; - var credentials = session.authinfo.credentials; - - info.credentials = credentials; - info.session_info = session_info; - info.message = writefln; - info.subobj = subobj; - - /* Setup a basic database structure, but don't setup any users */ - if (!provision(subobj, writefln, true, paths, - session_info, credentials, false)) { - writefln("Provision failed!"); - - /* Join domain */ - } else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) { - writefln("Domain Join failed!"); + if (form['submit'] == "Migrate") { + for (r in form) { + subobj[r] = form[r]; + } + } + + for (i=0;iWe need the administrator password for the " + subobj.DOMAIN + " domain to proceed. Please try again."); + f.display(); + } else if (!provision_validate(subobj, writefln)) { + f.display(); + } else if (strupper(lp.get("server role")) == "domain controller") { + writefln("You need to set 'server role' to 'member server' before starting the migration process"); + } else { + var creds = credentials_init(); + var samdb; + creds.set_username(form.ADMIN); + creds.set_password(form.ADMINPASS); + creds.set_domain(form.DOMAIN); + creds.set_realm(form.REALM); + + var info = new Object(); + var paths = provision_default_paths(subobj); + var session_info = session.authinfo.session_info; + var credentials = session.authinfo.credentials; + + info.credentials = credentials; + info.session_info = session_info; + info.message = writefln; + info.subobj = subobj; + + /* Setup a basic database structure, but don't setup any users */ + if (!provision(subobj, writefln, true, paths, + session_info, credentials, false)) { + writefln("Provision failed!"); + + /* Join domain */ + } else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) { + writefln("Domain Join failed!"); - /* Vampire */ - } else if (!vampire(form.DOMAIN, session.authinfo.session_info, + /* Vampire */ + } else if (!vampire(form.DOMAIN, session.authinfo.session_info, session.authinfo.credentials, writefln)) { - writefln("Failed to syncronsise remote domain into local database!"); - } else if (!provision_dns(subobj, writefln, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("DNS Provision failed!"); - } else if (!(samdb = open_ldb(info, paths.samdb, false))) { - writefln("Opening " + paths.samdb + " failed!"); - info.samdb = samdb; - } else if (!setup_name_mappings(info, samdb)) { - writefln("Setup of name mappings failed!"); - } else { - var zonepath = paths.dns; - %> + writefln("Failed to syncronsise remote domain into local database!"); + } else if (!provision_dns(subobj, writefln, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("DNS Provision failed!"); + } else if (!(samdb = open_ldb(info, paths.samdb, false))) { + writefln("Opening " + paths.samdb + " failed!"); + info.samdb = samdb; + } else if (!setup_name_mappings(info, samdb)) { + writefln("Setup of name mappings failed!"); + } else { + var zonepath = paths.dns; + %>

Database migrated!

- You need to do the following to complete the process: -
    -
  • Install the @@zonepath zone file into your bind install, and restart bind -
  • Change your smb.conf to set "server role = domain controller" -
  • Shutdown your existing PDC and any other DCs -
  • Restart smbd +
  • Install the @@zonepath zone file into your bind install, and restart bind +
  • Change your smb.conf to set "server role = domain controller" +
  • Shutdown your existing PDC and any other DCs +
  • Restart smbd
- <% +<% + } } + } else { + f.display(); } } else { - f.display(); + redirect("/"); } + %> diff --git a/webapps/login.esp b/webapps/login.esp index 8d6c049d02..9e9f6f9903 100644 --- a/webapps/login.esp +++ b/webapps/login.esp @@ -39,6 +39,7 @@ f.display(); session.authinfo.domain = auth.domain; session.authinfo.credentials = creds; session.authinfo.session_info = auth.session_info; + session.authinfo.user_class = auth.user_class; /* if the user was asking for the login page, then now redirect them to the main page. Otherwise just -- cgit