r23966: It isn't great, but at least now we have some access control in SWAT

This patch prevents non-root and non-administrator users from running
the provision, upgrade and vampire pages.  *I think* the rest of SWAT
is LDB operations, or otherwise authenticated, so we should now be
secure.

I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha.

Andrew Bartlett

source/dsdb/samdb/samdb_privilege.c

@@ -80,6 +80,11 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
 	NTSTATUS status;
 
 	/* Shortcuts to prevent recursion and avoid lookups */
+	if (token->user_sid == NULL) {
+		token->privilege_mask = 0;
+		return NT_STATUS_OK;
+	}
+
 	if (security_token_is_system(token)) {
 		token->privilege_mask = ~0;
 		return NT_STATUS_OK;

source/scripting/ejs/smbcalls_auth.c

@@ -27,6 +27,7 @@
 #include "scripting/ejs/smbcalls.h"
 #include "lib/events/events.h"
 #include "lib/messaging/irpc.h"
+#include "libcli/security/security.h"
 
 static int ejs_doauth(MprVarHandle eid,
 		      TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username, 
@@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid,
 	struct auth_context *auth_context;
 	struct MprVar *session_info_obj;
 	NTSTATUS nt_status;
+	bool set;
 
 	struct smbcalls_context *c;
 	struct event_context *ev;
@@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid,
 		goto done;
 	}
 
+	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("USER"));
+		set = true;
+	}
+	
+	if (security_token_has_builtin_administrators(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
+		set = true;
+	}
+
+	if (security_token_is_system(session_info->security_token)) {
+		mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
+		set = true;
+	}
+
+	if (security_token_is_anonymous(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
+		mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+		goto done;
+	}
+
+	if (!set) {
+		mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+		mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+	}
+	
 	session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
 
 	mprSetPtrChild(session_info_obj, "session_info", session_info);
@@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid,
 	mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
 	mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
 
+	if (security_token_is_system(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
+	}
+
+	if (security_token_is_anonymous(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
+	}
+
+	if (security_token_has_builtin_administrators(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
+	}
+
+	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+		mprSetPropertyValue(auth, "report", mprString("USER"));
+	}
+
+
 done:
 	return 0;
 }

webapps/install/provision.esp

@@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
 
-if (lp.get("realm") == "") {
-	lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+	 || session.authinfo.user_class == "SYSTEM") {
 
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+	if (lp.get("realm") == "") {
+		lp.set("realm", lp.get("workgroup") + ".example.com");
+	}
 
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("HOSTNAME", "Hostname");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("CONFIRM", "Confirm Password", "password");
-f.add("DOMAINSID", "Domain SID");
-f.add("HOSTIP", "Host IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Provision";
-f.submit[1] = "Cancel";
+	var subobj = provision_guess();
+	/* Don't supply default password for web interface */
+	subobj.ADMINPASS = "";
 
-if (form['submit'] == "Cancel") {
+	f.add("REALM", "DNS Domain Name");
+	f.add("DOMAIN", "NetBIOS Domain Name");
+	f.add("HOSTNAME", "Hostname");
+	f.add("ADMINPASS", "Administrator Password", "password");
+	f.add("CONFIRM", "Confirm Password", "password");
+	f.add("DOMAINSID", "Domain SID");
+	f.add("HOSTIP", "Host IP");
+	f.add("DEFAULTSITE", "Default Site");
+	f.submit[0] = "Provision";
+	f.submit[1] = "Cancel";
+
+	if (form['submit'] == "Cancel") {
+		redirect("/");
+	}
+
+	if (form['submit'] == "Provision") {
+		for (r in form) {
+			subobj[r] = form[r];
+		}
+	}
+
+	for (i=0;i<f.element.length;i++) {
+		f.element[i].value = subobj[f.element[i].name];
+	}
+
+	if (form['submit'] == "Provision") {
+	
+        	/* overcome an initially blank smb.conf */
+		lp.set("realm", subobj.REALM);
+		lp.set("workgroup", subobj.DOMAIN);
+		lp.reload();
+		var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+
+		if (!goodpass) {
+			write("<h3>Passwords don't match.  Please try again.</h3>");
+			f.display();
+		} else if (subobj.ADMINPASS == "") {
+			write("<h3>You must choose an administrator password.  Please try again.</h3>");
+			f.display();
+		} else if (!provision_validate(subobj, writefln)) {
+			f.display();
+		} else {
+			var paths = provision_default_paths(subobj);
+			if (!provision(subobj, writefln, false, paths, 
+				       session.authinfo.session_info, session.authinfo.credentials, false)) {
+				writefln("Provision failed!");
+			} else if (!provision_dns(subobj, writefln, paths,
+						  session.authinfo.session_info, session.authinfo.credentials)) {
+				writefln("DNS Provision failed!");
+			} else {
+				writefln("Provision Complete!");
+			}
+		}
+	} else {
+		f.display();
+	}
+} else {
 	redirect("/");
 }
 
-if (form['submit'] == "Provision") {
-	for (r in form) {
-		subobj[r] = form[r];
-	}
-}
-
-for (i=0;i<f.element.length;i++) {
-	f.element[i].value = subobj[f.element[i].name];
-}
-
-if (form['submit'] == "Provision") {
-
-        /* overcome an initially blank smb.conf */
-	lp.set("realm", subobj.REALM);
-	lp.set("workgroup", subobj.DOMAIN);
-	lp.reload();
-	var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
-
-	if (!goodpass) {
-		write("<h3>Passwords don't match.  Please try again.</h3>");
-		f.display();
-	} else if (subobj.ADMINPASS == "") {
-		write("<h3>You must choose an administrator password.  Please try again.</h3>");
-		f.display();
-	} else if (!provision_validate(subobj, writefln)) {
-		f.display();
-	} else {
-		var paths = provision_default_paths(subobj);
-		if (!provision(subobj, writefln, false, paths, 
-			       session.authinfo.session_info, session.authinfo.credentials, false)) {
-			writefln("Provision failed!");
-		} else if (!provision_dns(subobj, writefln, paths,
-					  session.authinfo.session_info, session.authinfo.credentials)) {
-			writefln("DNS Provision failed!");
-		} else {
-			writefln("Provision Complete!");
-		}
-	}
-} else {
-	f.display();
-}
 %>
 
 

webapps/install/vampire.esp

@@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
 
+if (session.authinfo.user_class != "ADMINISTRATOR"
+	 && session.authinfo.user_class != "SYSTEM") {
+	redirect("/");
+}
+
 if (lp.get("realm") == "") {
 	lp.set("realm", lp.get("workgroup") + ".example.com");
 }