mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
127 lines
4.3 KiB
Plaintext
127 lines
4.3 KiB
Plaintext
This is a brief description of how to install and use the Samba Web
|
|
Administration Tool on your machine.
|
|
|
|
Please note that SWAT is still being developed so you should not
|
|
expect it to be bug free. You should only install and use it if you
|
|
want to either get a preview of what we are doing with SWAT or you
|
|
want to help in the development of SWAT.
|
|
|
|
Installation
|
|
------------
|
|
|
|
After you compile SWAT you need to run "make install" to install the
|
|
swat binary and the various help files and images. A default install
|
|
would put these in:
|
|
|
|
/usr/local/samba/bin/swat
|
|
/usr/local/samba/swat/images/*
|
|
/usr/local/samba/swat/help/*
|
|
|
|
Running via inetd
|
|
-----------------
|
|
|
|
You then need to edit your /etc/inetd.conf and /etc/services to enable
|
|
SWAT to be launched via inetd. Note that SWAT can also be launched via
|
|
the cgi-bin mechanisms of a web server (such as apache) and that is
|
|
described below.
|
|
|
|
In /etc/services you need to add a line like this:
|
|
|
|
swat 901/tcp
|
|
|
|
the choice of port number isn't really important except that it should
|
|
be less than 1024 and not currently used (using a number above 1024
|
|
presents an obscure security hole depending on the implementation
|
|
details of your inetd daemon).
|
|
|
|
In /etc/inetd.conf you should add a line like this:
|
|
|
|
swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat
|
|
|
|
If you just want to see a demo of how swat works and don't want to be
|
|
able to actually change any Samba config via swat then you may chose
|
|
to change "root" to some other user that does not have permission to
|
|
write to smb.conf.
|
|
|
|
One you have edited /etc/services and /etc/inetd.conf you need to send
|
|
a HUP signal to inetd. On many systems "killall -1 inetd" will do this
|
|
on others you will need to use "kill -1 PID" where PID is the process
|
|
ID of the inetd daemon.
|
|
|
|
|
|
Running via cgi-bin
|
|
-------------------
|
|
|
|
To run SWAT via your web servers cgi-bin capability you need to copy
|
|
the swat binary to your cgi-bin directory. Note that you should run
|
|
SWAT either via inetd or via cgi-bin but not both.
|
|
|
|
Then you need to create a swat directory in your web servers root
|
|
directory and copy the images/* and help/* files into there so that
|
|
they are visible via the URL http://your.web.server/swat/
|
|
|
|
Next you need to make sure you modify your web servers authentication
|
|
to require a username/pssword for the URL
|
|
http://your.web.server/cgi-bin/swat. Don't forgt this step! If you do
|
|
forget it then you will be allowing anyone to edit your Samba
|
|
configuration which would allow them to easily gain root access on your
|
|
machine.
|
|
|
|
After testing the authentication you need to change the ownership and
|
|
permissions on the swat binary. It should be owned by root wth the
|
|
setuid bit set. It should be ONLY executable by the user that the web
|
|
server runs as. Make sure you do this carefully!
|
|
|
|
for example, the following would be correct if the web server ran as
|
|
group "nobody".
|
|
|
|
-rws--x--- 1 root nobody
|
|
|
|
You must also realise that this means that any user who can run
|
|
programs as the "nobody" group can run swat and modify your Samba
|
|
config. Be sure to think about this!
|
|
|
|
|
|
Launching
|
|
---------
|
|
|
|
To launch SWAT just run your favourite web browser and point it at
|
|
http://localhost:901/ or http://localhost/cgi-bin/swat/ depending on
|
|
how you installed it.
|
|
|
|
Note that you can attach to SWAT from any IP connected machine but
|
|
connecting from a remote machine leaves your connection open to
|
|
password sniffing as passwords will be sent in the clear over the
|
|
wire.
|
|
|
|
If installed via inetd then you should be prompted for a
|
|
username/password when you connect. You will need to provide the
|
|
username "root" and the correct root password. More sophisticated
|
|
authentication options are planned for future versions of SWAT.
|
|
|
|
If installed via cgi-bin then you should receive whatever
|
|
authentication request you configured in your web server.
|
|
|
|
Running
|
|
-------
|
|
|
|
Just follow your nose! If you can't work out how to use it then maybe
|
|
you should use "vi smb.conf" instead.
|
|
|
|
|
|
WARNINGS
|
|
--------
|
|
|
|
SWAT will rewrite your smb.conf file. It will rearrange the entries
|
|
and delete all comments, include= and copy= options. If you have a
|
|
carefully crafted smb.conf then back it up or don't use SWAT!
|
|
|
|
|
|
Development
|
|
-----------
|
|
|
|
Please join the samba-technical mailing list if you want to discuss
|
|
the development of SWAT. Note that this list is for technical developer
|
|
discussions and is not a general help list.
|
|
|