summaryrefslogtreecommitdiffstats
path: root/swat/README
blob: 2810e4e086a80bab92ad6ca88fd651a9abc3d9ac (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
This is a brief description of how to install and use the Samba Web
Administration Tool on your machine.

Please note that SWAT is still being developed so you should not
expect it to be bug free. You should only install and use it if you
want to either get a preview of what we are doing with SWAT or you
want to help in the development of SWAT.

Installation
------------

After you compile SWAT you need to run "make install" to install the
swat binary and the various help files and images. A default install
would put these in:

/usr/local/samba/bin/swat
/usr/local/samba/swat/images/*
/usr/local/samba/swat/help/*

Running via inetd
-----------------

You then need to edit your /etc/inetd.conf and /etc/services to enable
SWAT to be launched via inetd. Note that SWAT can also be launched via
the cgi-bin mechanisms of a web server (such as apache) and that is
described below.

In /etc/services you need to add a line like this:

swat            901/tcp

the choice of port number isn't really important except that it should
be less than 1024 and not currently used (using a number above 1024
presents an obscure security hole depending on the implementation
details of your inetd daemon).

In /etc/inetd.conf you should add a line like this:

swat    stream  tcp     nowait.400  root    /usr/local/samba/bin/swat swat

If you just want to see a demo of how swat works and don't want to be
able to actually change any Samba config via swat then you may chose
to change "root" to some other user that does not have permission to
write to smb.conf.

One you have edited /etc/services and /etc/inetd.conf you need to send
a HUP signal to inetd. On many systems "killall -1 inetd" will do this
on others you will need to use "kill -1 PID" where PID is the process
ID of the inetd daemon.


Running via cgi-bin
-------------------

To run SWAT via your web servers cgi-bin capability you need to copy
the swat binary to your cgi-bin directory. Note that you should run
SWAT either via inetd or via cgi-bin but not both.

Then you need to create a swat directory in your web servers root
directory and copy the images/* and help/* files into there so that
they are visible via the URL http://your.web.server/swat/

Next you need to make sure you modify your web servers authentication
to require a username/pssword for the URL
http://your.web.server/cgi-bin/swat. Don't forgt this step! If you do
forget it then you will be allowing anyone to edit your Samba
configuration which would allow them to easily gain root access on your
machine.

After testing the authentication you need to change the ownership and
permissions on the swat binary. It should be owned by root wth the
setuid bit set. It should be ONLY executable by the user that the web
server runs as. Make sure you do this carefully!

for example, the following would be correct if the web server ran as
group "nobody".

-rws--x---    1 root     nobody    

You must also realise that this means that any user who can run
programs as the "nobody" group can run swat and modify your Samba
config. Be sure to think about this!


Launching
---------

To launch SWAT just run your favourite web browser and point it at
http://localhost:901/ or http://localhost/cgi-bin/swat/ depending on
how you installed it.

Note that you can attach to SWAT from any IP connected machine but
connecting from a remote machine leaves your connection open to
password sniffing as passwords will be sent in the clear over the
wire.

If installed via inetd then you should be prompted for a
username/password when you connect. You will need to provide the
username "root" and the correct root password. More sophisticated
authentication options are planned for future versions of SWAT.

If installed via cgi-bin then you should receive whatever
authentication request you configured in your web server.

Running
-------

Just follow your nose! If you can't work out how to use it then maybe
you should use "vi smb.conf" instead.


WARNINGS
--------

SWAT will rewrite your smb.conf file. It will rearrange the entries
and delete all comments, include= and copy= options. If you have a
carefully crafted smb.conf then back it up or don't use SWAT!


Development
-----------

Please join the samba-technical mailing list if you want to discuss
the development of SWAT. Note that this list is for technical developer
discussions and is not a general help list.