[RFC] Discontinuing SWAT


[RFC] Discontinuing SWAT

Kai Blin-4
Hi folks,

I think it's time to put SWAT out of its misery. In the past few years,
the only commits ever touching it were either API housekeeping or fixing
remote root exploit security issues.

The last time we had to do the latter, I accidentally broke password
changes for users, and neither I nor any of the people reviewing the
changes noticed. I take that as a sign that nobody is really interested
in maintaining SWAT, and I think it is becoming a larger liability over
time. Considering how large of an attack surface a web app is offering,
we should not have one of them in our core release.

There might be the need for a web-based samba configuration tool, but I
don't think SWAT is fulfilling that need well enough.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/



Re: [RFC] Discontinuing SWAT

Andrew Bartlett
On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:

> Hi folks,
>
> I think it's time to put SWAT out of its misery. In the past few years,
> the only commits ever touching it were either API housekeeping or fixing
> remote root exploit security issues.
>
> The last time we had to do the latter, I accidentally broke password
> changes for users, and neither I nor any of the people reviewing the
> changes noticed. I take that as a sign that nobody is really interested
> in maintaining SWAT, and I think it is becoming a larger liability over
> time. Considering how large of an attack surface a web app is offering,
> we should not have one of them in our core release.
>
> There might be the need for a web-based samba configuration tool, but I
> don't think SWAT is fulfilling that need well enough.

The main thing I've seen folks really want from SWAT is the connection
between the smb.conf parameter and the help section.  We may well be
able to solve that simply with a testparm option that prints the manpage
section after each parameter.

I'll also note that this is the second time removing it has been
proposed (I did so in Feb), and there were no violent objections last
time, just the above desire that SWAT's sections and manpage link made
the smb.conf more accessible.  Perhaps make 'SWAT GTK rewrite' a SoC
project and see if we get any takers?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: [RFC] Discontinuing SWAT

C.J. Adams-Collier KF7BMP
On Fri, 2013-04-26 at 08:33 +1000, Andrew Bartlett wrote:

> On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:
> > Hi folks,
> >
> > I think it's time to put SWAT out of its misery. In the past few years,
> > the only commits ever touching it were either API housekeeping or fixing
> > remote root exploit security issues.
> >
> > The last time we had to do the latter, I accidentally broke password
> > changes for users, and neither I nor any of the people reviewing the
> > changes noticed. I take that as a sign that nobody is really interested
> > in maintaining SWAT, and I think it is becoming a larger liability over
> > time. Considering how large of an attack surface a web app is offering,
> > we should not have one of them in our core release.
> >
> > There might be the need for a web-based samba configuration tool, but I
> > don't think SWAT is fulfilling that need well enough.
>
> The main thing I've seen folks really want from SWAT is the connection
> between the smb.conf parameter and the help section.  We may well be
> able to solve that simply with a testparm option that prints the manpage
> section after each parameter.
>
> I'll also note that this is the second time removing it has been
> proposed (I did so in Feb), and there were no violent objections last
> time, just the above desire that SWAT's sections and manpage link made
> the smb.conf more accessible.  Perhaps make 'SWAT GTK rewrite' a SoC
> project and see if we get any takers?
>
> Andrew Bartlett
>
For what it's worth, my opinion as a user of samba for about 15 years is
that SWAT has not been very helpful for me for many years.  I do
remember depending on it for the first few months and years that I used
samba to set up my smb.conf file, and I might not have been able to get
a working environment without the web interface at that phase in my
professional development.  As much as I like the idea of throwing out
code that gets more CVEs than it does commits, it would be best to
ensure that there is an interface for our less skilled users available
during a deprecation phase that we can recommend loudly instead.

C.J.



Re: [RFC] Discontinuing SWAT

Scott Lovenberg
On Thu, Apr 25, 2013 at 7:14 PM, C.J. Adams-Collier KF7BMP
<[hidden email]> wrote:

> On Fri, 2013-04-26 at 08:33 +1000, Andrew Bartlett wrote:
>> On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:
>> > Hi folks,
>> >
>> > I think it's time to put SWAT out of its misery. In the past few years,
>> > the only commits ever touching it were either API housekeeping or fixing
>> > remote root exploit security issues.
>> >
>> > The last time we had to do the latter, I accidentally broke password
>> > changes for users, and neither I nor any of the people reviewing the
>> > changes noticed. I take that as a sign that nobody is really interested
>> > in maintaining SWAT, and I think it is becoming a larger liability over
>> > time. Considering how large of an attack surface a web app is offering,
>> > we should not have one of them in our core release.
>> >
>> > There might be the need for a web-based samba configuration tool, but I
>> > don't think SWAT is fulfilling that need well enough.
>>
>> The main thing I've seen folks really want from SWAT is the connection
>> between the smb.conf parameter and the help section.  We may well be
>> able to solve that simply with a testparm option that prints the manpage
>> section after each parameter.
>>
>> I'll also note that this is the second time removing it has been
>> proposed (I did so in Feb), and there were no violent objections last
>> time, just the above desire that SWAT's sections and manpage link made
>> the smb.conf more accessible.  Perhaps make 'SWAT GTK rewrite' a SoC
>> project and see if we get any takers?
>>
>> Andrew Bartlett
>>
>
> For what it's worth, my opinion as a user of samba for about 15 years is
> that SWAT has not been very helpful for me for many years.  I do
> remember depending on it for the first few months and years that I used
> samba to set up my smb.conf file, and I might not have been able to get
> a working environment without the web interface at that phase in my
> professional development.  As much as I like the idea of throwing out
> code that gets more CVEs than it does commits, it would be best to
> ensure that there is an interface for our less skilled users available
> during a deprecation phase that we can recommend loudly instead.
>
> C.J.
>

How about the obvious compromise?  What if SWAT were dropped and a
library (in a "web language") for parsing the smb.conf was to be
released with each release under the GPL?  If someone (third party)
wants to carry the torch for a web interface, let them.  Someone out
there wants this itch scratched and Samba wants someone to contribute
some code back.  Seems like a win-win to me; Samba can be released
without such a large attack surface, and developers can scratch an
itch and contribute code back.

There's already a parser written, how hard would it be to add bindings
for other languages (PHP, Python, Java)?

I'm sure if I dug around in my svn server I've got a parser or three
written in Java from college or so.

--
Peace and Blessings,
-Scott.
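Scott's suggestion above is a library for parsing smb.conf. As an added example (my own code, not Samba's parser and not code from anyone in this thread), here is a small Python parser for the smb.conf syntax with a defender-side audit on top: it joins backslash continuation lines, folds the parameter-name synonyms documented in smb.conf(5) ("public" for "guest ok"; "writable", "writeable" and "write ok" as the inverse of "read only") onto canonical keys so that the last setting in the file wins, and then flags every share an unauthenticated guest could write to. The sample configuration is constructed, and its share names and paths are placeholders.

```python
"""smb.conf parser plus a guest-writable-share audit (added example, not Samba's code)."""
import re

# Constructed sample configuration for demonstration only.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real deployment
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[printers]
   path = /var/spool/samba
   guest ok = yes
   read only = yes
[upload]
   comment = drop box for scanned \\
             documents
   Public = Yes
   Writeable = yes
"""

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_PARAM_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

# Synonyms per smb.conf(5): "public" means "guest ok"; "writable", "writeable"
# and "write ok" are the inverse of "read only".  Folding them onto one
# canonical key makes the last setting in the file win, as Samba does.
_SYNONYMS = {"public": "guestok"}
_INVERTED = {"writable": "readonly", "writeable": "readonly", "writeok": "readonly"}


def normalise_key(key):
    """Samba ignores case and whitespace in parameter names ("Guest OK" == "guestok")."""
    return re.sub(r"\s+", "", key).lower()


def as_bool(value, default=False):
    """Interpret a Samba boolean; None means the parameter is not set."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def _logical_lines(text):
    """Join lines ending in a backslash (the continuation syntax smb.conf(5) allows)."""
    pending = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        yield (pending + raw.lstrip()) if pending else raw
        pending = ""
    if pending:
        yield pending


def parse_smb_conf(text):
    """Return {section: {canonical_parameter: value}} in file order."""
    sections, current = {}, None
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":      # whole-line comments only
            continue
        m = _SECTION_RE.match(stripped)
        if m:
            current = m.group("name").strip().lower()   # share names are case-insensitive
            sections.setdefault(current, {})
            continue
        m = _PARAM_RE.match(stripped)
        if m is None or current is None:
            raise ValueError(f"bad smb.conf line: {line!r}")
        key, value = normalise_key(m.group("key")), m.group("value").strip()
        if key in _INVERTED:
            key, value = _INVERTED[key], ("no" if as_bool(value) else "yes")
        elif key in _SYNONYMS:
            key = _SYNONYMS[key]
        sections[current][key] = value
    return sections


def audit_guest_writable(sections):
    """Names of shares an unauthenticated (guest) client could write to.

    Both defaults are the safe ones (guest ok = no, read only = yes), so only
    explicit settings produce a finding."""
    return [name for name, p in sections.items() if name != "global"
            and as_bool(p.get("guestok"), default=False)
            and not as_bool(p.get("readonly"), default=True)]


if __name__ == "__main__":
    for share in audit_guest_writable(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] is writable by guests")
```

Run as a script it reports [public] and [upload] for the sample; [printers] is guest-accessible but read only, so it is not flagged. Anything beyond this subset of the grammar (include directives, %-variable substitution, per-host or per-user configuration) is deliberately out of scope; a real tool would ask testparm or the Samba Python bindings mentioned later in this thread rather than reimplement the parser.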

Re: [RFC] Discontinuing SWAT

Jelmer Vernooij
In reply to this post by Andrew Bartlett
On Fri, Apr 26, 2013 at 08:33:47AM +1000, Andrew Bartlett wrote:

> On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:
> > Hi folks,
> >
> > I think it's time to put SWAT out of its misery. In the past few years,
> > the only commits ever touching it were either API housekeeping or fixing
> > remote root exploit security issues.
> >
> > The last time we had to do the latter, I accidentally broke password
> > changes for users, and neither I nor any of the people reviewing the
> > changes noticed. I take that as a sign that nobody is really interested
> > in maintaining SWAT, and I think it is becoming a larger liability over
> > time. Considering how large of an attack surface a web app is offering,
> > we should not have one of them in our core release.
> >
> > There might be the need for a web-based samba configuration tool, but I
> > don't think SWAT is fulfilling that need well enough.
>
> The main thing I've seen folks really want from SWAT is the connection
> between the smb.conf parameter and the help section.  We may well be
> able to solve that simply with a testparm option that prints the manpage
> section after each parameter.
>
> I'll also note that this is the second time removing it has been
> proposed (I did so in Feb), and there were no violent objections last
> time, just the above desire that SWAT's sections and manpage link made
> the smb.conf more accessible.  Perhaps make 'SWAT GTK rewrite' a SoC
> project and see if we get any takers?
What is "SWAT GTK" ?

Cheers,

Jelmer

Re: [RFC] Discontinuing SWAT

Jelmer Vernooij
In reply to this post by Kai Blin-4
On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:

> I think it's time to put SWAT out of its misery. In the past few years,
> the only commits ever touching it were either API housekeeping or fixing
> remote root exploit security issues.
>
> The last time we had to do the latter, I accidentally broke password
> changes for users, and neither I nor any of the people reviewing the
> changes noticed. I take that as a sign that nobody is really interested
> in maintaining SWAT, and I think it is becoming a larger liability over
> time. Considering how large of an attack surface a web app is offering,
> we should not have one of them in our core release.
>
> There might be the need for a web-based samba configuration tool, but I
> don't think SWAT is fulfilling that need well enough.
+1

Despite the concern that's been expressed about the status of SWAT a couple of
times over the last couple of years, nothing has really happened. It's
better to remove it than to let it simmer in its current unusable state.

If we want to have a web interface, then I suspect it would be easier to build
something new from the ground up than to update the current SWAT anyway.

Cheers,

Jelmer

Re: [RFC] Discontinuing SWAT

Andrew Bartlett
In reply to this post by Jelmer Vernooij
On Fri, 2013-04-26 at 08:00 +0200, Jelmer Vernooij wrote:

> On Fri, Apr 26, 2013 at 08:33:47AM +1000, Andrew Bartlett wrote:
> > On Thu, 2013-04-25 at 23:48 +0200, Kai Blin wrote:
> > > Hi folks,
> > >
> > > I think it's time to put SWAT out of its misery. In the past few years,
> > > the only commits ever touching it were either API housekeeping or fixing
> > > remote root exploit security issues.
> > >
> > > The last time we had to do the latter, I accidentally broke password
> > > changes for users, and neither I nor any of the people reviewing the
> > > changes noticed. I take that as a sign that nobody is really interested
> > > in maintaining SWAT, and I think it is becoming a larger liability over
> > > time. Considering how large of an attack surface a web app is offering,
> > > we should not have one of them in our core release.
> > >
> > > There might be the need for a web-based samba configuration tool, but I
> > > don't think SWAT is fulfilling that need well enough.
> >
> > The main thing I've seen folks really want from SWAT is the connection
> > between the smb.conf parameter and the help section.  We may well be
> > able to solve that simply with a testparm option that prints the manpage
> > section after each parameter.
> >
> > I'll also note that this is the second time removing it has been
> > proposed (I did so in Feb), and there were no violent objections last
> > time, just the above desire that SWAT's sections and manpage link made
> > the smb.conf more accessible.  Perhaps make 'SWAT GTK rewrite' a SoC
> > project and see if we get any takers?
> What is "SWAT GTK" ?

I was thinking have SWAT expressed as a GTK app, rather than a web app
where we have to play web security games and do authentication.  It was
just a thought bubble that someone could just have it write GTK forms
rather than HTML forms, or render the current code into some simple
client-side HTML renderer but never involve a real HTTP server.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: [RFC] Discontinuing SWAT

Andrew Bartlett
In reply to this post by Jelmer Vernooij
On Fri, 2013-04-26 at 08:04 +0200, Jelmer Vernooij wrote:

> On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:
> > I think it's time to put SWAT out of its misery. In the past few years,
> > the only commits ever touching it were either API housekeeping or fixing
> > remote root exploit security issues.
> >
> > The last time we had to do the latter, I accidentally broke password
> > changes for users, and neither I nor any of the people reviewing the
> > changes noticed. I take that as a sign that nobody is really interested
> > in maintaining SWAT, and I think it is becoming a larger liability over
> > time. Considering how large of an attack surface a web app is offering,
> > we should not have one of them in our core release.
> >
> > There might be the need for a web-based samba configuration tool, but I
> > don't think SWAT is fulfilling that need well enough.
> +1
>
> Despite the concern that's been expressed about the status of SWAT a couple of
> times over the last couple of years, nothing has really happened. It's
> better to remove it than to let it simmer in its current unusable state.
>
> If we want to have a web interface, then I suspect it would be easier to build
> something new from the ground up than to update the current SWAT anyway.

Exactly.  I did the same as Kai, and wanted to be all consultative about
this, but thinking over this again, we need to just notify:  There is no
active maintainer of the SWAT code, and regular security issues as
folks put the blowtorch of modern web security to 15 or more year old
web code.  Therefore, we have no option but to drop it.

Dropping it will also simplify the authentication code, which tried to
serve the dual interests of both SWAT and SMB authentication.

The reason this needs to be 'notification' not 'consultation' is that I
don't see that even if there was a great cry that 'we need SWAT', that
we have any different, practical options anyway.  We have tried hobbling
on, and it has just caused more trouble.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: [RFC] Discontinuing SWAT

Kai Blin-4
In reply to this post by Scott Lovenberg
On 2013-04-26 04:34, Scott Lovenberg wrote:
> On Thu, Apr 25, 2013 at 7:14 PM, C.J. Adams-Collier KF7BMP
> <[hidden email]> wrote:
...

>> For what it's worth, my opinion as a user of samba for about 15 years is
>> that SWAT has not been very helpful for me for many years.  I do
>> remember depending on it for the first few months and years that I used
>> samba to set up my smb.conf file, and I might not have been able to get
>> a working environment without the web interface at that phase in my
>> professional development.  As much as I like the idea of throwing out
>> code that gets more CVEs than it does commits, it would be best to
>> ensure that there is an interface for our less skilled users available
>> during a deprecation phase that we can recommend loudly instead.
>>
>> C.J.
>>
>
> How about the obvious compromise?  What if SWAT were dropped and a
> library (in a "web language") for parsing the smb.conf was to be
> released with each release under the GPL?  If someone (third party)
> wants to carry the torch for a web interface, let them.  Someone out
> there wants this itch scratched and Samba wants someone to contribute
> some code back.  Seems like a win-win to me; Samba can be released
> without such a large attack surface, and developers can scratch an
> itch and contribute code back.
>
> There's already a parser written, how hard would it be to add bindings
> for other languages (PHP, Python, Java)?

Arguably to make something really useful, you'd need something that can
talk to AD as well. Fiddling with smb.conf is only good for the plain
file server.

In any case, if someone wants to step up and maintain a web interface,
I'm sure we'd be happy to help.

Cheers,
Kai


--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

Re: [RFC] Discontinuing SWAT

denis bonnenfant
On 26/04/2013 15:11, Kai Blin wrote:

> On 2013-04-26 04:34, Scott Lovenberg wrote:
>> How about the obvious compromise?  What if SWAT were dropped and a
>> library (in a "web language") for parsing the smb.conf was to be
>> released with each release under the GPL?  If someone (third party)
>> wants to carry the torch for a web interface, let them.  Someone out
>> there wants this itch scratched and Samba wants someone to contribute
>> some code back.  Seems like a win-win to me; Samba can be released
>> without such a large attack surface, and developers can scratch an
>> itch and contribute code back.
>>
>> There's already a parser written, how hard would it be to add bindings
>> for other languages (PHP, Python, Java)?
>
> Arguably to make something really useful, you'd need something that
> can talk to AD as well. Fiddling with smb.conf is only good for the
> plain file server.
>
Sure, a PHP binding to the samba-tool libs (AD and GPO) would be very
helpful. On the other hand, Python libs are already there, so it may be
an interesting alternative to use a Python web framework (Django...).
> In any case, if someone wants to step up and maintain a web interface,
> I'm sure we'd be happy to help.
>
As an example, we are investigating switching the SambaEdu project
(http://wwdeb.crdp.ac-caen.fr/mediase3/index.php/Accueil) from
samba3/ldap to samba4. The quick and hacky way is to keep on using PHP's
ldap and hack some exec(samba-tool...), but in a long-term view a clean
web API should be much more efficient for this kind of project.

Cheers,

Denis


Re: [RFC] Discontinuing SWAT

Michael Adam-3
In reply to this post by Andrew Bartlett
On 2013-04-26 at 16:38 +1000, Andrew Bartlett wrote:

> On Fri, 2013-04-26 at 08:04 +0200, Jelmer Vernooij wrote:
> > On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:
> > > I think it's time to put SWAT out of its misery. In the past few years,
> > > the only commits ever touching it were either API housekeeping or fixing
> > > remote root exploit security issues.
> > >
> > > The last time we had to do the latter, I accidentally broke password
> > > changes for users, and neither I nor any of the people reviewing the
> > > changes noticed. I take that as a sign that nobody is really interested
> > > in maintaining SWAT, and I think it is becoming a larger liability over
> > > time. Considering how large of an attack surface a web app is offering,
> > > we should not have one of them in our core release.
> > >
> > > There might be the need for a web-based samba configuration tool, but I
> > > don't think SWAT is fulfilling that need well enough.
> > +1
> >
> > Despite the concern that's been expressed about the status of SWAT a couple of
> > times over the last couple of years, nothing has really happened. It's
> > better to remove it than to let it simmer in its current unusable state.
> >
> > If we want to have a web interface, then I suspect it would be easier to build
> > something new from the ground up than to update the current SWAT anyway.
>
> Exactly.  I did the same as Kai, and wanted to be all consultative about
> this, but thinking over this again, we need to just notify:  There is no
> active maintainer of the SWAT code, and regular security issues as
> folks put the blowtorch of modern web security to 15 or more year old
> web code.  Therefore, we have no option but to drop it.
+1

I am strongly in favour of dropping SWAT.
I don't need to add any arguments. :-)

Cheers - Michael



Re: [RFC] Discontinuing SWAT

Jelmer Vernooij
In reply to this post by Kai Blin-4
On Fri, Apr 26, 2013 at 03:11:16PM +0200, Kai Blin wrote:

> On 2013-04-26 04:34, Scott Lovenberg wrote:
> >On Thu, Apr 25, 2013 at 7:14 PM, C.J. Adams-Collier KF7BMP
> ><[hidden email]> wrote:
> ...
>
> >>For what it's worth, my opinion as a user of samba for about 15 years is
> >>that SWAT has not been very helpful for me for many years.  I do
> >>remember depending on it for the first few months and years that I used
> >>samba to set up my smb.conf file, and I might not have been able to get
> >>a working environment without the web interface at that phase in my
> >>professional development.  As much as I like the idea of throwing out
> >>code that gets more CVEs than it does commits, it would be best to
> >>ensure that there is an interface for our less skilled users available
> >>during a deprecation phase that we can recommend loudly instead.
> >>
> >>C.J.
> >>
> >
> >How about the obvious compromise?  What if SWAT were dropped and a
> >library (in a "web language") for parsing the smb.conf was to be
> >released with each release under the GPL?  If someone (third party)
> >wants to carry the torch for a web interface, let them.  Someone out
> >there wants this itch scratched and Samba wants someone to contribute
> >some code back.  Seems like a win-win to me; Samba can be released
> >without such a large attack surface, and developers can scratch an
> >itch and contribute code back.
> >
> >There's already a parser written, how hard would it be to add bindings
> >for other languages (PHP, Python, Java)?
>
> Arguably to make something really useful, you'd need something that
> can talk to AD as well. Fiddling with smb.conf is only good for the
> plain file server.
>
> In any case, if someone wants to step up and maintain a web
> interface, I'm sure we'd be happy to help.
Note that there is also "SWAT2", which was written by a SoC student
in Python and Pyramid on top of the Samba Python bindings.

It seems to be fairly hard to set up, but it might be a good starting
point for somebody who wants to reboot SWAT.

Cheers,

Jelmer

Re: [RFC] Discontinuing SWAT

dhananjay sathe
In reply to this post by Michael Adam-3
+1

As for some suggestions: parsing smb.conf makes little sense. The RPC Python
bindings are there, a load of stuff has been exposed in samba-gtk and
SWAT2 (perhaps build on this and have a common sort of API going for
managing tasks; gtk3 and *your web framework here* could use this common
base (easier to debug and maintain)), and it could be good to go. The
bindings should be the key focus: there are about a *handful* of
additions/bugs that could be fixed and you would have most of the basic
functionality (I would estimate 50-60 % of use cases) required by the
average user exposed.

Cheers!

Final Yr Undergraduate , BITS Pilani, Goa.
Research Assistant , RoboEarth Project
Institute for Dynamic Systems and Control,
ETH Zürich, Switzerland.
[hidden email] |  [hidden email] |
[hidden email]| +41 76-710-2202


On Fri, Apr 26, 2013 at 5:27 PM, Michael Adam <[hidden email]> wrote:

> On 2013-04-26 at 16:38 +1000, Andrew Bartlett wrote:
> > On Fri, 2013-04-26 at 08:04 +0200, Jelmer Vernooij wrote:
> > > On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:
> > > > I think it's time to put SWAT out of its misery. In the past few years,
> > > > the only commits ever touching it were either API housekeeping or fixing
> > > > remote root exploit security issues.
> > > >
> > > > The last time we had to do the latter, I accidentally broke password
> > > > changes for users, and neither I nor any of the people reviewing the
> > > > changes noticed. I take that as a sign that nobody is really interested
> > > > in maintaining SWAT, and I think it is becoming a larger liability over
> > > > time. Considering how large of an attack surface a web app is offering,
> > > > we should not have one of them in our core release.
> > > >
> > > > There might be the need for a web-based samba configuration tool, but I
> > > > don't think SWAT is fulfilling that need well enough.
> > > +1
> > >
> > > Despite the concern that's been expressed about the status of SWAT a couple of
> > > times over the last couple of years, nothing has really happened. It's
> > > better to remove it than to let it simmer in its current unusable state.
> > >
> > > If we want to have a web interface, then I suspect it would be easier to build
> > > something new from the ground up than to update the current SWAT anyway.
> >
> > Exactly.  I did the same as Kai, and wanted to be all consultative about
> > this, but thinking over this again, we need to just notify:  There is no
> > active maintainer of the the SWAT code, and regular security issues as
> > folks put the blowtorch of modern web security to 15 or more year old
> > web code.  Therefore, we have no option but to drop it.
>
> +1
>
> I am strongly in favour of dropping SWAT.
> I don't need to add any arguments. :-)
>
> Cheers - Michael
>
>