S 5.151 Secure configuration of the Samba Web Administration Tool
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The Samba Web Administration Tool (SWAT) is a web-based configuration program that has been an integral component of Samba since version 2.0. Depending on the distribution, SWAT is installed together with the Samba server packages or is offered as an optional package. SWAT is started via an internet daemon (for example inetd or xinetd) and cannot be run as a separate daemon.
When using SWAT, it must be taken into consideration that SWAT completely rewrites the file smb.conf whenever a change is committed. When rewriting the file, all comment lines, as well as all parameters whose values are the same as the built-in default values, are deleted. The "include" and "copy" parameters are removed as well, so SWAT cannot be used if one of these parameters is actually needed. Parameter values that contain a double quotation mark (") are truncated by SWAT at the first such mark. A copy of smb.conf should therefore be made before every SWAT session, and a configuration that relies on comments, "include", "copy" or quoted values should not be edited with SWAT at all.
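The following pre-flight check is an added example and not part of the safeguard text: it scans an smb.conf for exactly the constructs SWAT silently destroys (comment lines, "include"/"copy" parameters, values containing a double quotation mark) and takes a timestamped backup before SWAT is used. The path /etc/samba/smb.conf in the usage line is an assumption; distributions differ.

```shell
#!/bin/sh
# swat_preflight.sh (added example): is this smb.conf safe to hand to SWAT?
# Usage: . ./swat_preflight.sh; swat_preflight /etc/samba/smb.conf && swat_backup /etc/samba/smb.conf
# Exit status of swat_preflight: 0 = SWAT-safe, 1 = SWAT would damage it, 2 = unreadable.

# Comment lines: first non-blank character is ';' or '#'. SWAT drops all of them.
swat_count_comments() {
    grep -c '^[[:space:]]*[;#]' "$1" || true   # grep -c exits 1 on zero matches
}

# "include" / "copy" parameters (any case, any spacing): SWAT removes them.
swat_find_include_copy() {
    grep -inE '^[[:space:]]*(include|copy)[[:space:]]*=' "$1" || true
}

# Non-comment parameter lines whose value contains '"': SWAT truncates the
# value at the first quotation mark.
swat_find_quoted_values() {
    grep -nE '^[[:space:]]*[^;#[:space:]][^=]*=.*"' "$1" || true
}

swat_preflight() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    n=$(swat_count_comments "$f")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n comment line(s) in $f will be lost on the first SWAT commit"
    fi

    ic=$(swat_find_include_copy "$f")
    if [ -n "$ic" ]; then
        echo "FAIL: include/copy parameters present; SWAT cannot be used for $f:"
        printf '%s\n' "$ic"
        rc=1
    fi

    q=$(swat_find_quoted_values "$f")
    if [ -n "$q" ]; then
        echo "FAIL: values containing a quotation mark would be truncated by SWAT:"
        printf '%s\n' "$q"
        rc=1
    fi
    return $rc
}

# Keep a pristine copy (preserving mode/owner) next to the file before SWAT touches it.
swat_backup() {
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}
```

The check only reports; it never edits smb.conf. A FAIL means the file contains constructs whose loss changes Samba's behaviour, and the configuration should then be maintained with an editor instead of SWAT.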
Deactivating or restricting access to SWAT
If SWAT is not used for the administration and configuration of the Samba server, it is recommended to uninstall SWAT. If this is not possible, the internet daemon must be prevented from starting SWAT. In the case of xinetd, the start of the SWAT service is usually controlled by the file /etc/xinetd.d/swat or /etc/xinetd.d/samba. The parameter setting "disable = yes" in that service entry prevents the internet daemon from starting SWAT when a request arrives; xinetd must be told to re-read its configuration (for example by sending it SIGHUP) for the change to take effect.
If SWAT is only used for the administration and configuration of a local Samba server, the accessibility of SWAT should be limited to requests from the local computer. For the internet daemon xinetd, this is achieved by setting the "only_from = localhost" parameter in the service entry for SWAT (usually /etc/xinetd.d/swat; a setting in the "defaults" block of /etc/xinetd.conf would apply to all services).
If SWAT is used from remote computers for the administration and configuration of the Samba server, access should be restricted accordingly. Access to SWAT should only be allowed for computers that really need it. If the internet daemon xinetd is used, this can be achieved using the "only_from" parameter in the corresponding service entry, for example "only_from = 128.138.193.0 128.138.204.0" (a trailing .0 matches the whole network in xinetd; the addresses are placeholders). Such a filter is based on the source IP address only and is no substitute for authentication or encryption.
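The following audit script is an added example, not part of the safeguard text. It reads only the "service swat" stanza of an xinetd service file and reports whether SWAT is disabled, reachable from localhost only, restricted to a host list, or open to any source address. It deliberately ignores the "defaults" block of /etc/xinetd.conf, so an "OPEN" result means the service entry itself carries no restriction. The file path in the usage line is an assumption.

```shell
#!/bin/sh
# swat_xinetd_audit.sh (added example): how does xinetd expose SWAT?
# Usage: . ./swat_xinetd_audit.sh; swat_xinetd_status /etc/xinetd.d/swat
# Prints one of: disabled | localhost | restricted <hosts> | OPEN
# Exit status 1 only for OPEN, so the call can be used in a scripted check.

# Print the value of attribute $2 from the "service swat { ... }" stanza of file $1.
# Other stanzas (defaults, other services) are skipped on purpose.
swat_stanza_attr() {
    awk -v key="$2" '
        /^[[:space:]]*service[[:space:]]+swat([[:space:]]|$)/ { inblk = 1; next }
        inblk && /^[[:space:]]*[}]/ { inblk = 0; next }
        inblk {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next                      # "{" or a line without "="
            k = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", k)
            v = substr(line, n + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

swat_xinetd_status() {
    f=$1
    # xinetd treats a missing "disable" as "disable = no", i.e. enabled.
    if [ "$(swat_stanza_attr "$f" disable)" = yes ]; then
        echo disabled
        return 0
    fi
    from=$(swat_stanza_attr "$f" only_from)
    if [ -z "$from" ]; then
        echo OPEN
        return 1
    fi
    case "$from" in
        localhost|127.0.0.1) echo localhost ;;
        *) echo "restricted $from" ;;   # any list beyond localhost widens access
    esac
    return 0
}
```

Run it after every change to the service entry and after xinetd has been reloaded; "restricted" still has to be checked by eye against the list of computers that actually need SWAT.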
Secure transmission of login data
SWAT may only be used for the administration of the Samba server via trusted networks. SWAT does not support the Hypertext Transfer Protocol Secure (HTTPS) protocol, and it authenticates users with HTTP Basic Authentication, so the username and password (normally those of root) as well as the entire configuration are transmitted in plain text with every request. If the protection requirements are high, it is recommended to avoid using SWAT or to encrypt its communication. Encryption can be achieved using a Virtual Private Network (VPN) or a cryptographic tunnel.
The following illustrates how communication through a cryptographic tunnel can be realised with the help of the "stunnel" program (version 4).
First, openssl must be used to generate a certificate for stunnel. The command used to do this is as follows:
root# /usr/bin/openssl req -new -x509 -days 365 -nodes \
   -config /usr/share/doc/packages/stunnel/stunnel.cnf \
   -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
It is possible that stunnel expects to find the certificate and the key at a different location. The compiled-in default path can be displayed with the command "stunnel -version"; the stunnel configuration or the openssl command provided above may need to be adapted accordingly. Afterwards the command chmod 600 /etc/stunnel/stunnel.pem must be executed to ensure that the private key and certificate are adequately protected against unauthorised access. Otherwise stunnel refuses to start.
After that, the configuration file /etc/stunnel/swat.conf must be created. Because it contains no "accept" line, stunnel runs in inetd mode and serves the single connection that xinetd hands it on standard input and output:
; certificate and key generated above (may be omitted if the path equals the default shown by "stunnel -version")
cert = /etc/stunnel/stunnel.pem
exec = /usr/sbin/swat
execargs = swat
The xinetd service entry for SWAT (for example /etc/xinetd.d/swat) must be adapted as follows, so that xinetd starts stunnel instead of SWAT itself:
service swat
{
    socket_type = stream
    wait = no
    user = root
    port = 901
    server = /usr/sbin/stunnel
    server_args = /etc/stunnel/swat.conf
    # restrict the source addresses as described above; extend the list for remote administration
    only_from = localhost
    disable = no
}
After xinetd has re-read its configuration (for example after receiving SIGHUP or after a restart of the xinetd service), SWAT can be accessed via the URL https://<IP or DNS name of the Samba server>:901. Since the certificate is self-signed, the browser will warn about it; the administrator should compare the fingerprint shown with that of the generated stunnel.pem instead of simply accepting the warning, otherwise the tunnel offers no protection against a man-in-the-middle.
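The steps above, collected into shell functions as an added example (not part of the safeguard text, and not an official stunnel or Samba script). Each step can be checked on its own: the certificate is generated non-interactively with "-subj" instead of the -config file from the text (the CN value is an assumption), the PEM permissions are verified before anything is written, and the xinetd entry defaults to "only_from = localhost" so the tunnel is never exposed by accident. The paths /usr/sbin/stunnel, /usr/sbin/swat, /etc/stunnel/ and /etc/xinetd.d/swat are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# swat_stunnel_setup.sh (added example): put stunnel 4 in inetd mode in front of SWAT.
# Usage as root:  . ./swat_stunnel_setup.sh; swat_stunnel_setup "localhost"
#             or: swat_stunnel_setup "128.138.193.0 128.138.204.0"   (remote admin hosts)
# Afterwards: kill -HUP "$(pidof xinetd)"  or  service xinetd reload
# Paths below are assumptions; adjust to the distribution.
SWAT_PEM=${SWAT_PEM:-/etc/stunnel/stunnel.pem}
SWAT_STUNNEL_CONF=${SWAT_STUNNEL_CONF:-/etc/stunnel/swat.conf}
SWAT_XINETD_FILE=${SWAT_XINETD_FILE:-/etc/xinetd.d/swat}

# Step 1: self-signed certificate and private key in one PEM file, then lock it down.
# "-subj" replaces the interactive prompts; the CN is an assumed placeholder.
swat_make_cert() {
    pem=$1
    openssl req -new -x509 -days 365 -nodes \
        -subj "/CN=$(hostname)" \
        -out "$pem" -keyout "$pem" && chmod 600 "$pem"
}

# Step 2: refuse to go on unless the PEM exists and is mode 600
# (stunnel will not start with a group- or world-readable key either).
swat_check_pem() {
    pem=$1
    [ -f "$pem" ] || { echo "missing $pem" >&2; return 1; }
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")   # GNU, then BSD stat
    [ "$mode" = 600 ] || { echo "$pem has mode $mode, want 600" >&2; return 1; }
}

# Step 3: stunnel configuration. No "accept =" line: xinetd owns the listening
# socket and hands each connection to stunnel on stdin/stdout (inetd mode).
swat_write_stunnel_conf() {
    conf=$1 pem=$2
    cat > "$conf" <<EOF
; stunnel 4, inetd mode, wraps SWAT in TLS
cert = $pem
exec = /usr/sbin/swat
execargs = swat
EOF
}

# Step 4: xinetd service entry. $3 is the only_from list; it defaults to
# localhost so that enabling the tunnel does not widen access.
swat_write_xinetd() {
    file=$1 conf=$2 from=${3:-localhost}
    cat > "$file" <<EOF
service swat
{
    socket_type = stream
    wait        = no
    user        = root
    port        = 901
    server      = /usr/sbin/stunnel
    server_args = $conf
    only_from   = $from
    disable     = no
}
EOF
}

# Whole procedure; stops at the first failing step.
swat_stunnel_setup() {
    swat_make_cert "$SWAT_PEM" &&
    swat_check_pem "$SWAT_PEM" &&
    swat_write_stunnel_conf "$SWAT_STUNNEL_CONF" "$SWAT_PEM" &&
    swat_write_xinetd "$SWAT_XINETD_FILE" "$SWAT_STUNNEL_CONF" "${1:-localhost}"
}
```

The functions only write the two configuration files and never touch smb.conf; xinetd still has to be reloaded, and the browser warning for the self-signed certificate should be resolved by comparing fingerprints, as described above.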
Authentication and authorisation scheme of SWAT
SWAT uses a very simple authentication and authorisation scheme. Authentication is performed using the local mechanisms of the server on which SWAT is running. SWAT accepts every user who is able to authenticate successfully on the server. Every user who has read privileges in the file system for the configuration file smb.conf of the Samba server can then display the configuration. Users who also have write privileges for the configuration file smb.conf can make changes to the configuration.
All other operations such as restarting the Samba server or terminating connections to the Samba server can only be performed by the user with the user identification (UID) number 0. This is normally the user named "root".
Review questions:
- Are the administrators aware that SWAT completely rewrites the file smb.conf when changes are made?
- Was SWAT uninstalled or disabled if SWAT is not used for administrating and configuring Samba?
- Is the accessibility of SWAT limited to requests from the local computer if SWAT is only used for the administration and configuration of a local Samba server?
- Is the accessibility of SWAT limited to requests from trustworthy computers if SWAT is used from remote computers for administration and configuration?
- Is SWAT only used via trusted networks and/or is communication encrypted?
- Is SWAT only reachable over an encrypted (HTTPS) connection, for example through a stunnel or VPN tunnel, and is the tunnel certificate verified by the administrators?