Debian Bug report logs - #700729
swat: Password management has stopped working


Package: swat; Maintainer for swat is Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>; Source for swat is src:samba.

Reported by: Roger Lynn <Roger@rilynn.me.uk>

Date: Sat, 16 Feb 2013 18:27:02 UTC

Severity: important

Found in version samba/2:3.6.6-5

Fixed in version 2:4.0.6+dfsg-1

Done: Ivo De Decker <ivo.dedecker@ugent.be>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.samba.org/show_bug.cgi?id=9668




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#700729; Package swat. (Sat, 16 Feb 2013 18:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Lynn <Roger@rilynn.me.uk>:
New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 16 Feb 2013 18:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Roger Lynn <Roger@rilynn.me.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: swat: Password management has stopped working
Date: Sat, 16 Feb 2013 18:24:55 +0000
Package: swat
Version: 2:3.6.6-5
Severity: important

Hi,

At some point in the last month server password management using Swat has
stopped working. Swat can be logged into and the old and new server passwords
entered, but choosing "Change Password" appears to just reload the page
without changing anything. Entering the wrong old password or mismatching
new passwords does the same thing.

The only relevant logging I can find is in /var/log/samba/log. which has
recently started getting lots of lines like this when Swat is used:

[2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)
  Failed to open /var/lib/samba/secrets.tdb

# ls -l /var/lib/samba/secrets.tdb 
-rw------- 1 root root 430080 Aug 24 23:30 /var/lib/samba/secrets.tdb

24 August is the date I first installed Samba.

Swat is running through stunnel, which has always occasionally logged SSL
errors, but there don't appear to have been any recent changes to stunnel or
its dependencies.

While I don't know the Samba code, it looks at least possible to me that the
problem was introduced by the patch for CVE-2013-0214.

My smb.conf file looks like this:

[global]
        workgroup = FUNDAMENTALS
        server string = %h server
        interfaces = 127.0.0.0/8, bond0
        bind interfaces only = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        load printers = No
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        invalid users = root
[Service]
        comment = Service files
        path = /srv/smb/service
        read only = No
        create mask = 0775
        force create mode = 0664
        directory mask = 0770
        force directory mode = 0770
        oplocks = No
        level2 oplocks = No

There are several other similar share definitions.

Apart from the security update, the only other recent changes I can think of
are adding the "level2 oplocks = No" parameter, but I can't imagine that
affecting Swat, and I briefly tried "max protocol = SMB2" but reverted that
when it appeared to negatively impact reliability in Windows.

As my only use of Swat is to allow users to change their passwords, this has
had a major effect on the usability of the package.

Thank you for your assistance,

Roger

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages swat depends on:
ii  dpkg                              1.16.9
ii  libc6                             2.13-37
ii  libcap2                           1:2.22-1.2
ii  libcomerr2                        1.42.5-1
ii  libcups2                          1.5.3-2.14
ii  libgssapi-krb5-2                  1.10.1+dfsg-3
ii  libk5crypto3                      1.10.1+dfsg-3
ii  libkrb5-3                         1.10.1+dfsg-3
ii  libldap-2.4-2                     2.4.31-1
ii  libpam0g                          1.1.3-7.1
ii  libpopt0                          1.16-7
ii  libtalloc2                        2.0.7+git20120207-1
ii  libtdb1                           1.2.10-2
ii  libwbclient0                      2:3.6.6-5
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  samba                             2:3.6.6-5
ii  zlib1g                            1:1.2.7.dfsg-13

Versions of packages swat recommends:
ii  samba-doc  2:3.6.6-5

swat suggests no packages.

-- no debconf information
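The facts in the report do not fit together unless the open of secrets.tdb is attempted by something other than root: the file is root-owned and mode 0600, SWAT is started as root, and the open still fails. The following is an added example, not part of the bug report and not Samba code, that parses the Samba 3 log format quoted above and then answers, from the file's owner/group/mode bits alone, whether a given uid could open it read-write. The SAMPLE_LOG text is constructed from the excerpt in the report; make_secret_file() creates a temporary file that stands in for /var/lib/samba/secrets.tdb; POSIX ACLs and capabilities are not modelled, so a real system can differ.

```python
import os
import re
import stat
import tempfile

# Samba 3 log header, as in the report:
#   "[2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)"
# Level 0 messages are emitted at any "log level" setting.
HEADER_RE = re.compile(r"^\[(?P<ts>[^\],]+),\s*(?P<level>\d+)\]\s+(?P<loc>\S+)\s*$")
# The indented continuation line that carries the message text.
FAILED_RE = re.compile(r"^\s+Failed to open (?P<path>\S+)")

# Constructed sample, copied from the log excerpt in this report.
SAMPLE_LOG = (
    "[2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)\n"
    "  Failed to open /var/lib/samba/secrets.tdb\n"
)

MY_UID = os.getuid()
MY_GIDS = set(os.getgroups()) | {os.getgid()}


def failed_opens(log_text):
    """Return [(source_location, path)] for each 'Failed to open' message,
    paired with the header line that precedes it (None if there was none)."""
    found = []
    location = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            location = header.group("loc")
            continue
        failed = FAILED_RE.match(line)
        if failed:
            found.append((location, failed.group("path")))
            location = None
    return found


def can_open_rdwr(path, uid, gids):
    """Could a process with this uid and these gids open(path, O_RDWR)?
    Classic owner/group/other mode-bit evaluation only; ACLs and capabilities
    are not modelled, except that uid 0 always passes (CAP_DAC_OVERRIDE)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (st.st_mode & need) == need


def diagnose(log_text, uid, gids, path_map=None):
    """For each failed open in the log, say whether uid/gids could have opened the file.
    Returns {logged_path: True | False | None}; None means the file is absent locally.
    path_map redirects logged paths to local files so this can run on a test box."""
    path_map = path_map or {}
    verdicts = {}
    for _location, logged in failed_opens(log_text):
        local = path_map.get(logged, logged)
        try:
            verdicts[logged] = can_open_rdwr(local, uid, gids)
        except FileNotFoundError:
            verdicts[logged] = None
    return verdicts


def make_secret_file(mode=0o600):
    """Constructed stand-in for /var/lib/samba/secrets.tdb: readable by its owner only."""
    fd, path = tempfile.mkstemp(prefix="secrets-", suffix=".tdb")
    os.write(fd, b"TDB file\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    secrets = make_secret_file()
    # As the owner (root in the report) the open would succeed; as any other uid it
    # would not, which is what a uid switch before secrets_init() would produce.
    for who, uid in (("owner", MY_UID), ("other uid", MY_UID + 1)):
        print(who, diagnose(SAMPLE_LOG, uid, set(), {"/var/lib/samba/secrets.tdb": secrets}))
```

Run it against the real log with `diagnose(open("/var/log/samba/log.").read(), uid, gids)` where uid/gids are those of the account SWAT switches to; a False verdict on a root-owned 0600 file is the signature of an open performed after the privilege drop.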



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#700729; Package swat. (Mon, 18 Feb 2013 00:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrew Bartlett <abartlet@samba.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 18 Feb 2013 00:09:03 GMT) Full text and rfc822 format available.

Message #10 received at 700729@bugs.debian.org (full text, mbox):

From: Andrew Bartlett <abartlet@samba.org>
To: Roger Lynn <Roger@rilynn.me.uk>, 700729@bugs.debian.org
Subject: Re: Bug#700729: swat: Password management has stopped working
Date: Mon, 18 Feb 2013 11:00:54 +1100
On Sat, 2013-02-16 at 18:24 +0000, Roger Lynn wrote:
> Package: swat
> Version: 2:3.6.6-5
> Severity: important
> 
> Hi,
> 
> At some point in the last month server password management using Swat has
> stopped working. Swat can be logged into and the old and new server passwords
> entered, but choosing "Change Password" appears to just reload the page
> without changing anything. Entering the wrong old password or mismatching
> new passwords does the same thing.
> 
> The only relevant logging I can find is in /var/log/samba/log. which has
> recently started getting lots of lines like this when Swat is used:
> 
> [2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)
>   Failed to open /var/lib/samba/secrets.tdb

> 
> As my only use of Swat is to allow users to change their passwords, this has
> had a major effect on the usability of the package.

Please report upstream.  We may somehow be able to obtain the CSRF token
and store it in memory before we become the non-privileged user. 

Just to be sure, are you running SWAT as root, from xinetd?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
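The suggestion above, stated generally: anything a daemon needs from root-only storage has to be read, or at least opened, before it changes uid, because the kernel checks permissions at open() and not at read(). The following is an added example in Python, not Samba's code, that shows the two orderings. os.chmod(path, 0) stands in for the setuid() call so that it runs without root; since root ignores mode bits, the wrong-order case only fails when run as an unprivileged user, which RUNNING_AS_ROOT records.

```python
import os
import tempfile

# Root ignores mode bits, so the simulated "drop" below has no effect for it.
RUNNING_AS_ROOT = os.geteuid() == 0

TOKEN_MATERIAL = b"tdb-backed token material\n"  # constructed stand-in for the secret


def make_secret_file(data=TOKEN_MATERIAL):
    """Constructed stand-in for secrets.tdb: a 0600 file owned by the current user."""
    fd, path = tempfile.mkstemp(prefix="secrets-", suffix=".tdb")
    os.write(fd, data)
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def simulate_privilege_drop(path):
    """Stand-in for os.setgid()/os.setuid() to the web user. Stripping every mode
    bit makes a later open() fail with EACCES for a non-root caller, the same
    outcome a real uid switch produces for a root-only file."""
    os.chmod(path, 0)


def drop_then_open(path):
    """Wrong order: become unprivileged first, then try to read the secret.
    Returns None when the open is refused."""
    simulate_privilege_drop(path)
    try:
        with open(path, "rb") as f:
            return f.read()
    except PermissionError:
        return None


def open_then_drop(path):
    """Right order: open while still privileged, drop, then read. The descriptor
    was checked at open() time and keeps working after the drop; reading the
    bytes into memory before the drop works for the same reason."""
    fd = os.open(path, os.O_RDONLY)
    simulate_privilege_drop(path)
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


if __name__ == "__main__":
    print("open then drop:", open_then_drop(make_secret_file()))
    print("drop then open:", drop_then_open(make_secret_file()))
```

The same rule applies to tdb handles, listening sockets and log files: acquire them in the privileged phase, hand the descriptors across the uid change, and treat any open() after the change as something the unprivileged identity must be entitled to on its own.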





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#700729; Package swat. (Mon, 18 Feb 2013 12:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Lynn <Roger@rilynn.me.uk>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 18 Feb 2013 12:21:05 GMT) Full text and rfc822 format available.

Message #15 received at 700729@bugs.debian.org (full text, mbox):

From: Roger Lynn <Roger@rilynn.me.uk>
To: Andrew Bartlett <abartlet@samba.org>
Cc: 700729@bugs.debian.org
Subject: Re: Bug#700729: swat: Password management has stopped working
Date: Mon, 18 Feb 2013 11:48:29 +0000
On 18/02/2013 00:00, Andrew Bartlett wrote:
> On Sat, 2013-02-16 at 18:24 +0000, Roger Lynn wrote:
>> At some point in the last month server password management using Swat has
>> stopped working. Swat can be logged into and the old and new server passwords
>> entered, but choosing "Change Password" appears to just reload the page
>> without changing anything. Entering the wrong old password or mismatching
>> new passwords does the same thing.
>> 
>> The only relevant logging I can find is in /var/log/samba/log. which has
>> recently started getting lots of lines like this when Swat is used:
>> 
>> [2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)
>>   Failed to open /var/lib/samba/secrets.tdb
> 
>> As my only use of Swat is to allow users to change their passwords, this has
>> had a major effect on the usability of the package.
> 
> Please report upstream.  We may somehow be able to obtain the CSRF token
> and store it in memory before we become the non-privileged user. 
> 
> Just to be sure, are you running SWAT as root, from xinetd?

SWAT is being run by stunnel, which is running in daemon mode. I couldn't
get it to work from inetd. The relevant part of my stunnel configuration
looks like this:

[swat]
accept  = 192.168.10.1:901
exec    = /usr/sbin/swat
execargs = swat -P

According to ps SWAT is running as user root. It used to work and I don't
think anything has changed here so I presume SWAT has the necessary privileges.

I will attempt to report this upstream. I'd be grateful if any fixes could
be backported to Debian Wheezy, release policy permitting, as this appears
to be a regression caused by a security update.

Thanks,

Roger



Set Bug forwarded-to-address to 'http://bugzilla.samba.org/show_bug.cgi?id=9668'. Request was from Roger Lynn <Roger@rilynn.me.uk> to control@bugs.debian.org. (Tue, 19 Feb 2013 23:03:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#700729; Package swat. (Tue, 05 Mar 2013 08:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gaudenz Steinlin <gaudenz@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 05 Mar 2013 08:45:08 GMT) Full text and rfc822 format available.

Message #22 received at 700729@bugs.debian.org (full text, mbox):

From: Gaudenz Steinlin <gaudenz@debian.org>
To: 700729@bugs.debian.org
Subject: Confirmed SWAT password change broken by CVE-2013-0213 / 0214 fix
Date: Tue, 05 Mar 2013 09:31:37 +0100
Hi

I can confirm that this bug was introduced by the security fixes in
samba/2:3.6.6-5. Downgrading to samba/2:3.6.6-4 fixes the problem. I'm
running swat from inetd as root.

I would consider this as an RC bug; please increase the severity
accordingly if you agree to get this fixed before the release.

Gaudenz

-- 
Ever tried. Ever failed. No matter.
Try again. Fail again. Fail better.
~ Samuel Beckett ~



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#700729; Package swat. (Thu, 07 Mar 2013 06:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Thu, 07 Mar 2013 06:33:06 GMT) Full text and rfc822 format available.

Message #27 received at 700729@bugs.debian.org (full text, mbox):

From: Christian PERRIER <bubulle@debian.org>
To: Gaudenz Steinlin <gaudenz@debian.org>, 700729@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#700729: Confirmed SWAT password change broken by CVE-2013-0213 / 0214 fix
Date: Thu, 7 Mar 2013 07:23:48 +0100
forwarded 700729 https://bugzilla.samba.org/show_bug.cgi?id=9668
thanks

Quoting Gaudenz Steinlin (gaudenz@debian.org):
> 
> Hi
> 
> I can confirm that this bug was introduced by the security fixes in
> samba/2:3.6.6-5. Downgrading to samba/2:3.6.6-4 fixes the problem. I'm
> running swat from inetd as root.
> 
> I would consider this as an RC bug; please increase the severity
> accordingly if you agree to get this fixed before the release.


Thanks for confirming this, Gaudenz.

I hereby link this bug report with upstream and will monitor upstream
activity on this. If a fix pops up, it will be proposed for wheezy.

Please note that upstream is seriously considering to abandon swat,
which is very loosely maintained and a potential can of security
bugs. I would encourage anyone relying on it for production use to
consider switching to another tool or utility (no idea which one, though).


Changed Bug forwarded-to-address to 'https://bugzilla.samba.org/show_bug.cgi?id=9668' from 'http://bugzilla.samba.org/show_bug.cgi?id=9668' Request was from Christian PERRIER <bubulle@debian.org> to control@bugs.debian.org. (Thu, 07 Mar 2013 06:33:08 GMT) Full text and rfc822 format available.

Reply sent to Ivo De Decker <ivo.dedecker@ugent.be>:
You have taken responsibility. (Fri, 11 Oct 2013 22:00:19 GMT) Full text and rfc822 format available.

Notification sent to Roger Lynn <Roger@rilynn.me.uk>:
Bug acknowledged by developer. (Fri, 11 Oct 2013 22:00:19 GMT) Full text and rfc822 format available.

Message #34 received at 700729-done@bugs.debian.org (full text, mbox):

From: Ivo De Decker <ivo.dedecker@ugent.be>
To: 672246-done@bugs.debian.org, 511276-done@bugs.debian.org, 700729-done@bugs.debian.org, 169092-done@bugs.debian.org, 670472-done@bugs.debian.org
Subject: swat was removed
Date: Fri, 11 Oct 2013 23:56:42 +0200
Version: 2:4.0.6+dfsg-1

Hi,

Swat was removed in samba 2:4.0.6+dfsg-1, so these bugs are no longer
relevant.

Cheers,

Ivo




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Nov 2013 07:27:56 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:44:38 2014; Machine Name: beach.debian.org
