s3 swat: Create random nonce in CGI mode

In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.

Signed-off-by: Kai Blin <kai@samba.org>
The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).

diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 4dac656c1a9a3cd3d2c9d0fa4b3181cc014e470c..0c8e9cbe55bbc009a4a266cd9f63ffda15c15120 100644 (file)
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -19,6 +19,8 @@
 
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "secrets.h"
+#include "../lib/util/util.h"
 
 #define MAX_VARIABLES 10000
 
@@ -321,7 +323,23 @@ static void cgi_web_auth(void)
                exit(0);
        }
 
-       setuid(0);
+       C_user = SMB_STRDUP(user);
+
+       if (!setuid(0)) {
+               C_pass = secrets_fetch_generic("root", "SWAT");
+               if (C_pass == NULL) {
+                       char *tmp_pass = NULL;
+                       tmp_pass = generate_random_str(talloc_tos(), 16);
+                       if (tmp_pass == NULL) {
+                               printf("%sFailed to create random nonce for "
+                                      "SWAT session\n<br>%s\n", head, tail);
+                               exit(0);
+                       }
+                       secrets_store_generic("root", "SWAT", tmp_pass);
+                       C_pass = SMB_STRDUP(tmp_pass);
+                       TALLOC_FREE(tmp_pass);
+               }
+       }
        setuid(pwd->pw_uid);
        if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
                printf("%sFailed to become user %s - uid=%d/%d<br>%s\n",