Swat Password - Logged in clear text

[TSch]

Hi folks,

I've noticed, that swat creates a logfile under /etc/webmin/samba/swat containing the User and password (in clear text !!!!!) that last tried to logon using swat ...

This is extremely critical ...

Is there any way to suppress that output ?


Regards
Thomas

 

[hfaix]

I've never seen this. What version of Samba?

 

[khalidaaa]

well, i didn't use swat for my samba coz i just copied the configuration from the old server that we had to this new one!

when i viewed the smb.conf i couldn't see any passwords!

But i believe if this is the case then this file will be owned by root only! so it's not a big deal! isn't it?

 

[TSch]

Hi,

it's Version 3.0.24 ...

You can put a parameter for encrypted passwords into the smb.conf but this is only for the smbpasswd file. The swat file is still written in clear text ...

And I don't really feel good knowing that there's a file containing critical passwords in clear text residing somewhere on the machine.

If someone with some knowledge is sitting at the machine he might find a way to read the file an that's not good.

Regards
Thomas