Re: Richard Plinston Levent Zillyboy Chris Wareham
> You asked for distros with it bundled. And it was both bundled and active by default in older versions, as I showed with RHEL AS4, which you were unable to disprove
You do not seem to understand that there is a distinction between 'in the repository' and 'installed and active by default'. Here is actually what I asked:
"""So are some games "bundled into distros". Show me the distros that install SAMBA and SWAT "by default". Show me which distros enable these "by default"."""
I did disprove your claim that it was 'active by default'. More to the point you have not established _any_ of your claims at all, especially where you conflate Apache and SWAT. The configuration file was 'as installed' as shown by the file date/time. Whether the selection box for installing it was clicked by the installer or was already clicked would require me to go through the install process, which you obviously have never done.
> (on a client's box you admit you didn't even know the security profile of for a very well-known security issue - not reassuring as to your admin credentials). Yet you want to insist you have disproven the point? Male bovine manure.
It is not a machine that I administer, nor do I administer _any_ Samba sites, nor is Samba active on any machine that I do administer, so the 'issue' is of no concern to me or the client.
> ".....SWAT is _not_ part of Apache...." I never said it was,
Yes you did, you frequently conflated Apache and SWAT: you claimed: """ and the fact that activating Apache exposes port 901 """. Port 901 is the port for SWAT. AND """(b) turning on Apache without checking DOES leave port 901 open for an attack if the right SWAT security steps have not been taken. """ AND """ Many admins do not realise that leaving the default Apache install running allows anyone with the IP address of the system the ability to go directly to that [Samba] configuration file,"""
> As you admitted, you had to go check a server you set up for a client as you didn't know if the proper security for SWAT had been set - not exactly a ringing endorsement.
It is called 'gathering evidence', something that you seem unfamiliar with.
> And you're still trying to deny (a) it is an extensively documented issue,
What _is_ 'extensively documented', even in the one link that you supplied, is that SWAT is _NOT_ activated by default, despite your repeated bogus claims.
> and (b) turning on Apache without checking DOES leave port 901 open for an attack if the right SWAT security steps have not been taken.
Once again you conflate Apache with SWAT when they have no connection. Apache _never_ opens port 901 (unless explicitly configured for some unknown reason).
> I said it was common for admins to leave the Apache web service running without realising the possible security holes, including the SWAT/SAMBA issue.
And again you attribute Apache as somehow installing and activating Samba and SWAT when they are unrelated products (that both happen to be independently accessed by a browser).
> ".....SWAT is related to Apache (not true, but you continue to claim it)...." Stop lying just because you lost the argument. I never said that at all,
Yes you did, and repeatedly claimed it again, see your (b) above.
> You couldn't even prove this for RH AS4, let alone all the other even older distros, but you want to claim you have proven otherwise?
You have repeatedly made the claim, it is for you to prove. You are just waving aside the evidence, even the evidence in the link that you did provide.
> "....* SWAT, by default, requires no logging in (not true)...." Another lie, please post to where I said that.
Here it is: """ ".....SWAT requires logging in....." Only if you configure it to. """ and here: """On SAMBA (Linux and UNIX) the smb.conf file is presented out to the World as a web page on TCP port 901 via the SWAT without any protecting login mechanism and with permissions allowing anyone to edit the file."""
> "......SWAT, by default, can be accessed from other machines (not true)...." Not what I said, not even close. What I said was an insecure configuration of SWAT would allow any system with LAN access to the target server to go to the SWAT web page on port 901 and edit the SAMBA config.
What you said was: """the smb.conf file is presented out to the World as a web page on TCP port 901 via the SWAT without any protecting login mechanism and with permissions allowing anyone to edit the file.""". Which is and always was completely untrue.
And here, from that message, is another example of your conflating Apache and SWAT: """ I'm guessing by your response you did not realise what toys get exposed as soon as you turn on Apache?"""
If you want your rantings to be accepted then you need to _prove_ that in some distant past SWAT was installed by default, activated by default, in demo mode by default, was accessible beyond the localhost by default, and in any way was part of Apache. Good luck with _any_ of that.