From owner-cvs-all Fri Mar 12 10:43:28 1999
Delivered-To: cvs-all@freebsd.org
Received: from news.IAEhv.nl (news.IAEhv.nl [194.151.64.4])
	by hub.freebsd.org (Postfix) with ESMTP id E7BFB15602
	for ; Fri, 12 Mar 1999 10:43:11 -0800 (PST)
	(envelope-from devet@adv.iae.nl)
Received: (from uucp@localhost)
	by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id TAA16801
	for cvs-all@freebsd.org; Fri, 12 Mar 1999 19:42:53 +0100 (MET)
Received: (from devet@localhost)
	by adv.iae.nl (8.9.2/8.8.6) id SAA00355;
	Fri, 12 Mar 1999 18:55:15 +0100 (CET)
Date: Fri, 12 Mar 1999 18:55:15 +0100 (CET)
From: Arjan de Vet
Message-Id: <199903121755.SAA00355@adv.iae.nl>
To: cvs-all@freebsd.org
Subject: Re: BSD/OS compatibility (was: cvs commit: src/sys/i386/conf ..
In-Reply-To: <19990312155153.A39673@nagual.pp.ru>
References: <19990312152048.A37814@nagual.pp.ru>
Organization: Internet Access Eindhoven, the Netherlands
Cc:
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

> Micro$oft's attempt at FrontPage 98 server-side extensions for Apache
>
> Summary
>
> Description: The setuid root program (fpexe) which comes with the
> FrontPage extensions is a pathetic joke security-wise, as Marc Slemko
> demonstrates.

At the company I work for I changed the fpexe program and Apache FP
extensions such that fpexe does not need to be setuid anymore. Of course
all files are then owned by the userid the webserver is running with
(limiting FP functionality I think, never used it myself) and it may still
be possible to change files via FP in an unauthorized way.

But at least the setuid-root bit on fpexe has gone :-). And because we're
using a chrooted Apache too, any setuid-root bit is one bit too much.

Arjan