Date: Sat, 21 Apr 2001 10:53:16 +0200 (CEST)
From: Christian Kratzer
To: "Scot W. Hetzel"
Cc: Apu , seti , freebsd-isp@FreeBSD.ORG
Subject: Re: FrontPage Extensions Authentication
In-Reply-To: <015501c0c9c4$44a45fd0$087885c0@GENROCO.com>

Hi,

On Fri, 20 Apr 2001, Scot W. Hetzel wrote:

> From: "Apu"
> > On Fri, 20 Apr 2001, seti wrote:
> >
> > > which all went off without a hitch. However when using the Frontpage
> > > 98/2000/XP client to access the FP enabled web, it simply does not ask me
> > > for any username and password, but instead allows me anonymously to
> > > edit/publish the webpage, from various workstations. My workaround has been
> >
> > You need to AllowOverride AuthConfig so Apache can process the
> > authentication configuration information in the .htaccess files. (The
> > extensions actually ask for AllowOverride All but you can get away with
> > giving out less to the individual .htaccess files -- you really need more
> > than just AuthConfig but I don't recall exactly.)
> >
>
> These are the minimum settings that you need to specify in order for the FP
> Exts to function securely on a FP enabled website.
>
> AllowOverride AuthConfig Limit Indexes Options

specifically "AllowOverride Options" is required as frontpage drops
.htaccess files in directories with "Options None"

Sadly "AllowOverride Options" allows users to upload their own cgi's
everywhere just by specifying "Options ExecCGI" and other nice stuff
you perhaps would not want them to do by themselves.

Because of this we patched apache to allow "Options None" even when
there is no "AllowOverride Options"

I really don't fancy porting all these patches to make frontpage secure
to apache-2.0 etc...

We would gladly drop frontpage support if there weren't that many
users using it.

Greetings
Christian

--
TopLink Internet Services GmbH      ck@171.2.195.in-addr.arpa
Christian Kratzer                   http://www.toplink.net/
Phone: +49 7032 2701-0
Fax:   +49 7032 2701-19
FreeBSD spoken here!
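An added example, not part of the original message and not the Apache patch it mentions: a Python audit that walks a document root and reports directories whose .htaccess switches on code execution through `Options`, which is what the message says "AllowOverride Options" lets users do. The directory names and sample files in `demo()` are constructed for illustration.

```python
import os
import tempfile

# Options keywords that let content run code; "All" enables everything except MultiViews.
RISKY = {"execcgi", "includes", "all"}

def effective_risky(text):
    """Return the risky Options keywords left enabled by one .htaccess body."""
    state = set()
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#") or words[0].lower() != "options":
            continue
        args = [w.lower() for w in words[1:]]
        if any(a[0] not in "+-" for a in args):
            state = set()  # absolute form replaces earlier Options lines
        for a in args:
            if a.startswith("-"):
                state.discard(a[1:])
            else:
                state.add(a.lstrip("+"))
    return sorted(state & RISKY)

def scan(docroot):
    """Map each directory (relative to docroot) to the risky options it sets."""
    hits = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                risky = effective_risky(fh.read())
            if risky:
                hits[os.path.relpath(dirpath, docroot)] = risky
    return hits

def demo():
    """Build a constructed docroot in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "fp_dir": "Options None\n",                      # as FrontPage writes it
            "user_dir": "# added by user\nOptions +ExecCGI\n",
            "docs": "Options Indexes\n",
        }
        for name, body in samples.items():
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, ".htaccess"), "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The check only sees what each file sets itself; options inherited from the server configuration or a parent directory are outside its view.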