From owner-freebsd-isp Thu Oct 23 15:37:51 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA03061 for isp-outgoing; Thu, 23 Oct 1997 15:37:51 -0700 (PDT) (envelope-from owner-freebsd-isp)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA03056; Thu, 23 Oct 1997 15:37:44 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id QAA29816; Thu, 23 Oct 1997 16:37:15 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id QAA12618; Thu, 23 Oct 1997 16:39:47 -0600 (MDT)
Date: Thu, 23 Oct 1997 16:39:47 -0600 (MDT)
From: Marc Slemko
To: "Scot W. Hetzel"
cc: FreeBSD Ports, FreeBSD ISP
Subject: Re: Apache w/FrontPage Module Port
In-Reply-To: <01bcdfeb$cb4c11c0$0500000a@hetzels>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 23 Oct 1997, Scot W. Hetzel wrote:

> This problem is caused by the fp_install.sh which reads the httpd.conf
> file for the user that the server is to run as, since the default is nobody
> it chowns -R the directory /usr/local/www/data to user nobody. While
> /usr/local/etc/apache is owned by root. The solution I have come up with is
> to chown -R ./etc/apache & ./www/data to the same owner & group after the
> fp_install.sh script has run. As just chown the directories doesn't solve
> the problem with reading the httpd.conf file.
>
> b. Add user & group www
> c. chown -R www:www /usr/local/etc/apache /usr/local/www/data
>
> Q. How do I add these to the group & passwd list (would like them to be uid
> & gid < 99)?
>
> Q. Is there any security issues with having the configuration directory
> (./etc/apache) & files (httpd.conf, srm.conf, access.conf), readable &
> writeable by the frontpage extensions?

Yes.
It means that anyone who can write to them can trivially get root on your system, assuming your system is like most where Apache is started by root in order to bind to port 80. I don't think you should need to have things this way to make it work on Apache using Microsoft's patch. It is necessary on other servers, but shouldn't be on Apache. Haven't really looked at it yet.
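
A check for the condition described in the reply above, as an added example that is not part of the original message: it lists every path under an Apache configuration directory that an account other than the trusted owner could modify. The function name `audit_conf_tree` and its optional trusted-owner argument are assumptions made for this example; the directory in the usage comment is the one named in the quoted message.

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# audit_conf_tree DIR [TRUSTED_OWNER]
#   Prints each path under DIR (DIR included) that is either
#     - not owned by TRUSTED_OWNER (default: root), or
#     - writable by its group or by everyone.
#   Returns 0 if the tree is clean, 1 if anything was printed,
#   2 if DIR is not a directory.
#
# Usage, with the path from the quoted message:
#   sh audit.sh /usr/local/etc/apache
audit_conf_tree() {
    act_dir=$1
    act_owner=${2:-root}

    if [ ! -d "$act_dir" ]; then
        echo "audit_conf_tree: not a directory: $act_dir" >&2
        return 2
    fi

    # -perm -020 / -perm -002 match when the group-write / other-write
    # bit is set. Symlinks are excluded from the mode test because their
    # own mode bits are not meaningful, but their owner is still checked.
    # Group write is flagged conservatively; review those hits by hand
    # if the group has no members besides root.
    act_bad=$(find "$act_dir" \( ! -user "$act_owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)

    if [ -n "$act_bad" ]; then
        printf '%s\n' "$act_bad"
        return 1
    fi
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_conf_tree "$@"
fi
```

After the `chown -R www:www` step proposed in the quoted message, every file in the tree would be reported, because none of them would be owned by root any longer.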