Date: Tue, 28 Oct 1997 13:10:03 -0800 (PST) From: Marc Slemko <marcs@znep.com> To: freebsd-ports Subject: Re: ports/4878: Apache w/FrontPage Module Port Message-ID: <199710282110.NAA20940@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/4878; it has been noted by GNATS.
From: Marc Slemko <marcs@znep.com>
To: "Scot W. Hetzel" <hetzels@aol.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: ports/4878: Apache w/FrontPage Module Port
Date: Tue, 28 Oct 1997 14:12:13 -0700 (MST)
On Tue, 28 Oct 1997, Scot W. Hetzel wrote:
> >Description:
> This port patches the Apache sources & the FrontPage Server Extensions so
> that the FrontPage Module can be compiled into the Apache Server. It will
> then create a user (www) & group (www), so that sub-webs may be created
> using FrontPage 98, because the directories /usr/local/etc/apache &
> /usr/local/www/data must be owned by the same user.
I have said this before and I will say this again: this is a damn big
security hole and must not be done. If you install this port, anyone can
get root on the system you install it on without any effort. This is not
acceptable.
Microsoft includes patches for Apache and a program called fpexe for this
very reason. While I don't particularily recommend them (although the new
fixed version seems reasonable; haven't had time to look at it fully yet
though), they are a _LOT_ better than giving everyone instant root on the
server.
--
Marc Slemko | Apache team member
marcs@znep.com | marc@apache.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710282110.NAA20940>