From owner-freebsd-ports Tue Oct 28 14:06:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA24967 for ports-outgoing; Tue, 28 Oct 1997 14:06:03 -0800 (PST) (envelope-from owner-freebsd-ports)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA24944; Tue, 28 Oct 1997 14:05:48 -0800 (PST) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id PAA15612; Tue, 28 Oct 1997 15:05:27 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id PAA17905; Tue, 28 Oct 1997 15:10:21 -0700 (MST)
Date: Tue, 28 Oct 1997 15:10:21 -0700 (MST)
From: Marc Slemko
To: Karl Denninger
cc: FreeBSD Ports, FreeBSD ISP
Subject: Re: Apache FrontPage Module Port Completed
In-Reply-To: <19971028155143.46119@Mars.Mcs.Net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 28 Oct 1997, Karl Denninger wrote:

> I STRONGLY recommend that NOBODY load a botch of this kind on ANYTHING.
>
> SUID root programs for file transfers should be confined to those which have
> many YEARS of experience under their belts - like ftpd. There is absolutely
> NO REASON that Microsoft could not support FTP transfers from Frontpage, and
> if they did, this entire security fiasco would be moot.
>
> And yes, I've told Microsoft this -- for almost two years.
>
> They don't care, and until they do, I'm not risking my machines on their
> no-source code.

There is more to it than that. Yes, you can use FrontPage to upload files via ftp. If you don't use their special CGIs (erm... "bots" or whatever they call them), you can use FrontPage no problem without anything special installed on the server. The problem is their CGIs that implement "pretty" things for FP users.
The problem with the extensions traditionally has been that they modify the server config files each time a new site is created, they all run as the same user letting anyone modify the content or the web server config files, you need separate copies of their huge CGIs for each site even though they are the same, etc.

With the FrontPage 98 extensions for Apache, they added a fpexe program and a patch to Apache to no longer require the changes to the config file and to let the CGIs run as the user who owns the web. fpexec is a setuid root program, similar to suexec, that changes UIDs to the user before running the CGIs. Yes, one of the CGIs allows users to upload their web site.

The source to fpexe is available. In their first release they were absolute morons:

http://www.worldgate.com/~marcs/fp/

They have since released a "fixed" version. It appears better, but I haven't yet had time to fully review it; they take care of the obvious things I pointed out in the first release anyway. There are still issues, and still may be gaping holes, but they are far less obvious. Since you have the source code to the only program they want you to make setuid root, you can judge the risk yourself like I did with the first release.

The risk you are left open to is that if there is a hole in fpexe that you can't see when you review it then someone can possibly gain root. The other risk is that if there is a hole in their CGI scripts then someone can possibly gain access to the account of any user running them; this may or may not be an issue.

You have to be careful to divide the security issues into the proper different zones of risk. One is instant root. Many people dislike that a lot. Another is the possibility of compromising user accounts. Many people dislike that, but to some it is less significant.
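As an added illustration (not code from this message, from fpexe or from suexec), this is the privilege-drop sequence a setuid-root CGI wrapper of the kind discussed above has to get right, with the checks a source review of such a program would look for: refusing root or system-account targets, changing groups before gid before uid, verifying the drop actually happened, and only then exec'ing a CGI owned by that user. The MIN_UID/MIN_GID policy values, the function names and the command-line usage are assumptions made for this example.

```c
#define _GNU_SOURCE              /* getresuid()/getresgid() on glibc; native on FreeBSD */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/* Assumed policy: never switch to root or to system accounts below these ids. */
#define MIN_UID 1000
#define MIN_GID 1000
enum drop_status { DROP_OK = 0, DROP_ROOT_TARGET, DROP_UID_TOO_LOW, DROP_GID_TOO_LOW };

/* Reject target credentials before any setuid()/setgid() call is made. */
enum drop_status validate_target(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return DROP_ROOT_TARGET;
    if (uid < MIN_UID) return DROP_UID_TOO_LOW;
    if (gid < MIN_GID) return DROP_GID_TOO_LOW;
    return DROP_OK;
}

/* 1 only when real, effective and saved ids all equal the target, so root cannot be regained. */
int privileges_fully_dropped(uid_t uid, gid_t gid) {
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    return ru == uid && eu == uid && su == uid && rg == gid && eg == gid && sg == gid;
}

/* The CGI must be a regular file owned by the target user, not group/world writable, not setid. */
int target_is_trusted(const char *path, uid_t uid) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == uid && (st.st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) == 0;
}

/* Order matters: supplementary groups, then gid, then uid; each step is verified, not assumed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (validate_target(uid, gid) != DROP_OK) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (!privileges_fully_dropped(uid, gid)) return -1;
    return setuid(0) == 0 ? -1 : 0;       /* if root can still be regained, the drop failed */
}

int main(int argc, char **argv) {
    /* Constructed usage: wrapper <uid> <gid> <cgi-path>; a real wrapper derives these from the request. */
    if (argc != 4) { fprintf(stderr, "usage: %s uid gid cgi-path\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (!target_is_trusted(argv[3], uid) || drop_privileges(uid, gid) != 0) { perror("refused"); return 1; }
    execl(argv[3], argv[3], (char *)NULL);   /* only reached with the user's own credentials */
    perror("execl"); return 1;
}
```

The binary must be installed setuid root for the drop to succeed; run as an ordinary user it refuses every request, which is the correct failure mode.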