Date: Thu, 23 Oct 1997 16:39:47 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: "Scot W. Hetzel" <hetzels@aol.com>
Cc: FreeBSD Ports <ports@FreeBSD.ORG>, FreeBSD ISP <isp@FreeBSD.ORG>
Subject: Re: Apache w/FrontPage Module Port
Message-ID: <Pine.BSF.3.95.971023163529.11617C-100000@alive.znep.com>
In-Reply-To: <01bcdfeb$cb4c11c0$0500000a@hetzels>

On Thu, 23 Oct 1997, Scot W. Hetzel wrote:

> This problem is caused by the fp_install.sh which reads the httpd.conf
> file for the user that the server is to run as, since the default is nobody
> it chowns -R the directory /usr/local/www/data to user nobody. While
> /usr/local/etc/apache is owned by root. The solution I have come up with is
> to chown -R ./etc/apache & ./www/data to the same owner & group after the
> fp_install.sh script has run. As just chown the directories doesn't solve
> the problem with reading the httpd.conf file.
>
> b. Add user & group www
> c. chown -R www:www /usr/local/etc/apache /usr/local/www/data
>
> Q. How do I add these to the group & passwd list (would like them to be uid
> & gid < 99)?
>
> Q. Is there any security issues with having the configuration directory
> (./etc/apache) & files (httpd.conf, srm.conf, access.conf), readable &
> writeable by the frontpage extensions?

Yes. It means that anyone who can write to them can trivially get root on
your system, assuming your system is like most where Apache is started by
root in order to bind to port 80.

I don't think you should need to have things this way to make it work on
Apache using Microsoft's patch. It is necessary on other servers, but
shouldn't be on Apache. Haven't really looked at it yet.
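
An audit for the condition the reply above warns about, added here as an example and not part of the original message or of the port: it lists every path in an Apache configuration tree that an account other than the trusted owner could modify. The function name `audit_conf_tree` is hypothetical, and the default owner `root` is an assumption for a server that root starts in order to bind port 80.

```shell
#!/bin/sh
# Added example (not from the original thread): report configuration paths
# that someone other than the trusted owner can modify.

# audit_conf_tree DIR [OWNER]
#   DIR    configuration tree, e.g. /usr/local/etc/apache (path from the thread)
#   OWNER  trusted user name or numeric uid; defaults to root (assumption)
# Prints one line per offending path.
# Returns 0 if the tree is clean, 1 if anything was flagged, 2 on bad input.
audit_conf_tree() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Flag anything not owned by OWNER, plus anything group- or world-writable.
    # Group write is flagged even for a trusted group so a human reviews it.
    # Symlinks are skipped in the mode test because their mode bits are not
    # meaningful; ownership of the link itself is still checked.
    flagged=$(find "$dir" \( ! -user "$owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)

    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged" | sed 's/^/WRITABLE-BY-NON-OWNER: /'
        return 1
    fi
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_conf_tree "$@"
fi
```

Run it as `sh audit.sh /usr/local/etc/apache` after fp_install.sh has finished; any output means the tree needs its ownership or mode corrected before the server is started by root.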