From owner-freebsd-ports Wed Oct 29 07:23:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA21281 for ports-outgoing; Wed, 29 Oct 1997 07:23:37 -0800 (PST) (envelope-from owner-freebsd-ports)
Received: from mrin42.mail.aol.com (mrin42.mx.aol.com [198.81.19.152]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA21267 for ; Wed, 29 Oct 1997 07:23:32 -0800 (PST) (envelope-from Hetzels@aol.com)
From: Hetzels@aol.com
Received: (from root@localhost) by mrin42.mail.aol.com (8.8.5/8.7.3/AOL-2.0.0) id KAA10107; Wed, 29 Oct 1997 10:23:01 -0500 (EST)
Date: Wed, 29 Oct 1997 10:23:01 -0500 (EST)
Message-ID: <971029102300_1311894685@mrin42.mail.aol.com>
To: marcs@znep.com, freebsd-ports@hub.freebsd.org
Subject: Re: ports/4878: Apache w/FrontPage Module Port
Sender: owner-freebsd-ports@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In a message dated 97-10-28 17:02:47 EST, marcs@znep.com writes:

> I have said this before and I will say this again: this is a damn big
> security hole and must not be done. If you install this port, anyone can
> get root on the system you install it on without any effort. This is not
> acceptable.
>
> Microsoft includes patches for Apache and a program called fpexe for this
> very reason. While I don't particularly recommend them (although the new
> fixed version seems reasonable; haven't had time to look at it fully yet
> though), they are a _LOT_ better than giving everyone instant root on the
> server.
>

This port uses the FrontPage Module & the fpexe program. When I looked through the code both the Module & fpexe look at the uid & gid, if the uid is < 11 or gid < 21 then the call is rejected. Also, the program checks if what is being called is admin.exe, author.exe, shtml.exe or fpcount.exe, if it is not one of these programs then the call is also rejected.

Where is the security hole?

Scot
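
The two checks described in the message above, written out as a stand-alone C sketch. This is an added example, not code from fpexe or the FrontPage module: the function names, the verdict enum, and the handling of path components and `..` are assumptions, and only the uid/gid thresholds and the four program names come from the message.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Thresholds and program names as stated in the message. */
#define MIN_UID 11u
#define MIN_GID 21u

static const char *const allowed_programs[] = {
    "admin.exe", "author.exe", "shtml.exe", "fpcount.exe"
};

/* Hypothetical verdict codes, introduced for this example only. */
enum call_verdict { CALL_OK = 0, CALL_BAD_ID, CALL_BAD_PROGRAM };

/* Assumption: only the final path component is compared, and any path
 * containing ".." is refused outright rather than normalised. */
static const char *final_component(const char *path)
{
    const char *slash;

    if (path == NULL || *path == '\0' || strstr(path, "..") != NULL)
        return NULL;
    slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Reject low uids/gids first, then require an exact allowlist match. */
enum call_verdict check_call(uid_t uid, gid_t gid, const char *program_path)
{
    const char *name;
    size_t i;

    if (uid < MIN_UID || gid < MIN_GID)
        return CALL_BAD_ID;
    name = final_component(program_path);
    if (name == NULL)
        return CALL_BAD_PROGRAM;
    for (i = 0; i < sizeof allowed_programs / sizeof allowed_programs[0]; i++)
        if (strcmp(name, allowed_programs[i]) == 0)
            return CALL_OK;
    return CALL_BAD_PROGRAM;
}

int main(void)
{
    /* Constructed sample calls; the path is a placeholder. */
    printf("%d\n", check_call(1000, 1000, "/constructed/path/author.exe"));
    printf("%d\n", check_call(0, 0, "author.exe"));
    printf("%d\n", check_call(1000, 1000, "/bin/sh"));
    return 0;
}
```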