From owner-freebsd-ports Wed Oct 29 08:25:30 1997
Return-Path:
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id IAA25345
          for ports-outgoing; Wed, 29 Oct 1997 08:25:30 -0800 (PST)
          (envelope-from owner-freebsd-ports)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA25322;
          Wed, 29 Oct 1997 08:25:19 -0800 (PST)
          (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost)
          by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id JAA25105;
          Wed, 29 Oct 1997 09:23:32 -0700 (MST)
Received: from localhost (marcs@localhost)
          by alive.znep.com (8.7.5/8.7.3) with SMTP id JAA22491;
          Wed, 29 Oct 1997 09:28:04 -0700 (MST)
Date: Wed, 29 Oct 1997 09:28:04 -0700 (MST)
From: Marc Slemko
To: Hetzels@aol.com
cc: ports@freebsd.org, isp@freebsd.org
Subject: Re: Apache FrontPage Module Port Completed
In-Reply-To: <971029102701_817384728@mrin42.mail.aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Erm... this makes no sense now. It appears you are not doing what you said you would. You said you were having things run as www and you needed the new user so they could be writable. That is a hole. Looking further, it appears like you are not doing this.

If a user "www" exists, it has traditionally been used to run the server as. Using it for some different and obscure purpose will lead to trouble. Instead, you created this new user for no reason. Why is it necessary?

You say the extensions have to write to the config file and that users have to make their home directory world writable. That does not fit at all with using fpexe, so I assumed you were not and that (as you said) the config files had to be writable by FrontPage. It appears that is not the case.

The only thing I can figure out is that you are using Microsoft's install script and that it is broken and doesn't properly support fpexe; in that case, fix the script, don't create another user.

On Wed, 29 Oct 1997 Hetzels@aol.com wrote:

> In a message dated 97-10-28 18:04:18 EST, marcs@znep.com (Marc Slemko)
> writes:
>
> > And as I have said before and just said again in response to the PR
> > submitting the port, this port also gives anyone instant root on your
> > system. If that isn't desirable to you, I would suggest you hold off on
> > using this port right now.
> >
>
> It doesn't give instant root, as it checks for uid < 11 & gid < 21 and
> rejects them. Also, it will only run 4 programs (shtml.exe, fpcount.exe,
> author.exe, or admin.exe), but before it runs them, it will change to the
> owner of the directory that it is working in.
>
> Scot
>