From owner-freebsd-current Sat Jan 2 19:32:34 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA06571 for freebsd-current-outgoing; Sat, 2 Jan 1999 19:32:34 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA06565 for ; Sat, 2 Jan 1999 19:32:31 -0800 (PST) (envelope-from terbart@aye.net)
Received: (qmail 23438 invoked by uid 3185); 3 Jan 1999 03:29:35 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 3 Jan 1999 03:29:35 -0000
Date: Sat, 2 Jan 1999 22:29:35 -0500 (EST)
From: Barrett Richardson
To: Erick Baum
cc: freebsd-current@FreeBSD.ORG
Subject: Re: FrontPage Extensions
In-Reply-To: <002001be369c$239ad3e0$098a3fd1@ws1.gvn.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 2 Jan 1999, Erick Baum wrote:

> I've seen some previous posts about the FrontPage Extensions for FreeBSD
> opening up some major security holes. Can someone tell me what kind of
> security issues they are?
>
> Also, I have been having trouble getting the extensions to work on FreeBSD
> 2.2.6. Does anyone know if there is something special I have to do?
>
> Any input is appreciated. Thanks.
>
> -Erick
>

I was digging through the FrontPage module and discovered that it wants a
geteuid() == 0 before it will launch any of the cgi's that will do glorious
things for your users. The cgi's end up running on behalf of a user, but the
mechanism (as much of it as I understand) that makes that happen leaves
opportunity for problems.

The module checks the ownership of a "webroot" directory (appears to be the
document root from the little I've seen thus far) and compares it to the
ownership of /_vti_pvt and sees if they match. If they do, environment
variables FPUID and FPGID are set to the uid and gid of these directories.
A suid wrapper, fpexe, sets its uid and gid based on FPUID and FPGID that it
inherited from the webserver. The wrapper, fpexe, can only run a
predetermined set of progs (the suite of FrontPage stuff). From what little
info I have found, the cgi scripts then authenticate the user it is already
running as from some info stashed away in some *.pwd files. I found no
authentication in the FrontPage module or in fpexe.c.

From the information I have about how it operates, I don't understand why
the server must be run as root. Also I don't understand how the FrontPage
cgi's could authenticate from files with safe permissions if they are indeed
being run from a wrapper which sets appropriate uid/gid before launching
them. I found a recent posting in -security that mentioned that the
authentication files must be readable by the uid of the webserver -- but
still, if the cgi scripts authenticate themselves and a suid wrapper sets
their uid/gid, the uid of the webserver should be out of the picture.

I'm thinking of using it by putting some authentication in the wrapper (via
a cookie, I think, and use https) before the setuid()/setgid() are done. At
any rate, I wouldn't dare use it as it is until I find some more definitive
information about how it authenticates.

- Barrett

> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
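The uid/gid hand-off described in the mail above (a setuid-root wrapper that takes FPUID and FPGID from environment variables inherited from the web server, then calls setuid()/setgid() and runs a fixed set of programs) is exactly the kind of boundary a reviewer would want validated rather than trusted. The following C program is an added example written for this archive page; it is not fpexe's or the FrontPage module's code. Only the variable names FPUID and FPGID come from the mail; the functions parse_id, ids_match_owner and drop_to, and the idea of passing the webroot path as argv[1], are assumptions made for the illustration. It shows three defensive checks a wrapper of this shape should make: refuse non-numeric or root ids from the environment, re-check that the requested ids really match the owner of the directory being served instead of trusting the caller, and drop privileges in an order that cannot be undone, verifying the drop afterwards.

```c
/* Added example (not fpexe or the FrontPage module): a hardened sketch of a
 * setuid wrapper that takes its target uid/gid from FPUID/FPGID. */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse an id from an environment-style string. Rejects NULL, empty,
 * leading whitespace, trailing junk, negative, out-of-range and 0 (root):
 * an inherited variable must never be able to steer the wrapper to uid 0.
 * Returns the id, or -1 on rejection. */
long parse_id(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0 || v > INT_MAX)
        return -1;
    return v;
}

/* The mail says the module only sets FPUID/FPGID when the webroot and its
 * _vti_pvt directory share an owner. The wrapper should repeat that check
 * itself: the requested ids must match the actual owner of the directory it
 * is about to act on. Returns 1 on match, 0 on mismatch or not a directory,
 * -1 if the path cannot be stat'ed. */
int ids_match_owner(const char *dir, long uid, long gid)
{
    struct stat st;
    if (stat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    return (long)st.st_uid == uid && (long)st.st_gid == gid;
}

/* Drop privileges irrevocably: supplementary groups first, then gid, then
 * uid (once the uid is gone, groups can no longer be changed). Afterwards
 * confirm that root cannot be regained. Returns 0 on success, -1 on any
 * failure. Only meaningful when the process really runs with euid 0. */
int drop_to(long uid, long gid)
{
    if (uid <= 0 || gid <= 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid((gid_t)gid) != 0)
        return -1;
    if (setuid((uid_t)uid) != 0)
        return -1;
    /* If root can be regained, the drop was not permanent: refuse to go on. */
    if (setuid(0) == 0 || geteuid() != (uid_t)uid || getegid() != (gid_t)gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *webroot = argc > 1 ? argv[1] : "."; /* assumed: webroot as argv[1] */
    long uid = parse_id(getenv("FPUID"));
    long gid = parse_id(getenv("FPGID"));

    if (uid < 0 || gid < 0) {
        fprintf(stderr, "refusing: FPUID/FPGID missing, non-numeric or root\n");
        return 1;
    }
    if (ids_match_owner(webroot, uid, gid) != 1) {
        fprintf(stderr, "refusing: %s is not owned by %ld:%ld\n", webroot, uid, gid);
        return 1;
    }
    if (geteuid() != 0) {
        printf("not setuid-root; would drop to %ld:%ld\n", uid, gid);
        return 0;
    }
    if (drop_to(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed or was reversible\n");
        return 1;
    }
    printf("now running as %ld:%ld\n", uid, gid);
    return 0;
}
```

Run it as an unprivileged user with `FPUID=$(id -u) FPGID=$(id -g) ./wrapper /path/to/webroot` to exercise the parsing and ownership checks; the actual drop only happens when the binary is installed setuid root. The point of the ownership re-check is that the wrapper no longer depends on the web server having done the comparison correctly, which is the part of the mechanism the mail could not find authentication for.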