Date: Sun, 3 Jan 1999 18:10:34 +1300
From: Joe Abley
To: Barrett Richardson
Cc: Erick Baum, freebsd-current@FreeBSD.ORG, jabley@clear.co.nz
Subject: Re: FrontPage Extensions
Message-ID: <19990103181034.A5354@clear.co.nz>
References: <002001be369c$239ad3e0$098a3fd1@ws1.gvn.net>

On Sat, Jan 02, 1999 at 10:29:35PM -0500, Barrett Richardson wrote:
>
> On Sat, 2 Jan 1999, Erick Baum wrote:
>
> > I've seen some previous posts about the FrontPage Extensions for FreeBSD
> > opening up some major security holes. Can someone tell me what kind of
> > security issues they are?
> >
> > Also, I have been having trouble getting the extensions to work on FreeBSD
> > 2.2.6. Does anyone know if there is something special I have to do?
> >
> > Any input is appreciated. Thanks.
> >
> > -Erick
> >
>
> I was digging thru the frontpage module and discovered that it wants
> a geteuid() == 0 before it will launch any of the cgi's that will
> do glorious things for your users. The cgi's end up running on
> behalf of a user, but the mechanism (as much of it as I understand)
> that makes that happen leaves opportunity for problems. The module
> checks the ownership of a "webroot" directory (appears to be the
> document root from the little I've seen thus far) and compares
> it to the ownership of /_vti_pvt and sees if they match. If they
> do, environment variables FPUID and FPGID are set to the uid and
> gid of these directories.
>
> [snip]

Check out Zeus Technology at http://www.zeus.co.uk/ - they have an
extremely fast and nice web server (with binaries available for
FreeBSD 2.2.x) and incorporate their own FrontPage hosting without
needing a lot (all?) of the nasty Microsoft bloat.

We use it for our professional hosting product, which includes
FrontPage support. It is very good.
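The ownership comparison described in the quoted message, written out as an added example; this is not code from the FrontPage module or from anyone in the thread. The function name fp_owner_check, the min_uid floor, and the symlink and write-permission checks are assumptions, added to show what a root-run launcher can verify before it trusts directory ownership to pick the uid and gid a CGI runs as.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 and fills uid/gid (the values the message
 * says end up in FPUID/FPGID) when every check passes, -1 otherwise. */
int fp_owner_check(const char *webroot, uid_t min_uid, uid_t *uid, gid_t *gid)
{
    char pvt[PATH_MAX];
    struct stat root_st, pvt_st;
    int n = snprintf(pvt, sizeof pvt, "%s/_vti_pvt", webroot);

    if (n < 0 || (size_t)n >= sizeof pvt)
        return -1;
    /* Assumption: lstat, so a symlink cannot stand in for either directory. */
    if (lstat(webroot, &root_st) != 0 || lstat(pvt, &pvt_st) != 0)
        return -1;
    if (!S_ISDIR(root_st.st_mode) || !S_ISDIR(pvt_st.st_mode))
        return -1;
    /* The comparison described in the message: the owners must match. */
    if (root_st.st_uid != pvt_st.st_uid || root_st.st_gid != pvt_st.st_gid)
        return -1;
    /* Assumption: a floor of 1 or more keeps root from ever being returned. */
    if (root_st.st_uid < min_uid)
        return -1;
    /* Assumption: refuse if group or others can write to either directory. */
    if ((root_st.st_mode | pvt_st.st_mode) & (S_IWGRP | S_IWOTH))
        return -1;
    *uid = root_st.st_uid;
    *gid = root_st.st_gid;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    /* 1000 is a constructed floor for ordinary accounts. */
    if (argc != 2 || fp_owner_check(argv[1], 1000, &uid, &gid) != 0) {
        fprintf(stderr, "refused (caller euid %ld)\n", (long)geteuid());
        return EXIT_FAILURE;
    }
    printf("FPUID=%ld FPGID=%ld\n", (long)uid, (long)gid);
    return EXIT_SUCCESS;
}
```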