From owner-freebsd-current  Sat Jan  2 21:11:04 1999
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id VAA13110
          for freebsd-current-outgoing; Sat, 2 Jan 1999 21:11:04 -0800 (PST)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from fep2-orange.clear.net.nz (fep2-orange.clear.net.nz [203.97.32.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA13105
          for <freebsd-current@FreeBSD.ORG>; Sat, 2 Jan 1999 21:11:02 -0800 (PST)
          (envelope-from jabley@buddha.clear.net.nz)
Received: from buddha.clear.net.nz (buddha.clear.net.nz [192.168.24.106]) by fep2-orange.clear.net.nz (1.5/1.9) with ESMTP id SAA18818; Sun, 3 Jan 1999 18:10:35 +1300 (NZDT)
Received: (from jabley@localhost)
	by buddha.clear.net.nz (8.9.1/8.9.1) id SAA05373;
	Sun, 3 Jan 1999 18:10:34 +1300 (NZDT)
	(envelope-from jabley)
Date: Sun, 3 Jan 1999 18:10:34 +1300
From: Joe Abley <jabley@clear.co.nz>
To: Barrett Richardson <terbart@aye.net>
Cc: Erick Baum <cc@gvn.net>, freebsd-current@FreeBSD.ORG, jabley@clear.co.nz
Subject: Re: FrontPage Extensions
Message-ID: <19990103181034.A5354@clear.co.nz>
References: <002001be369c$239ad3e0$098a3fd1@ws1.gvn.net> <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>; from Barrett Richardson on Sat, Jan 02, 1999 at 10:29:35PM -0500
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Jan 02, 1999 at 10:29:35PM -0500, Barrett Richardson wrote:
> 
> On Sat, 2 Jan 1999, Erick Baum wrote:
> 
> > I've seen some previous posts about the FrontPage Extensions for FreeBSD
> > opening up some major security holes.  Can someone tell me what kind of
> > security issues they are?
> > 
> > Also, I have been having trouble getting the extensions to work on FreeBSD
> > 2.2.6.  Does anyone know if there is something special I have to do?
> > 
> > Any input is appreciated.  Thanks.
> > 
> > -Erick
> >
> 
> I was digging thru the frontpage module and discovered that it wants
> a geteuid() == 0 before it will launch any of the cgi's that will
> do glorious things for your users. The cgi's end up running on
> behalf of a user, but the mechanism (as much of it as I understand)
> that makes that happen leaves opportunity for problems. The module
> checks the ownership of a "webroot" directory (appears to be the
> document root from the little I've seen thus far) and compares
> it to the ownership of /_vti_pvt and sees if they match. If they
> do, environment variables FPUID and FPGID are set to the uid and
> gid of these directories.
>
> [snip]

Check out Zeus Technology at http://www.zeus.co.uk/ - they have an
extremely fast and nice web server (with binaries available for FreeBSD
2.2.x) and incorporate their own FrontPage hosting without needing a lot
(all?) of the nasty Microsoft bloat.

We use it for our professional hosting product, which includes FrontPage
support. It is very good.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message