Date: Wed, 15 Dec 1999 18:24:47 -0600
From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Paul Stewart (Premier Networks)" <paul@premier-networks.com>
Cc: <freebsd-isp@FreeBSD.ORG>
Subject: Re: Frontpage 2000 Security Problem
Message-ID: <012501bf475b$f6793d80$8dfee0d1@westbend.net>
References: <3857A643.ED37674B@premier-networks.com>

From: "Paul Stewart (Premier Networks)" <paul@premier-networks.com>
> We recently upgraded into FP2000 extensions.... everything works fine
> now except we just added a NEW site and the password is never required
> to access the site....
>

Check the httpd.conf file and make sure you have:

<Directory /location/of/new/site>
:
AllowOverride AuthConfig Limit Indexes Options
:
</Directory>

These are the minimal settings needed by the FP Exts in order for them to
function properly.  The FP2K documentation recommends setting AllowOverride
to ALL, but that gives users too much control (they can execute any program
they wish).

Also check the .htaccess file:

cat /location/of/new/site/.htaccess
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName [Website Name]
AuthUserFile /location/of/new/site/_vti_pvt/service.pwd
AuthGroupFile /location/of/new/site/_vti_pvt/service.grp

$ cat /location/of/new/site/_vti_pvt/service.pwd
# -FrontPage-
fpadmin:<DES encrypted Password>

$ cat /location/of/new/site/_vti_pvt/service.grp
# -FrontPage-
administrators: fpadmin <list of users granted administrator permission by FP Client>
authors: <list of users granted author permissions by FP Client>

> I've checked sites that were present before and *most* of them use
> passwords fine... the odd one falls into the same category...
>
> I'm thinking of reinstalling the extensions but don't want to make
> matters worse... any help is much appreciated...:)
>

It's not a problem with the FP Extensions as they don't do any user
authentication.  Instead they rely on the Apache Web Server to do the proper
access control for the web site.

> BTW, when I'm connected via the FP2000 client it shows the username etc.
> just don't know where it gets it from...
>

On the FP98 client, it remembers the last username used to log into a server.
It doesn't have to be the same name that you used to log into your Windows
system.  This could be what the FP2K client is doing, using the last logged
in user name that was stored in the registry.

Scot

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
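
The AllowOverride check described in the message above, as an added example that is not part of the original e-mail: it reads httpd.conf text and compares each <Directory> block with the minimal override set Scot lists. The function names, result labels and sample paths are assumptions made for illustration.

```python
import re

# Minimal override set the message says the FrontPage extensions need.
FP_MINIMAL = {"authconfig", "limit", "indexes", "options"}
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory\s*>", re.I)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I)

def classify(tokens):
    """Compare one AllowOverride argument list with FP_MINIMAL."""
    granted = {t.lower() for t in tokens}
    if "all" in granted:
        return "too-broad: All"           # all override groups are granted
    if "none" in granted:
        return "htaccess-ignored"         # .htaccess files are not read
    missing, extra = FP_MINIMAL - granted, granted - FP_MINIMAL
    if missing:
        return "missing: " + " ".join(sorted(missing))
    return "extra: " + " ".join(sorted(extra)) if extra else "minimal"

def audit_allowoverride(conf_text):
    """Map each <Directory> path to a finding; 'inherited' = no directive in block."""
    findings, current = {}, None
    for line in conf_text.splitlines():
        opened = DIR_OPEN.match(line)
        if opened:
            current = opened.group(1)
            findings[current] = "inherited"
        elif DIR_CLOSE.match(line):
            current = None
        elif current is not None and OVERRIDE.match(line):
            findings[current] = classify(OVERRIDE.match(line).group(1).split())
    return findings

# Constructed sample configuration (paths are made up for this example).
SAMPLE_CONF = """\
<Directory /www/site-a>
    AllowOverride AuthConfig Limit Indexes Options
</Directory>
<Directory "/www/site-b">
    AllowOverride All
</Directory>
<Directory /www/site-c>
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for path, finding in audit_allowoverride(SAMPLE_CONF).items():
        print(f"{path}: {finding}")
```

A block reported as "inherited" sets no AllowOverride itself, so its effective value comes from an enclosing scope and has to be checked there.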
