From owner-freebsd-isp  Wed Dec 15 16:25: 5 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.westbend.net (ns1.westbend.net [209.224.254.131])
	by hub.freebsd.org (Postfix) with ESMTP id E79BB15605
	for <freebsd-isp@FreeBSD.ORG>; Wed, 15 Dec 1999 16:24:58 -0800 (PST)
	(envelope-from hetzels@westbend.net)
Received: from admin (admin.westbend.net [209.224.254.141])
	by mail.westbend.net (8.9.3/8.9.3) with SMTP id SAA54442;
	Wed, 15 Dec 1999 18:24:48 -0600 (CST)
	(envelope-from hetzels@westbend.net)
Message-ID: <012501bf475b$f6793d80$8dfee0d1@westbend.net>
From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Paul Stewart (Premier Networks)" <paul@premier-networks.com>
Cc: <freebsd-isp@FreeBSD.ORG>
References: <3857A643.ED37674B@premier-networks.com>
Subject: Re: Frontpage 2000 Security Problem
Date: Wed, 15 Dec 1999 18:24:47 -0600
Organization: West Bend Internet
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.3825.400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.3825.400
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: "Paul Stewart (Premier Networks)" <paul@premier-networks.com>
> We recently upgraded into FP2000 extensions.... everything works fine
> now except we just added a NEW site and the password is never required
> to access the site....
>

check the httpd.conf file and make sure you have:

<Directory /location/of/new/site>
:
AllowOverride AuthConfig Limit Indexes Options
:
</Directory

These are the minimal settings needed by the FP Exts in order for them to
function properly.  The FP2K documentation recommends setting AllowOverride
to ALL, but that gives users too much control (they can execute any program
they wish).

Also check the .htaccess file:

cat /location/of/new/site/.htaccess
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName [Website Name]
AuthUserFile /location/of/new/site/_vti_pvt/service.pwd
AuthGroupFile /location/of/new/site/_vti_pvt/service.grp

$ cat /location/of/new/site/_vti_pvt/service.pwd
# -FrontPage-
fpadmin:<DES encrypted Password>

$ cat /location/of/new/site/_vti_pvt/service.grp
# -FrontPage-
administrators: fpadmin <list of users granted administrator permission by
FP Client>
authors: <list of users granted author permissions by FP Client>

> I've checked sites that were present before and *most* of them use
> passwords fine... the odd one falls into the same category...
>
> I'm thinking of reinstalling the extensions but don't want to make
> matters worse... any help is much appreciated...:)
>

It's not a problem with the FP Extentsions as they don't do any user
authentication.  Instead they rely on the Apache Web Server to do the proper
access control for the web site.

> BTW, when I'm connected via the FP2000 client it shows the username etc.
> just don't know where it gets it from...
>
On the FP98 client, it remebers the last username used to log into a server.
It doesn't have to be the same name that you used to log into your Windows
system.  This could be what the FP2K client is doing, using the last logged
in user name that was stored in the registry.

Scot



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message