From: "Scot W. Hetzel" <hetzels@westbend.net>
To:
Cc: "FreeBSD-ISP"
Subject: ports/4878: Apache w/FrontPage Module Port Update/Security Fix
Date: Thu, 23 Apr 1998 17:28:40 -0500

Please remove the following apache-fp port files from the /pub/FreeBSD/development/ports directory, as they are obsolete:

    apache-fp.port.tgz
    apache-fp_125.diff

The latest Apache-Fp port is v126.B and is currently located on ftp://ftp.freebsd.org/pub/FreeBSD/incoming:

    4878.apache-fp.126.b.tgz
    4878.apache-fp.126_126.b.diff

This version of the apache-fp port corrects the following problems:

1. More checks for correct DES installations.

2. Security fix for SUEXEC to allow fpexe to bypass it. When suexec+ was included starting with the v125.E port, suexec would run all user CGI programs as root, which would cause a major security violation.

Suexec+ was checking prog (argv[0]) = /usr/local/sbin/suexec against FRONTPAGE_EXE = /usr/local/frontpage/version3.0/apache-fp/_vti_bin/fpexe, which always resulted in a value >0 and would then execute any CGI program as root. This problem is now corrected. Instead of using prog, suexec now uses cmd (argv[3]) and checks if cmd = fpexe. If it does, it will then execute fpexe and no other commands.

Q. Should I change the uid to HTTPD_USER before I run fpexe? Currently, fpexe is executed with uid=root and gid=www when executed from suexec. The fpexe executable is suid, also.

To compile apache-fp with suexec support:

    make [build|install] -DSUEXEC [HTTPD_USER=]

NOTE: The default user suexec runs as is "www". So please check your httpd.conf file to determine the user your server is running as.

If there are no objections to the port, could somebody please submit it to the Ports Collection?

Thanks,

Scot W. Hetzel
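The argv[0]-versus-argv[3] mistake the post describes, reconstructed as an added example (this is not the port's suexec+ source; the argv layout user, group, command follows stock Apache suexec, and the "alice" invocations are constructed):

```c
#include <stdio.h>
#include <string.h>

/* Paths quoted in the post. */
#define SUEXEC_PATH   "/usr/local/sbin/suexec"
#define FRONTPAGE_EXE "/usr/local/frontpage/version3.0/apache-fp/_vti_bin/fpexe"

/* Reconstruction of the v125.E decision (not the port's source): argv[0]
 * is always the suexec binary, so strcmp() against FRONTPAGE_EXE is never
 * 0 (it is > 0, since 's' in "sbin" sorts after 'f' in "frontpage").
 * Treating that nonzero result as "this is fpexe" kept root for every CGI. */
static int is_fpexe_broken(int argc, char *const argv[])
{
    (void)argc;
    return strcmp(argv[0], FRONTPAGE_EXE) != 0;
}

/* Fix described in the post: test the command actually being launched,
 * argv[3] in the stock suexec calling convention (user, group, command),
 * and require exact equality with the fpexe path. */
static int is_fpexe_fixed(int argc, char *const argv[])
{
    return argc > 3 && strcmp(argv[3], FRONTPAGE_EXE) == 0;
}

/* Which account the wrapper would run the command under for a given check:
 * only fpexe is allowed to keep root; everything else gets the target user. */
static const char *effective_user(int (*is_fpexe)(int, char *const[]),
                                  int argc, char *const argv[])
{
    return is_fpexe(argc, argv) ? "root" : argv[1];
}

int main(void)
{
    /* Constructed sample invocations: the FrontPage helper and an ordinary user CGI. */
    char *const fp_argv[]  = { SUEXEC_PATH, "alice", "users", FRONTPAGE_EXE, NULL };
    char *const cgi_argv[] = { SUEXEC_PATH, "alice", "users",
                               "/home/alice/public_html/cgi-bin/counter.cgi", NULL };

    printf("fpexe : broken=%s fixed=%s\n",
           effective_user(is_fpexe_broken, 4, fp_argv),
           effective_user(is_fpexe_fixed, 4, fp_argv));
    printf("cgi   : broken=%s fixed=%s\n",
           effective_user(is_fpexe_broken, 4, cgi_argv),
           effective_user(is_fpexe_fixed, 4, cgi_argv));
    return 0;
}
```

With the broken check both rows print root; with the fixed check only the fpexe row does, and the user CGI is run as alice.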