Date:      Sat, 2 Jan 1999 22:29:35 -0500 (EST)
From:      Barrett Richardson <terbart@aye.net>
To:        Erick Baum <cc@gvn.net>
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: FrontPage Extensions
Message-ID:  <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>
In-Reply-To: <002001be369c$239ad3e0$098a3fd1@ws1.gvn.net>



On Sat, 2 Jan 1999, Erick Baum wrote:

> I've seen some previous posts about the FrontPage Extensions for FreeBSD
> opening up some major security holes.  Can someone tell me what kind of
> security issues they are?
> 
> Also, I have been having trouble getting the extensions to work on FreeBSD
> 2.2.6.  Does anyone know if there is something special I have to do?
> 
> Any input is appreciated.  Thanks.
> 
> -Erick
>

I was digging through the frontpage module and discovered that it wants
a geteuid() == 0 before it will launch any of the cgi's that will
do glorious things for your users. The cgi's end up running on
behalf of a user, but the mechanism (as much of it as I understand)
that makes that happen leaves opportunity for problems. The module
checks the ownership of a "webroot" directory (appears to be the
document root from the little I've seen thus far) and compares
it to the ownership of /_vti_pvt and sees if they match. If they
do, environment variables FPUID and FPGID are set to the uid and
gid of these directories. A suid wrapper, fpexe, sets its
uid and gid based on FPUID and FPGID that it inherited from the
webserver. The wrapper, fpexe, only can run a predetermined set
of progs (the suite of frontpage stuff). From what little info
I have found, the cgi scripts then authenticate the user it is
already running as from some info stashed away in some *.pwd
files. I found no authentication in the frontpage module or
in fpexe.c.

From the information I have about how it operates, I don't
understand why the server must be run as root. Also I don't
understand how the frontpage cgi's could authenticate from
files with safe permissions if they are indeed being run
from a wrapper which sets appropriate uid/gid before launching
them. I found a recent posting in -security that mentioned
that the authentication files must be readable by the
uid of the webserver -- but still, if the cgi scripts
authenticate themselves and a suid wrapper sets their
uid/gid, the uid of the webserver should be out of the
picture.

I'm thinking of using it by putting some authentication in
the wrapper (via a cookie, I think, and use https) before
the setuid()/setgid() are done. At any rate, I wouldn't
dare use it as it is until I find some more definitive
information about how it authenticates.


-

Barrett
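The mechanism Barrett describes (a web server exporting FPUID/FPGID into the environment, and a setuid wrapper that adopts those ids before launching a fixed set of programs) rests entirely on the wrapper trusting what it inherits. The sketch below is an added illustration written for this archive page; it is not FrontPage's fpexe.c, and the program names, the bin and web root directories and the sample ids are constructed placeholders. It shows the checks a launcher of that shape would make on its own before changing identity: strict parsing of the ids with uid 0 refused, an exact-match allowlist for the program name, the wrapper re-stating the web root directory against the requested uid/gid instead of believing the server's comparison, and a group-then-user privilege drop that is verified before anything is exec'd.

```c
/* Added illustration, not FrontPage's fpexe.c: the checks a setuid
 * launcher should make instead of trusting FPUID/FPGID as inherited.
 * PROG_DIR, WEBROOT_DIR and the program names are placeholders. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PROG_DIR    "/opt/example-cgi-bin"   /* placeholder */
#define WEBROOT_DIR "/opt/example-webroot"   /* placeholder, fixed in code, not taken from env */

/* Fixed allowlist of program names; anything else is refused. */
static const char *const allowed_programs[] = { "prog-a", "prog-b", NULL };

/* Strict decimal parse of an id: non-empty, digits only, no sign,
 * no trailing junk, and never 0 (the launched program must not be root). */
int parse_id(const char *s, long *out)
{
    char *end;
    long v;
    if (s == NULL || *s < '0' || *s > '9')
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0)
        return 0;
    *out = v;
    return 1;
}

/* Exact match against the allowlist; a '/' anywhere is rejected so a
 * traversal-style name never reaches exec. */
int program_allowed(const char *name)
{
    size_t i;
    if (name == NULL || strchr(name, '/') != NULL)
        return 0;
    for (i = 0; allowed_programs[i] != NULL; i++)
        if (strcmp(name, allowed_programs[i]) == 0)
            return 1;
    return 0;
}

/* The wrapper checks the web root itself: a directory, owned by exactly
 * the requested uid and gid, and not world-writable. */
int ownership_matches(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;
    if (dir == NULL || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_mode & S_IWOTH)
        return 0;
    return st.st_uid == uid && st.st_gid == gid;
}

/* Combined decision: *uid/*gid are filled only when every check passes. */
int launcher_check(const char *fpuid, const char *fpgid, const char *webroot,
                   const char *prog, uid_t *uid, gid_t *gid)
{
    long u, g;
    if (!parse_id(fpuid, &u) || !parse_id(fpgid, &g) || !program_allowed(prog))
        return 0;
    if (!ownership_matches(webroot, (uid_t)u, (gid_t)g))
        return 0;
    *uid = (uid_t)u;
    *gid = (gid_t)g;
    return 1;
}

/* Group first, then user, then verify; a partial drop must never be
 * followed by exec. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    char path[4096];
    const char *prog = argc > 1 ? argv[1] : NULL;
    if (!launcher_check(getenv("FPUID"), getenv("FPGID"), WEBROOT_DIR,
                        prog, &uid, &gid)) {
        fprintf(stderr, "launcher: request refused\n");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "launcher: cannot drop privileges\n");
        return 1;
    }
    snprintf(path, sizeof path, "%s/%s", PROG_DIR, prog);
    execl(path, prog, (char *)NULL);
    perror("execl");
    return 1;
}
```

The web root path is compiled in rather than read from the environment for the same reason the ids are re-validated: everything the server hands over is input, and the wrapper's decision about which identity to assume has to be reproducible from what the wrapper can verify itself.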



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990102214534.15431A-100000>