Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1997/10/23 01:10:32 UTC
MS releases "fixed" FP98 Apache extensions
MS has released a new version. I will comment more in a few days
after I have time to review them, but they look better from MS's
description. Still downloading their massive tar file that shows
they don't know about links (after all, no real OS supports links...
something like tar certainly could never handle them. It is too
old; "shortcuts" are an MS invention and nothing similar existed
before), since their link to the source on the web gives
a 404.

From http://www.microsoft.com/frontpage/wpp/serk/install.htm#UNIX_ApachePatch :

Because the fpexe stub program must be suid root to be able to
change user IDs to the owner of the web, numerous security checks
are performed in order to prevent this stub program from being used
as a security hole. Checks are performed to validate:

  - Proper ownership and permissions of the fpexe program and its directory
  - Proper ownership and permissions of the Server Extensions CGI
    executables and their directories
  - The user ID of the web content area being authored
  - The group ID of the web content area being authored
  - That only the FrontPage Server Extensions CGI executables are
    being executed and not other CGI programs on the system
  - That the environment variables are cleaned (including the PATH)
    and passed only if the variable is on a pre-selected approved
    list
  - That a 128 byte key value that is dynamically generated when
    the web server process is initialized is passed to the fpexe
    program and validated, ensuring that only the web server is
    able to run fpexe.

The 128 byte key value is generated dynamically when the web server
is initialized and stored for validation purposes in a suidkey.*
file that is readable and writeable only by root and is stored in
a directory that is readable only by root. The suidkey.* file can
be written with root-only permissions because the web server process
runs as root during initialization, and only switches to another
user ID (such as "www") after initialization is completed. The
suidkey.* filename suffix is the process group ID of the web server.

The contents of the dynamic key value are generated during web
server initialization based on a permutation of the output of the
process status (ps) command, and are then XOR'ed with the contents
of an administrator-controlled custom key file stored in
/usr/local/frontpage/currentversion/apache-fp/suidkey. This custom
key file must exist, be owned and readable only by root, and contain
at least 8 bytes of data. The contents of the custom key file
should be changed regularly by the server administrator and the
server restarted to protect the key value.

When a request is processed by the FrontPage Apache module to invoke
the FrontPage Server Extensions CGI executables, the module performs
preliminary validation of the request and redirects the request to
the fpexe stub program. The 128-byte key value generated when the
server was initialized is passed to fpexe through a pipe and thus
is not visible in the program environment. The 128-byte key value
is read by fpexe from the pipe, and then compared to the contents
of the dynamically generated suidkey.* file that was created when
the web server was initialized. Since fpexe is suid root it is
capable of accessing the contents of the suidkey.* file. Assuming
that the suidkey.* file still has correct permissions (readable
only by root in a directory readable only by root), and assuming
that the 128 byte key value matches, then fpexe performs additional
checks to validate the user ID, the group ID, and ownership of the
target FrontPage Server Extensions CGI executables. If all checks
pass then fpexe switches the user and group IDs to that of the web
content owner and then runs the FrontPage Server Extensions CGI
executables. If any of these checks fail, an error is written to
the web server log and the Server Extensions are not run.
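
Added example, not part of the original message and not Microsoft's fpexe code: a sketch of the key check described in the quoted text, in which a stub reads 128 bytes from a pipe and compares them with a key file whose ownership and mode it verifies first. The function names and the owner parameter are assumptions made for illustration (a setuid-root stub would pass 0), and the check on the containing directory is left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define KEY_LEN 128  /* key size stated in the quoted description */

/* Read exactly n bytes from fd, tolerating short reads; 0 on success. */
static int read_exact(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) return -1;           /* EOF or error: fail closed */
        got += (size_t)r;
    }
    return 0;
}

/* Hypothetical helper: returns 0 only if key_path is a regular file owned by
 * `owner` with no group/other permission bits, holds exactly KEY_LEN bytes,
 * and those bytes equal the KEY_LEN bytes read from pipe_fd; -1 otherwise. */
int check_suid_key(int pipe_fd, const char *key_path, uid_t owner) {
    unsigned char from_pipe[KEY_LEN], on_disk[KEY_LEN];
    unsigned char diff = 0;
    struct stat st;
    int rc = -1;

    int fd = open(key_path, O_RDONLY | O_NOFOLLOW);   /* refuse symlinks */
    if (fd < 0) return -1;
    /* fstat the open descriptor so the checks and the read use the same inode */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 && st.st_size == KEY_LEN &&
        read_exact(fd, on_disk, KEY_LEN) == 0 &&
        read_exact(pipe_fd, from_pipe, KEY_LEN) == 0) {
        /* compare every byte: no early exit on the first mismatch */
        for (size_t i = 0; i < KEY_LEN; i++) diff |= from_pipe[i] ^ on_disk[i];
        rc = diff ? -1 : 0;
    }
    close(fd);
    return rc;
}
```

Checking the open descriptor with fstat, rather than the path with stat, keeps the file from being swapped between the permission check and the read.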