Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/07/12 20:07:47 UTC

Re: User Root Frontpage Fun

> Tee hee.  Er, 1.2.1 won't allow "User root" either.
> 
> I seem to recall Cliff and I coming up with a solution for front page...
> but I forget what it was because I forget what the heck front page wants
> root for.

It wants root so users can reboot your machine when they wish... :-)



> Dean
> 
> On Fri, 11 Jul 1997, Mark J Cox wrote:
> 
> > I was digging around trying to find some reasons why Frontpage is a bad
> > idea and I came across this message sent to www-security about a year ago. 
> > 
> > I wonder how many web admins took the first option and added "User Root" 
> > to their config files?  I guess we'll find out when 1.3 is released and
> > it stops working :)
> > 
> > Mark
> > 
> > > Cc: www-security@ns2.rutgers.edu
> > > Subject: Re: Security aspects of Microsoft FrontPage server extensions? 
> > > Date: Thu, 08 Aug 1996 12:40:06 -0500
> > ...
> > >7. Here's a quote straight from the version 1.1 installation
> > >instructions under the section "Restarting the Server":
> > >
> > >    2. The FrontPage Server Extensions run under the server as a CGI
> > >    program.  In order for the FrontPage Server Extensions to send the
> > >    restart signal to the HTTP server, the server's CGI programs must run
> > >    under the same user account as the HTTP server itself.  Your choices
> > >    are:
> > >     
> > >    - Run both HTTP server and CGI scripts as root.  In this case, the
> > >      UserId (if CERN) or User (if NCSA or Apache) field in your httpd.conf
> > >      file should be set to root, and you should launch the server as root.
> > >      This scheme is not necessarily a good idea however; for maximum UNIX
> > >      security, as few things as possible should run as root.  See "Security
> > >      Issues" below for more details.
> > >     
> > >    - Run both HTTP server and CGI scripts as the FrontPage user.  In this
> > >      case, the UserId and User fields are ignored.  This is the best
> > >      scheme, but it will not work if your server runs on a protected port.



Re: FrontPage mod_alias fiddling

Posted by Brian Behlendorf <br...@organic.com>.
At 12:45 PM 7/13/97 +1100, Gary Wisniewski wrote:
>It annoys me that Microsoft advises you to hack up your
>existing Apache directives, rather than simply adding a module
>themselves.  So, I actually created a module called
>	mod_fpalias.c
>which makes this legal:
>	FpScriptAlias */bin webuser
>
>Essentially, I cleaned up Microsoft's hacks and put together
>a reasonable module which does the same thing. I don't like changing the
>meaning of existing directives.
>
>One of the *good* things about Microsoft's change is that,
>assuming you have it installed, FP no longer requires
>server restart (or Root privs) to have the extensions operate
>properly.  
>
>Would it be useful to create a doc page on FP extensions,
>and this sort of stuff, including mod_fpalias?

Definitely.  I'd be up for hosting the module in /dist/contrib, and having
a tutorial on "using FrontPage with Apache" on the apache web site; or if
hosted elsewhere, a semi-prominent link, say from related_projects.html.  

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org

Re: FrontPage mod_alias fiddling

Posted by Dean Gaudet <dg...@arctic.org>.
On Sun, 13 Jul 1997, Gary Wisniewski wrote:
> 	ScriptAlias */bin

Isn't this the same as:

<Location ~ ".*/bin/">
    SetHandler cgi-script
    Options +ExecCGI
</Location>

?

I guess Microsoft just lets people put the cgis right into the document
hierarchy.  But should you want to move them around, Alexei's latest
AliasMatch stuff can be combined with the above.

> But also adds
> 	ScriptAlias */bin webuser

And this could be implemented by the above and adding a module that checks
the ownership of a file.  In fact, such a module could be a good place to
deal with all of the various SymLinksIfOwnerBlahBlah hacks we've had float
around. 

Dean


FrontPage mod_alias fiddling

Posted by Gary Wisniewski <ga...@spidereye.com.au>.
Has anybody considered putting the FrontPage ScriptAlias
extensions into mod_alias.c?

Basically, when you get the newest FP extensions, it hacks
into the Apache sources during installation to allow things
like:
	ScriptAlias */bin
But also adds
	ScriptAlias */bin webuser

Essentially, in addition to adding the wildcards for ScriptAlias,
it also checks that cgi scripts are owned by "webuser" (or
any user, specifically) and refuses to run them otherwise.

It annoys me that Microsoft advises you to hack up your
existing Apache directives, rather than simply adding a module
themselves.  So, I actually created a module called
	mod_fpalias.c
which makes this legal:
	FpScriptAlias */bin webuser

Essentially, I cleaned up Microsoft's hacks and put together
a reasonable module which does the same thing. I don't like changing the
meaning of existing directives.

One of the *good* things about Microsoft's change is that,
assuming you have it installed, FP no longer requires
server restart (or Root privs) to have the extensions operate
properly.  

Would it be useful to create a doc page on FP extensions,
and this sort of stuff, including mod_fpalias, or perhaps
a modified mod_alias which does what Microsoft wants?

Opinions?

Gary


------------------------------
Gary Wisniewski
Spider Eye Studios Pty. Ltd., Australia, +61 3 9415 6700
[Formerly GUI Online Productions]
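
Added example, not part of the original messages and not the code of mod_fpalias or of Microsoft's patch: one way the owner check discussed in this thread (refuse to run a CGI unless it is owned by the named account, "webuser" above) could be written in C. The function and enum names are hypothetical, and refusing symlinks and group- or world-writable files is an assumption added here, not something the thread specifies.

```c
/* Added example: owner check a CGI launcher could apply before exec. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum cgi_verdict { CGI_OK = 0, CGI_NO_USER, CGI_OPEN_FAIL, CGI_NOT_FILE,
                   CGI_WRONG_OWNER, CGI_WRITABLE_BY_OTHERS };

/* Policy on an already-resolved uid (hypothetical helper name). */
enum cgi_verdict check_cgi_owner_uid(const char *path, uid_t want)
{
    struct stat st;
    enum cgi_verdict v = CGI_OK;
    /* O_NOFOLLOW refuses a symlink as the final path component, and
     * fstat() on the descriptor describes the file that was opened,
     * not whatever the path happens to name a moment later. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return CGI_OPEN_FAIL;
    if (fstat(fd, &st) != 0)
        v = CGI_OPEN_FAIL;
    else if (!S_ISREG(st.st_mode))
        v = CGI_NOT_FILE;
    else if (st.st_uid != want)
        v = CGI_WRONG_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        v = CGI_WRITABLE_BY_OTHERS; /* ownership means little if others can edit it */
    close(fd);
    return v;
}

/* Resolve the account name given in the directive, then apply the policy. */
enum cgi_verdict check_cgi_owner(const char *path, const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return CGI_NO_USER;
    return check_cgi_owner_uid(path, pw->pw_uid);
}
```

A launcher would run the script only on CGI_OK and log any other verdict together with the path.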