Date:      Sun, 3 Jan 1999 12:35:35 -0600
From:      "Scot W. Hetzel" <hetzels@westbend.net>
To:        "Barrett Richardson" <terbart@aye.net>, "Erick Baum" <cc@gvn.net>
Cc:        "FreeBSD-Current" <FreeBSD-Current@FreeBSD.ORG>
Subject:   Re: FrontPage Extensions
Message-ID:  <00ea01be374a$b11fa020$1acb2e9c@westbend.net>
References:  <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>

From: Barrett Richardson <terbart@aye.net>
> On Sat, 2 Jan 1999, Erick Baum wrote:
>
> > I've seen some previous posts about the FrontPage Extensions for FreeBSD
> > opening up some major security holes.  Can someone tell me what kind of
> > security issues they are?
> >
> > Also, I have been having trouble getting the extensions to work on
> > FreeBSD 2.2.6.  Does anyone know if there is something special I have
> > to do?
> >
> > Any input is appreciated.  Thanks.
> >
> > -Erick
> >
>
> I was digging thru the frontpage module and discovered that it wants
> a geteuid() == 0 before it will launch any of the cgi's that will
> do glorious things for your users. The cgi's end up running on
> behalf of a user, but the mechanism (as much of it as I understand)
> that makes that happen leaves opportunity for problems. The module
> checks the ownership of a "webroot" directory (appears to be the
> document root from the little I've seen thus far) and compares
> it to the ownership of /_vti_pvt and sees if they match. If they
> do, environment variables FPUID and FPGID are set to the uid and
> gid of these directories. A suid wrapper, fpexe, sets its
> uid and gid based on FPUID and FPGID that it inherited from the
> webserver. The wrapper, fpexe, only can run a predetermined set
> of progs (the suite of frontpage stuff). From what little info
> I have found, the cgi scripts then authenticate the user it is
> already running as from some info stashed away in some *.pwd
> files. I found no authentication in the frontpage module or
> in fpexe.c.
>



That is because the FP module uses the authentication methods of the Apache
Server.



> From the information I have about how it operates, I don't
> understand why the server must be run as root. Also I don't
> understand how the frontpage cgi's could authenticate from
> files with safe permissions if they are indeed being run
> from a wrapper which sets appropriate uid/gid before launching
> them. I found a recent posting in -security that mentioned
> that the authentication files must be readable by the
> uid of the webserver -- but still, if the cgi scripts
> authenticate themselves and a suid wrapper sets their
> uid/gid, the uid of the webserver should be out of the
> picture.



The uid of the server doesn't matter, I have my server running as user/group
www.



But the Apache server still needs to be able to read the contents of the
root/user/virtual webs so that it can send the proper file to the browser or
frontpage client.



>
> I'm thinking of using it by putting some authentication in
> the wrapper (via a cookie, I think, and use https) before
> the setuid()/setgid() are done. At any rate, I wouldn't
> dare use it as it is until I find some more definitive
> information about how it authenticates.
>
No need as authentication is done by the Apache server.

Also, if you are going to let users/virtual webs have access to the FP Exts,
it is best to install the suexec program to prevent any security holes from
users running their own CGI programs.  Currently, the FP Exts are run as CGI
scripts; without the "Options ExecCGI" added to the user/virtual web
Directory directive they will not run.

Scot
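
The thread describes a setuid wrapper that takes its target uid and gid from the FPUID and FPGID environment variables after an ownership comparison between the web root and its _vti_pvt directory. The following C sketch is an added example, not code from fpexe.c or the FrontPage module: it shows checks a wrapper of this kind can repeat for itself before calling setgid()/setuid(). The function names, the `dir_owner` struct and the `MIN_ID` floor are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MIN_ID 100UL   /* assumed floor: never switch to root or system ids */

struct dir_owner { uid_t uid; gid_t gid; int is_dir; };

/* Strict decimal parse of an id taken from the environment.
 * Rejects NULL, empty, signs, whitespace, trailing junk and overflow. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0x7fffffffUL)
        return -1;
    *out = v;
    return 0;
}

/* Look the directory up ourselves instead of trusting the caller;
 * lstat() means a symlink is reported as "not a directory". */
static int owner_of(const char *path, struct dir_owner *o)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    o->uid = st.st_uid; o->gid = st.st_gid; o->is_dir = S_ISDIR(st.st_mode);
    return 0;
}

/* 1 if the wrapper may switch to FPUID/FPGID, 0 otherwise.
 * root and pvt describe the web root and its _vti_pvt directory. */
static int target_ok(const char *fpuid, const char *fpgid,
                     const struct dir_owner *root, const struct dir_owner *pvt)
{
    unsigned long uid, gid;
    if (parse_id(fpuid, &uid) != 0 || parse_id(fpgid, &gid) != 0)
        return 0;
    if (uid < MIN_ID || gid < MIN_ID)
        return 0;
    if (!root->is_dir || !pvt->is_dir)
        return 0;
    return root->uid == (uid_t)uid && pvt->uid == (uid_t)uid &&
           root->gid == (gid_t)gid && pvt->gid == (gid_t)gid;
}
```

A wrapper would fill both `dir_owner` values with `owner_of()` and only proceed to drop privileges (group first, then user) when `target_ok()` returns 1.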



