Date: Thu, 23 Apr 1998 15:30:03 -0700 (PDT) From: "Scot W. Hetzel" <hetzels@westbend.net> To: freebsd-ports Subject: ports/4878: Apache w/FrontPage Module Port Update/Security Fix Message-ID: <199804232230.PAA09643@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/4878; it has been noted by GNATS. From: "Scot W. Hetzel" <hetzels@westbend.net> To: <freebsd-gnats-submit@freebsd.org> Cc: "FreeBSD-ISP" <FreeBSD-ISP@freebsd.org> Subject: ports/4878: Apache w/FrontPage Module Port Update/Security Fix Date: Thu, 23 Apr 1998 17:28:40 -0500 Please remove the following apache-fp ports files from the /pub/FreeBSD/development/ports directory as they are obsolete: apache-fp.port.tgz apache-fp_125.diff The latest Apache-Fp port is v126.B and is currently located on ftp://ftp.freebsd.org/pub/FreeBSD/incoming 4878.apache-fp.126.b.tgz 4878.apache-fp.126_126.b.diff This version of the apache-fp port corrects the following problems: 1. More checks for correct DES installations. 2. Security Fix for SUEXEC to allow fpexe to by pass it. When suexec+ was included starting with the v125.E port, suexec would run all user cgi programs as root. Which would cause a major security violation. Suexec+ was checking prog ( agrv[0] )= /usr/local/sbin/suexec against FRONTPAGE_EXE = /usr/local/frontpage/version3.0/apache-fp/_vti_bin/fpexe, which always resulted in a value >0 and would then execute any cgi program as root. This problem is now corrected. In stead of using prog, suexec now uses cmd ( argv[3]), and checks if cmd = fpexe. If it does it will then execute fpexe and no other commands. Q. Should I change the uid to HTTPD_USER before I run fpexe? Currently, fpexe is executed with uid=root and gid=www, when executed from suexec. The fpexe executable is suid, also. To compile apache-fp with suexec support: make [build|install] -DSUEXEC [HTTPD_USER=<UID Server Runs as>] NOTE: The default user suexec runs as is "www". So please check your httpd.conf file to determine the user your server is running as. If there are no objections to the port, could somebody please submit it to the Ports Collection? Thanks, Scot W. Hetzel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804232230.PAA09643>