[ale] need advice on adding frontpage ext to Apache

Mike Fletcher fletch at phydeaux.org
Fri Dec 18 16:52:14 EST 1998


>>>>> "michael" == michael mcdermott <m at wroth.com> writes:

	First off, to correct myself on the 1.2 thing there does
appear to be an apache 1.3 version of the extension available.

    michael> Actually, no, it can run as any user, it is just
    michael> recommended that it run at higher permissions than the
    michael> webserver, we set up ours to run as the ftp user.

	Well, I poked around http://www.microsoft.com/FrontPage/wpp/SERK/
some and found the following quotes:

"The FrontPage Server Extensions do not require root access at any
time."

"Because the fpexe stub program must be suid root to be able to change 
user IDs to the owner of the web, ..."


	It appears that if you install their patch to apache you have
to run apache as root (BAD IDEA), and if you don't install their patch
you have to put suid copies of the fp executables in every user
accounts.  Not to mention it looks like their "random" numbers are
coming from some combination of XORing a key from a file (generated
from the output of ps at install time (and we all know that ps
generates random sequences of 8bit characters really well)) with some
combination of the time of day and munged output from:


"/bin/ps laxww | /usr/bin/sum ; /bin/ps laxww | /usr/bin/sum"


	At any rate, _I'M_ certainly never installing them on a
machine I run if I have any say it.

-- 
Fletch                |                                            __`'/|
fletch at phydeaux.org   |       "I drank what?" -- Socrates          \ o.O'
678 443-6239(w)       |                                            =(___)=
                      |                                               U






More information about the Ale mailing list