Bugtraq mailing list archives

Re: FrontPage + Apache + FreeBSD


From: mibsoft () mibsoftware com (Forrest J. Cavalier III)
Date: Thu, 25 Mar 1999 21:34:27 -0400


I just looked into many FP problems (Apache on Linux box with
lots of virtual hosts.)

Here's the short story: the FP client does not do access control.
Apache provides the access control.  (Who would want to trust
FP?)

1. An install of FP for a virtual host places the appropriate
   .htaccess and service.pwd and service.grp files.

2. The access control is to protect SUID executables which FP
   uses to make changes, updates, etc.  Even if something
   were wrong with the .htaccess setup, the SUID executables
   would prevent making changes to other accounts or directories.

   (You do have separate UIDs for each virtual domain, don't you?)

I'd like to get some answers to FP problems as well, but they
don't have to do with security.

Let me know if I misunderstood what you were explaining.

Forrest J. Cavalier III, Mib Software  Voice 570-992-8824
The Reuse RKT: Efficient awareness for software reuse: Free WWW site
lists over 3000 of the most popular open source libraries, functions,
and applications.  http://www.mibsoftware.com/reuse/


[snip]

We run apache web servers with FrontPage Extensions compiled in as a
module and have noticed that when using virtual hosts there is a huge
security issue.  When using the "ServerAlias" directive on a virtual
domain, the alias will work fine on the web, however if you try to open
FrontPage and use the alias's name (and "list webs") the extensions will
display the server's root web, not the virtual root web.  Usually this
wouldn't harm anything however I've found that if you try and open the
root web using the aliased domain it will use the aliased domain's
permissions and open the root web.
[snip]


