Date: Mon, 11 Aug 1997 00:19:07 -0600 (MDT)
From: Marc Slemko
To: new-httpd@hyperreal.org
Subject: frontpage 98 server extensions

Hehe. fp98 betas are available now.

They say they don't support Apache 1.2; they support 1.1.3 and 2.0. I wish all these people with 2.0 would let us see a copy since it may speed it up a bit... Or is this just a part of Microsoft's hidden plot to take over Apache? Hmm.

Looking through the source, they now provide a mod_frontpage.

+CFLAGS=$(OPTIM) $(CFLAGS1) $(EXTRA_CFLAGS) -DSERVER_SUBVERSION='"FrontPage"'

Snicker.

Still playing with source:

- char *filename;
+ char *execfilename; /* physical filename to exec */
+ char *filename; /* logical filename to exec -- always the same
+ except for FrontPage CGI programs where we
+ will execute the CGI program in /usr/local/fr ontpage....
+ */

They now add a key written to disk, presumably to authenticate that the server is actually the one talking to the setuid program. I'm not qualified to comment on the cryptographic validity of their code except to say I don't like the looks of it.

They are using C++ comments in a C module.

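Review bot: In the hunk that replaces the single `filename` field with `execfilename` (physical) and `filename` (logical), the two values now differ exactly for FrontPage CGI programs, so every existing reader of `filename` needs to be audited for which of the two it means. Any ownership or permission check made before the exec should be made on `execfilename`, the path that is actually executed, since checking the logical name and then executing a different physical file is a check/use mismatch. The field comment should also state which handler sets `execfilename` and that it equals `filename` in all other cases, rather than trailing off at the install path.
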
They are now checking explicitly for frontpage-like CGI paths in their filename translation handler and have hardcoded translations. Guess this means you don't need a copy of all their CGI crap for each user.

They have a setuid binary that apparently checks to be sure it is being called from Apache using their key file before switching UIDs. No source. I don't trust it.

Uses the following ScriptAliases:

    ScriptAlias /~/_vti_bin/ /~/_vti_bin/
    ScriptAlias /~/_vti_bin/_vti_aut/ /~/_vti_bin/_vti_aut/
    ScriptAlias /~/_vti_bin/_vti_adm/ /~/_vti_bin/_vti_adm/

MS says:

    The FrontPage Server Extensions do not require root access at any time.

yea, they just need a program that they don't provide source for that is setuid root.

I may be taking a closer look at them later. At first glance, they look better than the old version but still darn scary...