httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject MS releases "fixed" FP98 Apache extensions
Date Wed, 22 Oct 1997 23:10:32 GMT
MS has released a new version.  I will comment more in a few days
after I have time to review them, but they look better from MS's
description.  Still downloading their massive tar file that shows
they don't know about links (after all, no real OS supports links...
something like tar certainly could never handle them.  It is too
old; "shortcuts" are an MS invention and nothing similar existed
before), since their link to the source on the web gives
a 404.

>From http://www.microsoft.com/frontpage/wpp/serk/install.htm#UNIX_ApachePatch :

  Because the fpexe stub program must be suid root to be able to
  change user IDs to the owner of the web, numerous security checks
  are performed in order to prevent this stub program from being used
  as a security hole. Checks are performed to validate:

      Proper ownership and permissions of the fpexe program and its directory 

      Proper ownership and permissions of the Server Extensions CGI
      executables and their directories

      The user ID of the web content area being authored 

      The group ID of the web content area being authored 

      That only the FrontPage Server Extensions CGI executables are
      being executed and not other CGI programs on the system

      That the environment variables are cleaned (including the PATH)
      and passed only if the variable is on a pre-selected approved
      list

      That a 128 byte key value that is dynamically generated when
      the web server process is initialized is passed to the fpexe
      program and validated, ensuring that only the web server is
      able to run fpexe.

  The 128 byte key value is generated dynamically when the web server
  is initialized and stored for validation purposes in a suidkey.*
  file that is readable and writeable only by root and is stored in
  a directory that is readable only by root.  The suidkey.* file can
  be written with root-only permissions because the web server process
  runs as root during initialization, and only switches to another
  user ID (such as "www") after initialization is completed.  The
  suidkey.* filename suffix is the process group ID of the web server.

  The contents of the dynamic key value are generated during web
  server initialization based on a permutation of the output of the
  process status (ps) command, and are then XOR'ed with the contents
  of an administrator-controlled custom key file stored in
  /usr/local/frontpage/currentversion/apache-fp/suidkey.  This custom
  key file must exist, be owned and readable only by root, and contain
  at least 8 bytes of data.  The contents of the custom key file
  should be changed regularly by the server administrator and the
  server restarted to protect the key value.

  When a request is processed by the FrontPage Apache module to invoke
  the FrontPage Server Extensions CGI executables, the module performs
  preliminary validation of the request and redirects the request to
  the fpexe stub program.  The 128-byte key value generated when the
  server was initialized is passed to fpexe through a pipe and thus
  is not visible in the program environment.  The 128-byte key value
  is read by fpexe from the pipe, and then compared to the contents
  of the dynamically generated suidkey.* file that was created when
  the web server was initialized.  Since fpexe is suid root it is
  capable of accessing the contents of the suidkey.* file.  Assuming
  that the suidkey.* file still has correct permissions (readable
  only by root in a directory readable only by root), and assuming
  that the 128 byte key value matches, then fpexe performs additional
  checks to validate the user ID, the group ID, and ownership of the
  target FrontPage Server Extensions CGI executables.  If all checks
  pass then fpexe switches the user and group IDs to that of the web
  content owner and then runs the FrontPage Server Extensions CGI
  executables.  If any of these checks fail, an error is written to
  the web server log and the Server Extensions are not run.


Mime
View raw message