httpd-dev mailing list archives

From Gregory A Lundberg <lundb...@vr.net>
Subject Re: general/2270: Required Patches to Apache sources for FrontPage Module (fwd)
Date Sun, 24 May 1998 15:59:28 GMT

On Sun, 24 May 1998, Ben Laurie wrote:

> Is this an Alias done the hard way?

Almost.  They just want an alias-done-the-hard-way that runs their badly
re-written version of suEXEC so it can only suEXEC the programs they say
it should.  It all looks like an attempt to work around IIS's problems on
Windows instead of realizing they're running Apache on Unix.

The only hard thing they're doing is aliasing/suEXEC'ing as the target
user where the directory structure exists (so you can .htaccess it) but
the program is somewhere else and owned by someone else.

In actual point of fact, what Frontpage needs _is_ a _very_ good idea. 
It's just the way they went about it that's dumb.  Here's what they want
to do:

~fpuser/public-html
	.htaccess
	*.html etc
	_vti_bin
		.htaccess
		_vti_aut
			.htaccess
		_vti_adm
			.htaccess
	_vti_pvt
		.htaccess
		services.cnf

/usr/local/frontpage/exes/_vti_bin
	shtml.exe
	_vti_aut
		author.exe
	_vti_adm
		admin.exe

When you get a URL for www.here.com/~fpuser/_vti_bin/shtml.exe or, in this
case, probably an SSI, they want the .htaccess in public-html and _vti_bin
to determine access, THEN they want the target aliased to the common
location (/usr/.../shtml.exe) and they want the suEXEC check to be against
some other file (~.../services.cnf) since the named target doesn't really
exist.

ISTM, if you carefully go through the bugdb, there's other requests to do
something like this in a more general way.  If there isn't, there should
be, it's a good idea.  Just not the way RtR did it, at least not without
someone who really understands Apache and the current modules involved. 

They used to do all this with a wild-card ScriptAlias patch but that
required -HUPing the server whenever you added a new FP user and that got
them a lot of complaints so they're trying a module to basically do the
same thing and, while they're at it, use something like suEXEC (a lot like
it if you remove the junk they added) to bump the security up a tad.

> Who are RtR?

Ready-to-Run Software is a Unix porting shop hired by Microsoft.
Frontpage was originally bought from someone called Vermeer (and still
shows that by the names of the files and the command protocol passed
through CGI).

----

Gregory A Lundberg		Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
