httpd-dev mailing list archives

From Gregory A Lundberg <lundb...@vr.net>
Subject Re: general/2270: Required Patches to Apache sources for FrontPage Module (fwd)
Date Tue, 26 May 1998 00:37:02 GMT

On Mon, 25 May 1998, Dean Gaudet wrote:

> This is only for the frontpage .exe files right?  i.e. the response is
> expected to be text/html anyhow... I mean, suexec can be used for
> arbitrary responses, so I really hope it doesn't send back text/html error
> stuff... it should only send back "Status: 500" I'd say.

Only for Frontpage AFAIK.  I'd hope most other packages will accept normal
status codes.  As I said, this will need to be configurable.

> I don't think the handle depletion bugs me too much... although it is
> hard to set up the filedescriptor for it portably.

I just don't see that it adds that much to the security for a reasonably
competent Unix machine owner.  But that's just me .. if there's enough
call for it I'd leave it in.  I do know there's a few complaints about it
on RtR's Frontpage support site.

> > Only one problem: this all depends upon having mod_auth, .htaccess files,
> > group and user (htpasswd) files.  What happens if one of these isn't
> > there?  Why we let _anyone_ .. that's right .. anyone in the world .. have
> > at our nice Frontpage (or whatever) CGIs.  That sucks raw eggs at MACH 9
> > through a straw doesn't it?  All this work making things secure and some
> > dumb user FTPs in and DELEtes his .htaccess file blowing it all away.  So
> > we need one last change: we need to be ABSOLUTELY SURE _this_ URL was
> > approved through mod_auth with a valid .htaccess and a valid password
> > challenge and response. 
> 
> Oh wow.

You can imagine what I said when I saw it.  I noticed it when a user did
an rdist() from a Linux gateway box to my web site where the rdist was
from a network (SMB) mounted share from an NT IIS Frontpage server.
Needless to say, it was surprising to see NT *.dll files and no .htaccess
or other Apache/Unix-port glue.

> It all sounds reasonable... although the suexec folks probably will
> want to chime in.  OK, so I'm not a windows user, and I've never used
> FrontPage.  I've always assumed it is just a glorified PUT mechanism
> done microsoft's way.  How does it differ from PUT?

It POSTs a double html document.  The first is the Frontpage description
for the document ( <docdir>/_vti_cnf/<docname> ) and the second is the
document itself ( <docdir>/<docname> ).  There's a bit of post-processing
possible for doc-to-doc references.  I think that's done in the Frontpage
client too, but I've not looked at it enough to be sure.  I know the
author.exe and fpsrvadm.exe (Unix command-line server admin tool) can
recalculate the entire web's cross-reference, just not what kicks that
process off.

> You see what I'd like to see is an add-on to apache which makes it
> trivial for admins to set up sites so that IE or Netscape users can
> easily create and edit documents/images/etc.  I'm not sure what are the
> best tools to make this happen though... on my own site I just force
> everyone to learn ftp, because I can't be bothered to learn all the rest
> of the stuff required.

My concern is Frontpage support right now..  I've not looked at what it
would take for other packages/methods.  I agree though that a clean add-on
for Netscape (does IE do page editing?) would be very nice.

----

Gregory A Lundberg		Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
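
The failure described in the message above, a user deleting the .htaccess that guards the FrontPage CGIs, can also be caught by auditing the document tree. This Python audit is an added example, not part of the original message and not Apache or FrontPage code; it assumes every directory holding *.exe CGIs carries its own .htaccess, and the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def parse_htaccess(path):
    """Flatten a .htaccess into {directive: argument}; <Limit> tags are skipped."""
    found = {}
    with open(path, encoding="latin-1") as fh:
        for line in map(str.strip, fh):
            if line and line[0] not in "#<":
                name, *rest = line.split(None, 1)
                found[name.lower()] = rest[0].strip('"') if rest else ""
    return found

def check_dir(dirpath):
    """Return None if mod_auth would challenge here, else why it would not."""
    ht = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(ht):
        return "no .htaccess"
    d = parse_htaccess(ht)
    needed = ["authtype", "authuserfile", "require"]
    if d.get("require", "").lower().startswith("group"):
        needed.append("authgroupfile")  # "require group" is useless without it
    missing = [k for k in needed if not d.get(k)]
    if missing:
        return "missing " + ",".join(missing)
    gone = [k for k in ("authuserfile", "authgroupfile") if k in d and not os.path.isfile(d[k])]
    return "file not found for " + ",".join(gone) if gone else None

def audit(docroot):
    """Map each directory holding *.exe CGIs to the reason it is exposed."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if any(f.lower().endswith(".exe") for f in files):
            reason = check_dir(dirpath)
            if reason:
                report[os.path.relpath(dirpath, docroot)] = reason
    return report

def demo():
    """Constructed tree: one protected CGI directory, one whose .htaccess is gone."""
    root = tempfile.mkdtemp()
    for sub in ("good", "bad"):
        os.makedirs(os.path.join(root, sub))
        open(os.path.join(root, sub, "author.exe"), "w").close()
    pw = os.path.join(root, "users.pwd")  # constructed stand-in for an htpasswd file
    open(pw, "w").close()
    with open(os.path.join(root, "good", ".htaccess"), "w") as fh:
        fh.write(f"AuthType Basic\nAuthUserFile {pw}\n<Limit POST>\nrequire valid-user\n</Limit>\n")
    return audit(root)
```

An audit like this only reports after the fact; the change proposed in the message is stricter, since it has the server refuse the request unless authentication actually took place.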

