[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Cobalt wishlist

Subject: Re: [cobalt-users] Cobalt wishlist
From: Chris Adams <cmadams@xxxxxxxxxx>
Date: Wed Apr 5 14:51:56 2000

Once upon a time, Will DeHaan <will@xxxxxxxxxx> said:
> Paul Schreiber wrote:
> > --- Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > > > You *are* aware that any site web can turn CGI and SSI back on at will
> > > > when they are turned off in the GUI by default...? (bu simply adding
> > > handlers
> > > > in .htaccess, unless you intentionally make it non readable to the user)
> > >
> > > There is a security hole here too (I reported it over a month ago and
> > > they said they are working on a fix, but they haven't released one yet).
> > >
> > > Part of the problem is that the wonderful FrontPage extensions require
> > > "AllowOverride All" in the web config file.
> > 
> > Report it to bugtraq. That'll get it fixed -real- fast. :-)
> 
> Oh please don't, we're testing multiple changes for Frontpage to fix
> this problem and I don't want to rush anything to you before it's well
> tested.

That's why I haven't pressed it.  The _last_ thing I want with the mess
that is FrontPage (I don't mean Cobalt's version, I mean FP in general)
is a "quick fix" to a problem.

> Frontpage site web content will undergoe an ownership change from httpd
> to nobody.  Group ownership as-is.  I'm trying out some other changes as
> well, like selectively enabling "AllowOverride All" to only sites
> regions with the FPX enabled.  Non-trivial, and a very hard change to
> make in the field on a live system without breaking frontpage services.

That is definately a tough one.  I think I have some users that have
added additional MIME types with AddType (like someone wanted .doc to be
application/ms-word or some such), and that requires AllowOverride
FileInfo to be set, which is where part of the problem comes from.  If
you want to go this way (which I would like because it is at least
somewhat more secure), maybe you could include an extra "user.types"
file (in /etc/httpd/conf included by httpd.conf) so that admins could
put extra AddType commands in it and they wouldn't be overwritten by an
Apache upgrade.

There may also be some users using mod_perl or avoiding cgiwrap with
.htaccess file entries.  I wouldn't consider that a supported
configuration though.

> So, inter-site frontpage web data access through shared user "httpd"
> access through .htaccess enabled scripting will be eliminated.  If
> possible we'll put the clamps down on AllowOverride.

If you look, FrontPage doesn't really _need_ AllowOverride All.  They do
just a couple of things: AuthConfig stuff and say "Options None" in a
few places (for no real good reason).  If the Options None part could be
removed from FrontPage (or maybe just make Apache ignore it if it isn't
allowed), then "AllowOverride AuthConfig Indexes Limit" should work
server-wide.  That would make things a lot more "controlled" and make me
feel a lot better.
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.

References:
- Re: [cobalt-users] Cobalt wishlist
  - From: Paul Schreiber
- Re: [cobalt-users] Cobalt wishlist
  - From: Will DeHaan

Prev by Date: Re: [cobalt-users] Cobalt wishlist
Next by Date: RE: [cobalt-users] Using Qube behind Cayman Router
Previous by thread: Re: [cobalt-users] Cobalt wishlist
Next by thread: RE: [cobalt-users] Cobalt wishlist

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index