Password problem in FrontPage 98

From: Dave Pifke (daveat_private)
Date: Fri Jan 09 1998 - 14:52:52 PST

    The Microsoft FrontPage server extensions store their configuration files
    underneath the document root for the web server.  In a multi-user
    configuration (i.e. an ISP), this is typically the public_html
    subdirectory of a user's home.
    
    One of the directories it creates for configuration information is
    '_vti_pvt', in which it creates a file 'service.pwd' containing
    username:cryptpw, one line per user.
    
    _vti_pvt is created 0775 and service.pwd is created 0664.  Removing
    group-write or world-read permissions breaks the extensions (you can no
    longer log in).
    
    The world-read setting is bad (let's hope most users don't use the same
    login password as they do for FrontPage, sigh), and the group-write is
    even worse (again I point to the typical ISP setup).  Since the cgi-bin
    programs execute setuid to the user the extensions belong to, there is no
    reason for them to be set this way.  I have a feeling Microsoft is simply
    sloppy in their use of open() flags.  (They had a problem with needing
    httpd.conf to be world-writable(!) that just recently got fixed.)
    
    I don't know the other implications of having _vti_pvt (and the other
    config files it contains) group-writable.  Because the software is setuid,
    it is quite possible that there's a way to compromise the accounts of
    anyone using FrontPage.
    
    This was tested against the latest version (3.0.2.1117) on an Apache
    server under Solaris.
    
    Basic understanding of UNIX file permissions should be a prerequisite to
    shoving software down ISPs' throats.
    
    
    --
    Dave Pifke, daveat_private
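
An audit for the permissions described in the message above, as an added example that is not part of the original post: it walks a document-root tree and reports every `_vti_pvt` directory, and each file inside it, that is group-writable or world-readable. The function names and the extra world-writable check are assumptions of this example.

```python
import os
import stat

# Permission bits the post calls out: group-write and world-read.
# World-write is flagged too (an assumption added by this example).
RISKY = {
    stat.S_IWGRP: "group-writable",
    stat.S_IROTH: "world-readable",
    stat.S_IWOTH: "world-writable",
}


def risky_bits(mode):
    """Return the names of the risky permission bits set in a st_mode value."""
    return [name for bit, name in RISKY.items() if mode & bit]


def audit_frontpage(root):
    """Walk root and report _vti_pvt directories, and the files directly
    inside them, that have a risky bit set.
    Returns a list of (path, octal mode string, [issue names])."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "_vti_pvt":
            continue
        targets = [dirpath] + [os.path.join(dirpath, f) for f in sorted(filenames)]
        for path in targets:
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            issues = risky_bits(st.st_mode)
            if issues:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), issues))
    return findings


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, issues in audit_frontpage(start):
        print(f"{mode:>8}  {path}  {', '.join(issues)}")
```

Pointed at the directory that holds user homes, it lists each affected `_vti_pvt` and `service.pwd` with its mode.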
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:35 PDT