I just looked into many FP problems (Apache on Linux box with lots of virutal hosts.) Here's the short story: the FP client does not do access control. Apache provides the access control. (Who would want to trust FP?) 1. A install of FP for a virtual host places the appropriate .htaccess and service.pwd and service.grp files. 2. The access control is to protect SUID executables which FP uses to make changes, updates, etc. Even if something were wrong with the .htaccess setup, the SUID executables would prevent making changes to other accounts or directories. (You do have separate UIDs for each virtual domain, don't you?) I'd like to get some answers to FP problems as well, but they don't have to do with security. Let me know if I misunderstood what you were explaining. Forrest J. Cavalier III, Mib Software Voice 570-992-8824 The Reuse RKT: Efficient awareness for software reuse: Free WWW site lists over 3000 of the most popular open source libraries, functions, and applications. http://www.mibsoftware.com/reuse/ [snip] > > We run apache web servers with FrontPage Extensions compiled in as a > module and have noticed that when using virtual hosts their is a huge > security issue. When using the "ServerAlias" directive on a virtual > domain, the alias will work fine on the web, however if you try to open > FrontPage and use the aliases name (and "list webs") the extensions will > display the servers root web, not the virtual root web. Usually this > wouldn't harm anything however I've found that if you try and open the > root web using the aliased domain it will use the aliased domain's > permissions and open the root web. [snip]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:04 PDT