===========================================================================
$NetBSD: MESSAGE,v 1.2 2005/09/28 14:24:39 rillig Exp $

0) IMPORTANT

mod_frontpage still has some security issues. Some buffer
overflows have been fixed, but because it depends on ENV[]
variables, a local user can still gain the UID of another user.
This is a design issue of the Microsoft FrontPage software.

Check carefully that the Makefile has FP_UID_MIN and
FP_GID_MIN set correctly. If security is very important
to you, you shouldn't run frontpage at all.

1) Check whether your httpd.conf includes a ResourceConfig
and an AccessConfig. If you do not have these files, you'll have
to add the lines below to make the frontpage extensions work
properly. These lines are commented out in a default config, so
you'll have to activate them again. If you have real
ResourceConfig and AccessConfig files, you can skip this part.

    ResourceConfig /dev/null
    AccessConfig /dev/null

2) You'll also need to change AllowOverride under
<Directory "${PREFIX}/www/data"> (or the place where you
moved your webservers) from None to at least:

    AllowOverride AuthConfig Limit Indexes Options

Don't use "AllowOverride All" if you have a server environment
with customers, since this can be a security risk. If you use
this, they can enable mod_php4 etc. themselves with .htaccess
files.

3) You can turn the extensions and the frontpage administration
on or off per site in httpd.conf and per virtual server.
FrontPageAdminDisable is the default if no option is given.

    FrontPageEnable        # Enable FP Extensions Client publish
    FrontPageDisable       # Disable FP Extensions Client publish
    FrontPageAdminEnable   # Enable FP Extensions Admin web site
    FrontPageAdminDisable  # Disable FP Extensions Admin web site

If no keyword options are present in the httpd.conf file, the
default of FrontPageDisable and FrontPageAdminDisable is used,
resulting in a working Apache environment where the complete
frontpage environment is disabled.

4) After you have made these changes, you'll have to execute:

    ${PREFIX}/frontpage/version5.0/fp_install.sh

to build the base apache/frontpage web site and to set up
frontpage users and admins. You can also run this to add
virtual hosts to the apache/frontpage system.

5) If you have installed the frontpage software in a PREFIX
other than "/usr/local", you have to create a symlink. Microsoft
has hardcoded the local path in their binaries. If you do not use
fp_install.sh, you have to create the link manually:

    ln -s ${PREFIX}/frontpage /usr/local/frontpage

If you didn't catch all of the above, try:

    pkg_info -D ap-frontpage | more

===========================================================================
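
A small audit of steps 1 to 3, as an added example that is not part of the package or of the original MESSAGE: it reads an httpd.conf on stdin and flags a missing or commented-out ResourceConfig/AccessConfig, "AllowOverride All", and any FrontPage enable directives. The function names, the sample config and its /usr/pkg path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the package): audit an httpd.conf read from
# stdin against steps 1-3 above. Prints findings; returns 1 on any WARN.

# Constructed sample config, used by the demo call at the bottom.
sample_conf() {
cat <<'EOF'
#ResourceConfig /dev/null
AccessConfig /dev/null
<Directory "/usr/pkg/www/data">
    AllowOverride All
</Directory>
<VirtualHost *:80>
    FrontPageEnable
</VirtualHost>
EOF
}

audit_fp_conf() {
    rc=0
    # Keep only active directives: strip indentation, drop comments/blanks.
    lines=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d')

    # Step 1: both directives must be present and not commented out.
    for d in ResourceConfig AccessConfig; do
        printf '%s\n' "$lines" | grep -Eiq "^$d[[:space:]]" ||
            { echo "WARN: $d missing or commented out"; rc=1; }
    done
    # Step 2: "AllowOverride All" lets customers' .htaccess files enable
    # anything, e.g. mod_php4.
    if printf '%s\n' "$lines" |
        grep -Eiq '^AllowOverride[[:space:]]+All([[:space:]]|$)'; then
        echo "WARN: AllowOverride All in use"; rc=1
    fi
    # Step 3: everything is disabled unless one of these is present.
    # Simplification: reported file-wide, not per virtual server.
    for d in FrontPageEnable FrontPageAdminEnable; do
        if printf '%s\n' "$lines" | grep -Eiq "^$d([[:space:]]|\$)"; then
            echo "INFO: $d present (overrides the disabled default)"
        fi
    done
    return $rc
}

sample_conf | audit_fp_conf || true
```

To check a real configuration, redirect your own httpd.conf into audit_fp_conf; a non-zero return means at least one WARN line was printed.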