Frontpage suEXEC Hack
The suEXEC hack allows you to run the Frontpage Server Extensions under a dedicated user account for improved security. It requires knowing how to patch source code and compile programs.
The good news is that I now have this working almost perfectly and what problems remain appear to be MS/RTR's problems and there isn't that much that can be done about it. For me this is all working with Debian Linux 2.0.30 (I am considering downgrading to 2.0.29 to see if this helps as I keep hearing bad things about 2.0.30), Apache 1.2.1 and the latest version of the Frontpage Extensions as of July 15, 1997.
There are still some catches and I will describe them below and what can be done about them (as far as I know). As I have said on the previous page, a huge amount of thanks and gratitude go to Rick Franchuk for putting up the Frontpage Awareness Page and taking the time to email me about it, so I could get this whole Frontpage nightmare sorted out.
Below are the steps I went through to get it to work on my system:
- You must complete the steps on the basic Frontpage installation page up to step five.
- You need to download these files before you can even begin:
  - The sources for Apache
  - The modified suEXEC source (note, I believe that you can actually use the default suexec.c so long as you preload the libraries in the fake stub executables. I'll update this when I've had a chance to test it)
  - The Frontpage Script Alias Patch for Apache.
- Read carefully through the Apache documentation about suEXEC and the Read me file that comes with suEXEC+. All the suEXEC docs warn very strongly about modifying suexec.c because you may introduce extra security holes unintentionally. It looked okay to me, but then I wouldn't know a security bug if it jumped up and slapped me in the face :).
- Apply the Script Alias patch to the Apache sources (I had zero problems getting it to work with Apache 1.2.1) and compile Apache. Make sure you include support for any modules you will need to be able to load later. Install (and test) the Apache binary and make sure that your config files are suitably set up for a VirtualHost environment.
- Set up a VirtualHost for testing purposes and enable suEXEC in your httpd.conf configuration file for that VirtualHost.
- Install suexec+.c and suexec+.h into the Apache sources support directory as suexec.c and suexec.h and customize them to suit your setup (note, it fooled me the first time round, because I didn't notice that the Frontpage stuff in suexec+.h was commented out!)
- Compile and install suEXEC and install your new suexec binary to a directory of your choice. Make sure you remember to chown root suexec and chmod 4711 suexec or Apache will barf on you.
- Now comes the fun stuff. It turns out that a lot of the problems with Frontpage and the WPP Kit are due to the stub executables and their unreliable behaviour. For once, this is actually easy to overcome. The three stub executables (which are kept under the /usr/local/frontpage/version2.0/_vti_bin/ hierarchy) can be replaced with simple /bin/sh scripts that call the actual extension directory with all the parameters intact. Below is an example simple replacement stub executable for shtml.exe:

      #!/bin/sh
      # Pass every argument through unchanged ("$@" keeps arguments containing spaces intact)
      /usr/local/frontpage/version2.0/extensions/_vti_bin/shtml.exe "$@"

  You should replace the three stub executables with scripts similar to the one above (and make sure to chmod 755 them).
- Make sure that all the permissions were set correctly (where www is the user your web server runs as, and frontpage is the group you choose to run it as):

      chown -R www.frontpage /usr/local/frontpage
- Run the fp_install script to install the extensions into your test virtual host: www.frontpage-test.co.nz
- Make sure that the permissions are set correctly in the new web (where luser is the username of the person who will be editing the web pages via Frontpage, and frontpage is the name of the group you have put all of your Frontpage users into. Remember that the username must be unique for each person/virtual host or you lose many of the benefits that suEXEC provides.):

      chown -R luser.frontpage /var/web/www.frontpage-test.co.nz
- Run Frontpage 97 to see if it will work. Good luck!
Troubleshooting
Now you are going to have to debug it until it all works. This wasn't too hard for me with the aid of the log file provided by suEXEC and the Apache error log. I encountered three main problems when I was trying to get this to work the first time.
- Various small typos (made by me) while customizing the source code. Double check through everything you do to make sure that there are as few mistakes of this kind as possible.
- Various permissions problems. Make sure that everything under the DocumentRoot of the VirtualHost is owned by the correct user and group (they must match the User and Group directives for suEXEC). This is because suEXEC is fussy about the ownership and permissions of any programs that it will run. All the Frontpage stub executables must be owned (user and group) by the same person you enabled suEXEC for in your httpd.conf configuration file. You must also make sure that none of the stub executables have their SETUID bit set (if you chmod 0755 the file, that will remove the SETUID bit), or suEXEC will refuse to run them.
- I found that if I ran the fp_install script, the three stub executables under the DocumentRoot of the VirtualHost were all hardlinked together. I haven't yet had a chance to figure out why this is happening, but I have written a simple script to tidy up the VirtualHost DocumentRoot after you run fp_install. It's a simple little program I call fp_tidy and seems to do the trick for me. It will need to be slightly customized for your server, but it should be fairly obvious:

      #!/bin/sh
      # fp_tidy: tidy up the stub executables that fp_install leaves in a VirtualHost DocumentRoot
      # Require exactly two arguments and a non-empty owner
      if [ $# -ne 2 ] || [ -z "$2" ]; then
          printf '\nUsage: fp_tidy <Frontpage Virtual Host DocRoot> <owner>\n'
          printf 'Example: fp_tidy /var/web/nobody.co.nz larry\n\n'
          exit 1
      fi

      printf '\nTidying up New Frontpage Virtualhost in: %s\n' "$1"
      printf '\nRemoving munted stub executables . . .'
      rm -f "$1/_vti_bin/shtml.exe"
      rm -f "$1/_vti_bin/_vti_aut/author.exe"
      rm -f "$1/_vti_bin/_vti_adm/admin.exe"
      printf '\tdone.\n'

      # The replacement stubs must be put in place at this point (for example the
      # /bin/sh wrappers shown earlier); the script as given does not do this, and
      # the chmod calls below fail if the files are missing.
      printf 'Setting Permissions on stubs . . .'
      chmod 0755 "$1/_vti_bin/shtml.exe"
      chmod 0755 "$1/_vti_bin/_vti_aut/author.exe"
      chmod 0755 "$1/_vti_bin/_vti_adm/admin.exe"
      chown -R "$2.frontpage" "$1"
      printf '\t\tdone.\n\n'
- If all else fails, I recommend checking out the Frontpage Awareness Forum first, as it is frequented by many wise and wonderful people :).
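
The ownership, SETUID and hard-link conditions from the troubleshooting list can be checked mechanically before pointing Frontpage at the web. The script below is an added example, not part of the original page or of the Apache or Frontpage distributions; the helper names audit_stubs and break_hardlinks are hypothetical, and the stub paths are the three that fp_tidy handles.

```sh
#!/bin/sh
# Added example: check the Frontpage stubs in a VirtualHost DocumentRoot against
# the conditions described above (ownership, no SETUID/SETGID, no shared inode).
STUBS="_vti_bin/shtml.exe _vti_bin/_vti_aut/author.exe _vti_bin/_vti_adm/admin.exe"

# audit_stubs DOCROOT OWNER GROUP   (hypothetical helper)
# Prints one line per problem; the return status is the number of problems.
audit_stubs() {
    docroot=$1 owner=$2 group=$3 problems=0
    for rel in $STUBS; do
        f="$docroot/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; problems=$((problems + 1)); continue
        fi
        # find prints the path only when the test matches this file
        if [ -n "$(find "$f" -links +1)" ]; then
            echo "HARDLINK  $f"; problems=$((problems + 1))
        fi
        if [ -n "$(find "$f" \( -perm -4000 -o -perm -2000 \))" ]; then
            echo "SETID     $f"; problems=$((problems + 1))
        fi
        if [ -n "$(find "$f" \( ! -user "$owner" -o ! -group "$group" \))" ]; then
            echo "OWNER     $f"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# break_hardlinks DOCROOT   (hypothetical helper)
# Gives each stub its own inode by copying it and renaming the copy over it.
break_hardlinks() {
    for rel in $STUBS; do
        f="$1/$rel"
        [ -f "$f" ] || continue
        cp -p "$f" "$f.tmp.$$" && mv -f "$f.tmp.$$" "$f"
    done
}

# Stand-alone use: audit_stubs.sh /var/web/www.frontpage-test.co.nz luser frontpage
if [ "$#" -eq 3 ]; then
    audit_stubs "$@"
    exit $?
fi
```

A non-zero exit status means at least one stub would be rejected for one of the reasons listed above; each output line names the file and the condition it fails.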