Frontpage suEXEC Hack
The suEXEC hack allows you to run the Frontpage Server Extensions under a dedicated user account for improved security. It requires knowing how to patch source code and compile programs.
The good news is that I now have this working almost perfectly and what problems remain appear to be MS/RTR's problems and there isn't that much that can be done about it. For me this is all working with Debian Linux 2.0.30 (I am considering downgrading to 2.0.29 to see if this helps as I keep hearing bad things about 2.0.30), Apache 1.2.1 and the latest version of the Frontpage Extensions as of July 15, 1997.
There are still some catches and I will describe them below and what can be done about them (as far as I know). As I have said on the previous page, a huge amount of thanks and gratitude go to Rick Franchuk for putting up the Frontpage Awareness Page and taking the time to email me about it, so I could get this whole Frontpage nightmare sorted out.
Below are the steps I went through to get it to work on my system:
- You must complete the steps on the basic Frontpage installation page up to step five.
- You need to download these files before you can even begin:
- Read carefully through the Apache documentation about suEXEC and the Read me file that comes with suEXEC+. All the suEXEC docs warn very strongly about modifying `suexec.c` because you may introduce extra security holes unintentionally. It looked okay to me, but then I wouldn't know a security bug if it jumped up and slapped me in the face :).
- Apply the Script Alias patch to the Apache sources (I had zero problems getting it to work with Apache 1.2.1) and compile Apache. Make sure you include support for any modules you will need to be able to load later. Install (and test) the Apache binary and make sure that your config files are suitably set up for a VirtualHost environment.
- Set up a VirtualHost for testing purposes and enable suEXEC in your `httpd.conf` configuration file for that VirtualHost.
- `suexec+.h` into the Apache sources `suexec.h` and customize them to suit your setup (note, it fooled me the first time round, because I didn't notice that the Frontpage stuff in `suexec+.h` was commented out!)
- Compile and install suEXEC and install your new `suexec` binary to a directory of your choice. Make sure you remember to `chown root suexec` and `chmod 4711 suexec` or Apache will barf on you.
- Now comes the fun stuff. It turns out that a lot of the problems with Frontpage and the WPP Kit are due to the stub executables and their unreliable behaviour. For once, this is actually easy to overcome. The three stub executables (which are kept under the `/usr/local/frontpage/version2.0/_vti_bin/` hierarchy) can be replaced with simple `/bin/sh` scripts that call the actual extension directory with all the parameters intact. Below is an example of a simple replacement stub executable for shtml.exe:

  ```sh
  #!/bin/sh
  # "$@" passes every argument through unchanged, even ones containing spaces
  exec /usr/local/frontpage/version2.0/extensions/_vti_bin/shtml.exe "$@"
  ```

  You should replace the three stub executables with scripts similar to the one above (and make sure to
- Make sure that all the permissions were set correctly (where `www` is the user your web server runs as, and `frontpage` is the group you choose to run it as):

  ```sh
  chown -R www:frontpage /usr/local/frontpage
  ```
- Run the `fp_install` script to install the extensions into your test virtual host:
- Make sure that the permissions are set correctly in the new web (where `luser` is the username of the person who will be editing the web pages via Frontpage, and `frontpage` is the name of the group you have put all of your Frontpage users into. Remember that the username must be unique for each person/virtual host or you lose many of the benefits that suEXEC provides.):

  ```sh
  chown -R luser:frontpage /var/web/www.frontpage-test.co.nz
  ```
- Run Frontpage 97 to see if it will work. Good luck!
Now you are going to have to debug it until it all works. This wasn't too hard for me with the aid of the log file provided by suEXEC and the Apache error log. I encountered three main problems when I was trying to get this to work the first time.
- Various small typos (made by me) while customizing the source code. Double check through everything you do to make sure that there are as few mistakes of this kind as possible.
- Various permissions problems. Make sure that everything under the `DocumentRoot` of the VirtualHost is owned by the correct user and group (they must match the `Group` directives for suEXEC). This is because suEXEC is fussy about the ownership and permissions of any programs that it will run. All the Frontpage stub executables must be owned (user and group) by the same person you enabled suEXEC for in your `httpd.conf` configuration file. You must also make sure that none of the stub executables have their SETUID bit set (if you `chmod 0755` the file that will remove the SETUID bit), or suEXEC will refuse to run them.
- I found that when I ran the `fp_install` script, the three stub executables under the DocumentRoot of the VirtualHost were all hardlinked together. I haven't yet had a chance to figure out why this is happening, but I have written a simple script to tidy up the VirtualHost `DocumentRoot` after you run `fp_install`. It's a simple little program I call `fp_tidy` and seems to do the trick for me. It will need to be slightly customized for your server, but it should be fairly obvious:

  ```sh
  #!/bin/sh
  # fp_tidy: tidy up a VirtualHost DocumentRoot after running fp_install.

  # Assumption: master copies of the replacement stub scripts live here, in
  # the same relative layout as in the DocumentRoot. Customize for your server.
  STUBS=/usr/local/frontpage/version2.0/_vti_bin

  # Require exactly two non-empty arguments.
  if [ $# -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
      printf '\nUsage: fp_tidy <Frontpage Virtual Host DocRoot> <owner>\n'
      printf 'Example: fp_tidy /var/web/nobody.co.nz larry\n\n'
      exit 1
  fi

  printf '\nTidying up New Frontpage Virtualhost in: %s\n' "$1"

  printf '\nRemoving munted stub executables . . .'
  rm -f "$1/_vti_bin/shtml.exe"
  rm -f "$1/_vti_bin/_vti_aut/author.exe"
  rm -f "$1/_vti_bin/_vti_adm/admin.exe"

  # Assumption: fresh copies come from $STUBS, so each DocumentRoot gets its
  # own files instead of shared hardlinks (chmod needs the files to exist).
  printf '\tdone.\nCopying in replacement stubs . . .'
  cp "$STUBS/shtml.exe" "$1/_vti_bin/shtml.exe"
  cp "$STUBS/_vti_aut/author.exe" "$1/_vti_bin/_vti_aut/author.exe"
  cp "$STUBS/_vti_adm/admin.exe" "$1/_vti_bin/_vti_adm/admin.exe"

  # 0755 also clears any SETUID bit, which suEXEC would reject.
  printf '\tdone.\nSetting Permissions on stubs . . .'
  chmod 0755 "$1/_vti_bin/shtml.exe"
  chmod 0755 "$1/_vti_bin/_vti_aut/author.exe"
  chmod 0755 "$1/_vti_bin/_vti_adm/admin.exe"
  chown -R "$2:frontpage" "$1"
  printf '\t\tdone.\n\n'
  ```
- If all else fails, I recommend checking out the Frontpage Awareness Forum first, as it is frequented by many wise and wonderful people :).
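
The ownership, SETUID and hardlink problems described in the list above can be checked in one pass before starting Frontpage 97. The script below is an added example, not part of the original page: `check_stubs` is a hypothetical helper name, and the stub paths are the ones `fp_tidy` operates on.

```sh
#!/bin/sh
# check_stubs DOCROOT OWNER GROUP
# Reports, for each Frontpage stub under DOCROOT, the conditions this page
# says cause trouble with suEXEC. Returns the number of problems found.

# Stub locations relative to the DocumentRoot, as used by fp_tidy.
STUBS="_vti_bin/shtml.exe _vti_bin/_vti_aut/author.exe _vti_bin/_vti_adm/admin.exe"

check_stubs() {
    docroot=$1 owner=$2 group=$3 problems=0
    for rel in $STUBS; do
        f="$docroot/$rel"
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "MISSING  $f"
            problems=$((problems + 1))
            continue
        fi
        # find prints the path only when every predicate matches.
        if [ -z "$(find "$f" -user "$owner" -group "$group" 2>/dev/null)" ]; then
            echo "OWNER    $f is not owned by $owner:$group"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$f" -perm -4000)" ]; then
            echo "SETUID   $f has the SETUID bit set (chmod 0755 clears it)"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$f" -links +1)" ]; then
            echo "HARDLINK $f shares its inode with another name"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run only when called with arguments, e.g.:
#   check_stubs.sh /var/web/www.frontpage-test.co.nz luser frontpage
if [ $# -eq 3 ]; then
    check_stubs "$@"
fi
```

An exit status of 0 means all three stubs passed; each reported line names the file and the condition to fix.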