/////////////////////////////////////////////////////////////////////////////
// Improved mod_frontpage                                                  //
// for Apache 1.3.x                                                        //
// v1.6 - Februar 03, 2002                                                 //
// Copyright (C) 2001 Christof Pohl <chripo+frontpage@edo.uni-dortmund.de> //
// APXS install by Jean-Michel Dault <jmdault@mandrakesoft.com             //
// Port to Frontpage 5.x by Martin Blapp <mbr@freebsd.org>                 //
/////////////////////////////////////////////////////////////////////////////
// WorldWideWeb: http://home.edo.uni-dortmund.de/~chripo                   //
// FTP: ftp://ftp.edo.uni-dortmund.de/pub/mod_frontpage                    //
/////////////////////////////////////////////////////////////////////////////

This product includes software developed by the Apache Group for use in the
Apache HTTP server project (http://www.apache.org/).



FEATURES
========


General Features of Improved mod_frontpage
------------------------------------------

* It works with any version of Apache 1.3.x.
* It improves your site's security by enforcing additional checks to ensure the
  FrontPage CGI programs can be run safely.
* It allows to use the FrontPage Server Extensions along with suEXEC (have
  a look at the Apache documentation <http://www.apache.org/docs/> for more
  information about suEXEC).
* It uses fewer system resources.
* Easy configuration with Apache's "configure" command.
* A detailed step-by-step installation guide for compiling and installing a
  FrontPage-extended Apache HTTP Server is included.
* Per-Server configuration allows to select which of your (virtual) servers are
  allowed to use the FrontPage Server Extensions.
* Compatible to the PHP Hypertext Preprocessor <http://www.php.net/> versions
  3.x and 4.x.
* Compatible to Ralf S. Engelschall's mod_ssl <http://www.modssl.org/>.
* Should be compatible with various other modules (e.g. mod_perl) available for
  the Apache HTTP Server.
* It supports the configuration of the fp-server via _vti_bin/_vti_adm/fpadmcgi.exe


Per-Server Configuration
------------------------

Improved mod_frontpage supplies a per-server configuration option which allows
you to determine which virtual servers the FrontPage Server Extensions are to be
enabled on.

Add the lines

    FrontpageDisable

or

    FrontpageEnable

to disable or enable the FrontPage Server Extensions on a per-server basis
(inside a <VirtualHost> section) or globally.

By default, the FrontPage Server Extensions are enabled on all servers.


Security Checks
---------------

Like the suEXEC module, several checks must be passed before the FrontPage
client request will be passed to the FrontPage CGI programs. These tests occur
in three phases:

Phase 1: Translation Phase
Phase 2: Handling Phase
Phase 3: fpEXEC Phase

The full tests performed are listed below.

Phase 1: Translation Phase

    * Improved mod_frontpage must be enabled on the server.
    * The URI must include one of the following strings:
        * /vti_bin/_vti_adm/admin.exe
        * /vti_bin/_vti_aut/author.exe
        * /vti_bin/fpcount.exe
        * /vti_bin/shtml.dll
        * /vti_bin/shtml.exe
      or the content handler must be application/x-httpd-frontpage.

Phase 2: Handling Phase

    * Improved mod_frontpage must be enabled on the server.
    * The translated filename must include on of the following strings:
        - /vti_bin/_vti_adm/admin.exe
        - /vti_bin/_vti_aut/author.exe
        - /vti_bin/fpcount.exe
        - /vti_bin/shtml.dll
        - /vti_bin/shtml.exe

    Notice: Some versions of the FrontPage client mistakenly use
    "/vti_bin/shtml.dll" instead of "/vti_bin/shtml.exe". Therefore the
    "/vti_bin/shtml.dll" call is assumed to actually be for
    "/vti_bin/shtml.exe".

    This bug was really fixed in fpexec.c in version 1.6


    * If the filename was one of:
        - /vti_bin/_vti_adm/admin.exe
        - /vti_bin/_vti_aut/author.exe
      the remote user must have been authenticated by some method. Basic
      authentication is the only method supported by the FrontPage clients
      from Microsoft.
    * The web root (the portion of the filename PRIOR to the matched strings)
      must:
        - exist,
        - be a directory,
        - be owned by a non-privileged user
        - NOT be writeable by group or others (world),
        - be executable (usable) by others (world).
    * The owner of the web root must exist (usually, in "/etc/passwd" and
      "/etc/group"). This determines the UID and GID the FrontPage extensions
      will run as.
    * The FrontPage Server Extensions must have been "installed" for this web.
      In the web root directory, the sub-directory _vti_pvt must:
        - exist,
        - be a directory,
        - be owned by the web root user and group,
        - NOT be writeable by group or others (world),
        - be executable (usable) by others (world).
    * The fpEXEC stub must:
        - exist, with the expected name (see mod_frontpage.h),
        - NOT be a symbolic link,
        - be owned by root,
        - be setuid,
        - NOT be writeable by group or others (world),
        - be executable by others (world),
        - be group-owned by root or NOT be setgid.


Phase 3: fpEXEC Phase

    * The fpEXEC stub must have been run by a user which exists (normally, in
      "/etc/passwd").
    * The fpEXEC stub must be been run by the user it expects to have run it;
      this is the anonymous web user set with the "User" directive in Apache's
      httpd.conf.

    Notice: As with suEXEC, execution of the FrontPage CGIs for virtual hosts
    fails, if the virtual host is running as some other user than the expected
    (anonymous) web user!

    * The requested program must be one of the following:
        - /vti_bin/_vti_adm/admin.exe
        - /vti_bin/_vti_aut/author.exe
        - /vti_bin/fpcount.exe
        - /vti_bin/shtml.exe
    * The FrontPage Server Extensions owning user and owning group must exist
      (normally, in "/etc/passwd" and "/etc/group").
    * The target user cannot be 0 (root) or any of the privileged users.
    * The target group cannot be 0 (root) or any of the privileged groups.
    * The web root must be the current working directory (cwd) on entry to the
      fpEXEC stub and must:
        - exist and be a directory,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * The web root must contain an access control file (normally ".htaccess"),
      which must:
        - exist and NOT be a symbolic link,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * The web root must contain a "_vti_bin" directory which must:
        - exist and be a directory,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * The "_vti_bin" directory must contain an access control file (normally
      ".htaccess"), which must:
        - exist and NOT be a symbolic link,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * If the target program is "author.exe"/"admin.exe", the "_vti_bin"
      directory must contain a "_vti_aut"/"_vti_adm" directory, which must:
        - exist and be a directory,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * The "_vti_aut"/" _vti_adm" directory, if checked, must contain an access
      control file (normally ".htaccess"), which must:
        - exist and NOT be a symbolic link,
        - NOT be writeable by group or others (world),
        - be owned by the same user/group as the target.
    * The directory containing the FrontPage CGI programs (normally
      "/usr/local/frontpage/version5.0/exes") must:
        - exist and be a directory,
        - NOT be writeable by group or others (world),
        - be owned by the expected FrontPage Server Extensions user and group.
    * The FrontPage CGI program about to be run must:
        - exist and NOT be a symbolic link,
        - NOT be writeable by group or others (world),
        - be owned by the FrontPage Server Extensions user and group,
        - be executable (usable) by others (world).
    * The environment passed to the FrontPage CGI program is cleaned to
      contain only known-safe values.
    * The umask is set to a safe value prior to executing the FrontPage CGI
      program. The FP_UMASK is used as the minimums; masked bits in effect for
      the Apache HTTP Server remain masked in the FrontPage CGI.
    * All errors and FrontPage CGI program runs are logged in a log file (just
      like suEXEC).


