Microsoft FrontPage 2000 Server Extensions Resource Kit

Security on UNIX


Apache Patch Security Strategy

The FrontPage Apache patch consists of two parts:

  • The FrontPage Apache module, which intercepts requests from the FrontPage client to the FrontPage Server Extensions executable files, performs security checks, and redirects the request to the fpexe stub program, which is set SUID to "root". Because each request is intercepted within the server itself, no script alias is required.
  • The fpexe program, which accepts authoring requests from the FrontPage Apache module, performs additional security validation, changes the user ID of the Web server process to the owner of the FrontPage-extended web being authored, and then invokes the central copy of FrontPage Server Extensions executable files.

 

Because the fpexe stub program must be set SUID to "root" in order for it to change user IDs of the Web server process to the owner of the web, numerous security checks are performed in order to prevent this stub program from being exploited. Checks are performed to validate the following:

  • Proper ownership and permissions are set for the fpexe stub program and its directory.
  • Proper ownership and permissions are set for the server extensions executable files and their directories.
  • The Web content area being authored has a valid user ID.
  • The Web content area being authored has a valid group ID.
  • Only the FrontPage Server Extensions CGI executable files are being executed, not other CGI scripts on the system.
  • The environment variables (including the path) are cleaned and passed only if the variable is on a preselected, approved list.
  • FrontPage Server Extensions executable files are being invoked only by the Web server.
  • A 128-byte key value that is dynamically generated when the Web server process is initialized is passed to the fpexe program and validated, ensuring that only the Web server is able to run fpexe.

 

The 128-byte key value is generated dynamically when the Web server is initialized, and stored for validation purposes in a suidkey.* file. This file can be read and written only by "root" and is stored in a directory that is readable only by "root." The suidkey.* file can be written with root-only permissions because the Web server process runs as "root" during initialization, and will not switch to another user ID (such as "www") until after initialization is complete. The suidkey.* filename suffix is the process group ID of the Web server.

The contents of this dynamic key value are generated during Web server initialization based on a permutation of the output of the process status (ps) command, and are then XOR'ed with the contents of an administrator-controlled custom key file stored in /usr/local/frontpage/version4.0/apache-fp/suidkey. This custom key file must exist, be owned and readable only by "root," and contain at least 8 bytes of data.

As part of your server's maintenance, change the contents of the custom key file regularly when restarting the server. This will protect the key value.

When a request is processed by the FrontPage Apache module to invoke the FrontPage Server Extensions executable files, the module performs preliminary validation of the request and redirects the request to the fpexe stub program. The 128-byte key value generated when the server was initialized is passed to fpexe through a pipe and thus is not visible in the program environment. The 128-byte key value is read by fpexe from the pipe, and then compared to the contents of the dynamically generated suidkey.* file that was created when the Web server was initialized. Since the user ID of fpexe is set to "root," it is capable of accessing the contents of the suidkey.* file. Assuming that the suidkey.* file still has correct permissions (readable only by "root" in a directory readable only by "root"), and assuming that the 128-byte key value matches, then fpexe performs additional checks to validate the user ID, group ID, and ownership of the target FrontPage Server Extensions executable files.

If all checks pass, then fpexe switches the user and group IDs of the server process to those of the Web content owner, and then runs the FrontPage Server Extensions executable files. If any of these checks fail, an error is written to the Web server log and the server extensions are not run.
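The key check described above can be sketched as follows. This is an added example, not Microsoft's fpexe source: the function names are hypothetical, the struct stat values are assumed to come from fstat() on the already-opened suidkey.* file and its directory, and the constant-time comparison is a choice made here, since the page does not say how fpexe compares the two keys.

```c
#define _DEFAULT_SOURCE /* exposes S_IFDIR/S_IFREG under strict -std modes */
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define KEY_LEN 128 /* key size stated on the page */

/* Owned by root and no group/other permission bits at all. */
int root_only(const struct stat *st) {
    return st->st_uid == 0 && (st->st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Pipes can return short reads: loop until exactly n bytes or fail. */
int read_full(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return 0; /* error, or EOF before a full key arrived */
        got += (size_t)r;
    }
    return 1;
}

/* No early exit: timing does not reveal where the keys differ (added choice). */
int key_equal(const unsigned char *a, const unsigned char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Fail closed: check key-file and directory metadata first, then the key. */
int validate_request(int pipe_fd, const struct stat *dir_st,
                     const struct stat *file_st, const unsigned char *stored) {
    unsigned char presented[KEY_LEN];
    if (!S_ISDIR(dir_st->st_mode) || !root_only(dir_st)) return 0;
    if (!S_ISREG(file_st->st_mode) || !root_only(file_st)) return 0;
    if (!read_full(pipe_fd, presented, KEY_LEN)) return 0;
    return key_equal(presented, stored);
}

int main(void) { /* constructed demo: uid 0 metadata, key sent over a pipe */
    unsigned char key[KEY_LEN];
    struct stat d = {.st_mode = S_IFDIR | 0700}, f = {.st_mode = S_IFREG | 0600};
    int p[2];
    memset(key, 0xA5, sizeof key); /* constructed sample key */
    if (pipe(p) != 0 || write(p[1], key, KEY_LEN) != KEY_LEN) return 2;
    return validate_request(p[0], &d, &f, key) ? 0 : 1;
}
```

A truncated key, a single differing byte, or a key file with any group or other permission bit set all return 0, which corresponds to the "error is logged and the server extensions are not run" outcome.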

Note that the FrontPage Apache module's security checks do not replace the Web server's .htaccess file security system. Both systems work together to ensure security for the FrontPage-extended web. The Web server's .htaccess security protects remote access to the Web content by validating that the user of the FrontPage Server Extensions is a registered site visitor, author, or administrator of the web. In addition to this normal level of security checking, the FrontPage Apache module's security checks ensure that the fpexe program is not used to gain unauthorized root access to the Web server.

Because programs with user ID set to "root" are of concern to server administrators, Microsoft makes the source code of the FrontPage Apache module and the fpexe stub program available for review. The latest source code is contained in the FrontPage 2000 Server Extensions download kit. The source code is extensively commented with an explanation of the checks that are performed and recovery actions that you should take if an error denoting an insecure configuration is logged by the FrontPage Apache module or fpexe.

 
  Last Updated June 1999
©1999 Microsoft Corporation. All rights reserved.