On Thu, Aug 28, 2008 at 10:31:42AM -0300, Tan, Liao wrote:
> Ok, ic I can simply remove the passphrase, and provided the new key be readable by root only, I should not have any security problems... is it simply remove it? or any other settings, configurations, re-installation?
>

It should not be owned by root, because you should not be running your server as root. You should be running your servers as some other user, say, "apache", and so the uncloaked cert files should be stored as read-only by "apache".

Nothing should ever be owned by or done as root. Nothing. Absolutely nothing. Ever. Unless you absolutely have to, and then it's still a good idea to stop and think how to do it without being root.

Why should nothing be owned by root? Because then manipulating it must be done by root. Why should nothing be done by root? Because you're human and are capable of making mistakes, such as:

    cd /
    rm -rf /tmp/cruftdir. *

and because people cracking into systems LOVE to find daemon processes running as "root", because then if they own that one daemon process, they own the whole system.

YES, there is a bare minimum of things that must run as root. The trick is to find out how to approach that bare minimum. No application daemons should be running as root.

--
/*********************************************************************\
**                                                                   **
**  Joe Yao                jsdy@xxxxxxx             - Joseph S. D. Yao  **
\*********************************************************************/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
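An audit check for the advice in the reply above, added here as an example and not part of the original thread: it verifies that an uncloaked key file belongs to the unprivileged service account (assumed to be "apache", as in the reply) and is readable by nobody else. It assumes GNU stat(1) and procps ps(1) on a Linux host.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumes GNU stat(1); the service account name is whatever the caller passes.

# key_perms_ok FILE USER
# Prints one finding per problem and returns 0 only if FILE exists, is owned
# by USER, and its mode grants no group or other access (e.g. 0400 or 0600).
key_perms_ok() {
    file=$1
    want_user=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    # stat prints e.g. "600", "4755" or just "0"; normalise to four octal
    # digits so the group/other test below works for every mode.
    mode=$(printf '%04o' "0$(stat -c '%a' "$file")")
    rc=0
    if [ "$owner" != "$want_user" ]; then
        echo "bad owner: $file is owned by $owner, expected $want_user"
        rc=1
    fi
    case "$mode" in
        *00) ;;   # group and other digits are both zero: good
        *)
            echo "too open: $file has mode $mode (group/other must be 0)"
            rc=1
            ;;
    esac
    return $rc
}

# daemon_users NAME
# Lists the distinct users running processes named NAME (procps ps), so an
# admin can see at a glance which, if any, application workers run as root.
daemon_users() {
    ps -C "$1" -o user= | sort -u
}

# Example invocation (hypothetical path and account): uncomment to run.
# key_perms_ok /etc/httpd/conf/server.key apache && echo "key permissions OK"
# daemon_users httpd
```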