Re: How to start Apache automatically with certificate?

On Thu, Aug 28, 2008 at 04:53:05PM -0500, William A. Rowe, Jr. wrote:
> Joseph S D Yao wrote:
> > On Thu, Aug 28, 2008 at 10:31:42AM -0300, Tan, Liao  wrote:
> >> Ok, ic I can simply remove the passphrase, and provided the new key be readable by root only, I should not have any security problems... is it simply remove it? or any other settings, configurations, re-installation?
> > 
> > It should not be owned by root, because you should not be running your
> > server as root.  You should be running your servers as some other user,
> > say, "apache", and so the uncloaked cert files should be stored as
> > read-only by "apache".
> 
> Yes, and the server should be *started* as root, User/Group modified to
> a limited access account (e.g. apache, or nobody), all system resources
> initially created and owned by root (e.g. logs/, certs etc), and the
> appropriate access control granted to the apache/nobody user (no write
> access to logs/, no read access to keys).
> 
> There are logs that are dynamically created, give your apache user write
> access to a logs/safe/ directory to put those into.  But the logs/ dir
> should never be modifiable by the apache user.  Similarly the certs dir
> should never be readable by the apache user.
> 
> If you start your server (e.g. launch it) from the 'apache' user account,
> it's impossible to keep the running server from manipulating the logs/
> directory etc, or accessing keys files, etc.


Sorry, yes, of course, it is almost always started [or re-started] as
root, and then chowns itself.  I was thinking that it read the cert
after the chown, but I don't remember with certainty.  I need to go
re-read the code anyway, I'll look next time so I can give a good cite
if this thread is still running.  ;-)


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@xxxxxxx - Joseph S. D. Yao
**
\*********************************************************************/
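The layout Rowe describes above (server started as root, User/Group dropped to a limited account, logs/ and certs/ owned by root, only logs/safe/ writable by the apache user), as an added example that is not part of the thread. It is a POSIX sh script; the ServerRoot path, the admin and apache user names, and the file names in the httpd.conf fragment are assumptions passed as parameters so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): apply and verify the ownership scheme
# William Rowe describes.  User names and paths are parameters so it can run
# without root; in production ADMIN is root and APACHE is the httpd.conf User.

owner_of() { ls -ld "$1" | awk '{ print $3 }'; }   # portable owner name

# True when PATH has ALL bits of OCTAL set (POSIX find -perm -MODE).
has_bits() { [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]; }

# setup_layout SERVERROOT ADMIN APACHE
setup_layout() {
    root=$1 admin=$2 apache=$3
    mkdir -p "$root/logs/safe" "$root/certs"
    chown "$admin" "$root" "$root/logs" "$root/certs"
    chmod 755 "$root" "$root/logs"   # apache user may read logs/, never write
    chmod 700 "$root/certs"          # apache user cannot list or read keys
    chown "$apache" "$root/logs/safe"
    chmod 750 "$root/logs/safe"      # the one place apache may create files
}

# check_layout SERVERROOT ADMIN APACHE -> 0 if the invariants hold, else 1
check_layout() {
    root=$1 admin=$2 apache=$3 rc=0
    [ "$(owner_of "$root/logs")" = "$admin" ]  || { echo "logs/ not owned by $admin"; rc=1; }
    [ "$(owner_of "$root/certs")" = "$admin" ] || { echo "certs/ not owned by $admin"; rc=1; }
    [ -d "$root/logs/safe" ] && [ "$(owner_of "$root/logs/safe")" = "$apache" ] \
        || { echo "logs/safe/ missing or not owned by $apache"; rc=1; }
    for bit in 020 002; do                  # group/other write on logs/
        has_bits "$root/logs" "$bit" && { echo "logs/ writable via bit $bit"; rc=1; }
    done
    for bit in 040 020 010 004 002 001; do  # any group/other access to certs/
        has_bits "$root/certs" "$bit" && { echo "certs/ exposed via bit $bit"; rc=1; }
    done
    return $rc
}

# httpd.conf directives that fit this layout (hypothetical file names).
# The root parent opens ErrorLog/CustomLog and reads the key before dropping to
# User/Group; only files created later by the apache user belong in logs/safe/.
conf_fragment() {
    cat <<'EOF'
User apache
Group apache
ErrorLog logs/error_log
CustomLog logs/access_log combined
SSLCertificateFile certs/server.crt
SSLCertificateKeyFile certs/server.key
EOF
}
```

Run `setup_layout /path/to/serverroot root apache` once as root, then `check_layout /path/to/serverroot root apache` from cron or a deploy script to catch permission drift.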

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

