Joseph S D Yao wrote:

> On Thu, Aug 28, 2008 at 05:42:59PM -0400, Eric Covener wrote:
>> ...root-owned private key sure sounds wiser to me....
>
> Tell me three good reasons why. Bad ones don't count.

I owe you one and that's all my time you'll waste.

A root-owned private key with perms 400 is going to be visible to a CGI if you are foolish enough to make it readable. And once there, any trivial MITM or DNS hole is going to allow your users to impersonate your business.

If starting as root and changing to the apache/nobody user, that key will not be visible if there's a local code execution vulnerability.

Please folks, treat Yao's security advice with the appropriate caution.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
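The reply above rests on two points: the key file's ownership and mode decide whether the account the server drops to (and therefore any CGI or local code execution running as that account) can read it, and the server should load the key while still root and then drop privileges for good. The following is an added example, not code from the thread or from the Apache project: a pure check that evaluates an (owner, group, mode) triple against that rule using the classic owner/group/other read test, a wrapper that stats a real file, and a `drop_privileges` routine showing the setgroups/setgid/setuid ordering. The server uid/gid of 33 used in the sample is an assumption, not something the thread states.

```python
"""Added example (not from the Apache users-list thread): audit a TLS private
key's ownership and mode against the rule in the reply above, and show the
start-as-root / read key / drop-privileges sequence that keeps the key out of
reach of the unprivileged server account."""
import os
import stat

ROOT_UID = 0


def unix_readable(owner_uid, owner_gid, mode, uid, gid):
    """Classic discretionary-access rule: root reads anything; otherwise the
    owner bits, then the group bits, then the other bits apply (first match
    wins, so an owner with no read bit is refused even if 'other' may read)."""
    if uid == ROOT_UID:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def evaluate_key_perms(owner_uid, owner_gid, mode, unpriv_uid, unpriv_gid):
    """Pure check on (owner, group, mode) of a private key.

    Returns a list of findings; an empty list means the key matches the
    thread's recommendation: root-owned, mode 0400, and not readable by the
    account the server drops to (so a CGI or local code execution running as
    that account cannot read it)."""
    findings = []
    if owner_uid != ROOT_UID:
        findings.append(f"owner uid {owner_uid} is not root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    if mode & (stat.S_IWUSR | stat.S_IXUSR):
        findings.append(f"mode {mode:04o} is wider than 0400")
    if unix_readable(owner_uid, owner_gid, mode, unpriv_uid, unpriv_gid):
        findings.append(f"key is readable by uid {unpriv_uid}")
    return findings


def audit_key_file(path, unpriv_uid, unpriv_gid):
    """Stat a real key file and run the pure check on it."""
    st = os.stat(path)
    return evaluate_key_perms(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                              unpriv_uid, unpriv_gid)


def drop_privileges(uid, gid):
    """Irreversibly switch from root to an unprivileged account.

    Order matters: supplementary groups and the gid are dropped first, because
    once the uid is no longer 0 those calls would be refused. After this, a
    file that is root:root 0400 raises PermissionError on open()."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() == ROOT_UID:
        raise RuntimeError("privilege drop failed")


if __name__ == "__main__":
    # Constructed sample values: the unprivileged server account is assumed
    # to be uid/gid 33 (a common www-data id); this is an assumption.
    WEB_UID, WEB_GID = 33, 33
    print(evaluate_key_perms(0, 0, 0o400, WEB_UID, WEB_GID))        # root 0400: []
    print(evaluate_key_perms(0, 0, 0o644, WEB_UID, WEB_GID))        # world-readable
    print(evaluate_key_perms(WEB_UID, WEB_GID, 0o400, WEB_UID, WEB_GID))  # owned by web user
    if os.getuid() == ROOT_UID:
        # Only meaningful when started as root: load the key here, then drop
        # privileges for the remaining lifetime of the process.
        drop_privileges(WEB_UID, WEB_GID)
        print("now running as uid", os.getuid())
```

Run it as an ordinary user to see the three audits; the privilege-drop branch only executes when started as root, which is the situation the reply describes. `audit_key_file` can be pointed at a real key path with the uid/gid of the account named in the server's `User`/`Group` directives to check a live installation.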