On Fri, Aug 29, 2008 at 2:05 AM, Joseph S D Yao <jsdy@xxxxxxx> wrote:
> Even if 'httpd' is still running as root when reading the cert, and so
> able to use it, it is still a bad idea to have it OWNED by root - you
> still have to have super-user powers to maintain it.  Bad, bad, bad,
> bad, bad.

You should need superuser access to read, much less modify, an
[unencrypted] private key used by Apache.

> and so the uncloaked cert files should be stored as
> read-only by "apache".

This is criminally negligent advice, as the userid used for
request-processing shouldn't be able to read this confidential data.

-- 
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
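The permission model the reply argues for (httpd reads the key while still root at startup, so the file can and should be root-owned and mode 0600, leaving the request-processing user unable to read it) can be checked mechanically. The script below is an added example, not code from the thread or from the Apache project. It assumes GNU `stat` (the BSD equivalent is noted in a comment), a service user named "apache" by default, and a constructed placeholder file in place of a real key; the function name `check_key_perms` is this example's own.

```shell
#!/bin/sh
# Added example: audit an unencrypted TLS private key against the rule in the
# reply above: owned by root, no group/other permission bits, and therefore
# not readable by the request-processing user.
#
# check_key_perms KEYFILE [EXPECTED_OWNER] [SERVICE_USER]
#   EXPECTED_OWNER defaults to root, SERVICE_USER to "apache" (assumed names).
#   Prints each finding and returns 0 when the key is acceptable, 1 otherwise.
check_key_perms() {
    key=$1
    expected_owner=${2:-root}
    service_user=${3:-apache}
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist or is not a regular file"
        return 1
    fi

    # GNU stat; on BSD/macOS use: stat -f '%Su' and stat -f '%OLp' instead.
    owner=$(stat -c '%U' "$key")
    mode=$(stat -c '%a' "$key")

    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $key is owned by $owner, expected $expected_owner"
        rc=1
    fi
    if [ "$owner" = "$service_user" ]; then
        echo "FAIL: $key is owned by the request-processing user $service_user"
        rc=1
    fi
    # The low two octal digits are the group and other permission bits;
    # both must be zero (0600 or 0400), otherwise the worker user (or
    # anyone) can copy the key.
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode; group/other bits must be 0 (chmod 600)"
           rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $key is owned by $owner, mode $mode"
    return "$rc"
}

# Demo on a constructed placeholder file (not a real key):
#   . ./check_key_perms.sh && demo
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'constructed placeholder, not a real private key' > "$tmp/server.key"
    chmod 644 "$tmp/server.key"
    check_key_perms "$tmp/server.key" "$(id -un)" apache   # world-readable: FAIL
    chmod 600 "$tmp/server.key"
    check_key_perms "$tmp/server.key" "$(id -un)" apache   # fixed: OK
    rm -rf "$tmp"
}
```

The demo passes the current user as the expected owner so it runs without root; in production call `check_key_perms /path/to/server.key root apache` (or `www-data` on Debian-derived systems). The remediation for a failing key is `chown root:root` plus `chmod 600` on the file, not making it readable by the worker user.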