On Thu, Sep 04, 2008 at 04:35:53PM -0400, Eric Covener wrote:
...
> That's not all you've been saying.
>
> | You should be running your servers as some other user, say, "apache",
> | and so the uncloaked cert files should be stored as read-only by "apache".

I did note at one point that my original note had been dashed off hastily, and that it had some flaws. For this I apologize.

If you are running your Web server as the account "apache" then, as has been pointed out, you should have your content files owned by, say "wwwadmin" [to use the most recent suggestion]. The cert files can be owned by the same account or, better, another one that is solely for the certs rather than the Web content updaters, if this is a multi-person show.

I did figure someone would point out that I'd said more words than those in the last entry. I really don't want to add any more to this topic. If anyone else can stand up and say that THEY have admin'ed Unix, Linux, BSD, etc. for over 35 years, and NEVER seen a mistake made worse because the person making the mistake was su'ed or sudo'ed to root, then I will applaud that person's good luck - SILENTLY.

--
/*********************************************************************\
**
** Joe Yao jsdy@xxxxxxx - Joseph S. D. Yao
**
\*********************************************************************/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.