httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Covener" <cove...@gmail.com>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Fri, 29 Aug 2008 11:45:12 GMT
On Fri, Aug 29, 2008 at 2:05 AM, Joseph S D Yao <jsdy@tux.org> wrote:

> Even if 'httpd' is still running as root when reading the cert, and so
> able to use it, it is still a bad idea to have it OWNED by root - you
> still have to have super-user powers to maintain it.  Bad, bad, bad,
> bad, bad.

You should need superuser access to read, much less modify, a
[unencrypted] private key used by Apache.

> and so the uncloaked cert files should be stored as
> read-only by "apache".

This is criminally negligent advice, as the userid used for
request-processing shouldn't be able to read this confidential data.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message