httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Fri, 29 Aug 2008 05:53:08 GMT
Joseph S D Yao wrote:
> On Thu, Aug 28, 2008 at 05:42:59PM -0400, Eric Covener wrote:
> ...
>> root-owned private key sure sounds wiser to me.
> ...
> 
> Tell me three good reasons why.  Bad ones don't count.

I owe you one and that's all my time you'll waste.

A root-owned private key perms 400 is going to be visible to a cgi if
you are foolish enough to make it readable.  And once there, any trivial
MTM or DNS hole is going to allow your users to impersonate your business.

If starting as root and changing to apache/nobody user, that key will not
be visible if there's a local code execution vulnerability.

Please folks, treat Yao's security advice with the appropriate caution.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
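
The file-permission point made in the message above, as a check an administrator can run (an added example, not part of the original post or of Apache httpd). It verifies that a key file is owned by root and carries no group or other permission bits, and goes one step further by checking that the key's directory is not group- or world-writable. It assumes GNU `stat`; the helper name `audit_key` is hypothetical.

```shell
#!/bin/sh
# Added example: audit the ownership and mode of a TLS private key file.
# Assumes GNU coreutils stat(1); ACLs are not inspected.

# audit_key PATH [OWNER_UID]   (hypothetical helper name)
# Returns 0 when PATH is owned by OWNER_UID (default 0, root), has no
# group/other permission bits, and sits in a directory that group/other
# cannot write to. Prints one line per finding and returns 1 otherwise.
audit_key() {
    key=$1
    want_uid=${2:-0}
    rc=0

    [ -f "$key" ] || { echo "MISSING: $key is not a regular file"; return 1; }

    uid=$(stat -c '%u' "$key")
    mode=$(stat -c '%a' "$key")
    dir=$(dirname "$key")
    dmode=$(stat -c '%a' "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER: $key has uid $uid, expected $want_uid"
        rc=1
    fi

    # mode & 077: any group/other bit lets a non-owner process (for
    # example a CGI running as the httpd user) touch the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $key is $mode, group/other bits are set"
        rc=1
    fi

    # dmode & 022: a group/other-writable directory lets the key be replaced.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "DIR: $dir is $dmode and writable by group/other"
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh audit_key.sh /path/to/server.key
if [ "$#" -gt 0 ]; then
    audit_key "$@"
fi
```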

