From owner-freebsd-isp Fri Mar 22 17:35:36 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from web1.nexusinternetsolutions.net (web1.nexusinternetsolutions.net [206.47.131.12]) by hub.freebsd.org (Postfix) with SMTP id 6570F37B417 for ; Fri, 22 Mar 2002 17:35:29 -0800 (PST)
Received: (qmail 25957 invoked from network); 23 Mar 2002 01:42:47 -0000
Received: from unknown (HELO cr159591a) (24.102.18.54) by web1.nexusinternetsolutions.net with SMTP; 23 Mar 2002 01:42:47 -0000
From: "Dave"
To:
Subject: RE: Questions about Apache
Date: Fri, 22 Mar 2002 20:39:26 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <001c01c1d1f1$eda14fe0$3200a8c0@riker>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I would argue the opposite, a script that is only executable by the
> webserver, and checks the UID of the user executing it (and possibly
> encrypting it with a reversible encryption based on something unique to
> the system such as the hostname, as well as parameters specified on the
> command line) is considerably more secure than simply leaving the key
> unencrypted.
>
> Consider the case when some random buffer overflow in your webserver
> allows an intruder to execute arbitrary code on the server. It is
> (obviously) trivial for them to retrieve the unencrypted key from the
> disk, as the web server user must be able to read it anyway. If it is
> encrypted, they must not only retrieve the key, but also determine which
> executable generates the pass phrase, determine what parameters are
> required to run it and finally run it, all without reading the
> executable itself to determine its structure.
Um... no. If the webserver can execute the script to decrypt the passphrase, then your access as indicated above would give them the ability to execute that same script (or read it) and reverse your encryption, since the permission they would inherit from the overflow would likely be whatever your web server is running as (unless I am misunderstanding your description).

The recommendation being to have the keys readable only by root (chmod 600); then you can start apache via root, then direct apache via the conf file to run as user www (or whatever). Starting as root allows it to read the key (which is readable only by root), and apache runs all requests as the user specified in the conf file. Given your buffer overflow, they would logically inherit the permission of the web server (www, apache, nobody...) and not be able to view the directory or key files at all, nor any other files on the server if you are set up correctly: a far better setup than having a file readable by the web server user.

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
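The setup Dave describes rests on two checks an admin can script: the key file grants no read access to group or other (chmod 600, owned by root), and httpd.conf carries a User directive that drops the request-serving children to an unprivileged account. The following audit is an added example, not code from the original thread or from the Apache project. It only inspects mode bits and the User line, so it runs as an ordinary user; root ownership of the key is assumed rather than checked, and the file names and the scratch directory it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the "key readable only by root, Apache drops to www"
# setup discussed above. Checks mode bits and the User directive only;
# ownership by root is assumed. File names below are made up for the demo.

# Return 0 if neither the group nor the "other" read bit is set on $1.
# Uses ls(1) output so it works on both GNU and BSD userlands.
key_not_readable_by_others() {
    perm=$(ls -ld "$1" | cut -c1-10)       # e.g. "-rw-------"
    grp=$(printf '%s' "$perm" | cut -c5)   # group read position
    oth=$(printf '%s' "$perm" | cut -c8)   # other read position
    [ "$grp" != "r" ] && [ "$oth" != "r" ]
}

# Print the value of the first uncommented User directive in httpd.conf ($1).
# Commented lines start with "#" as their first field and are skipped.
apache_run_user() {
    awk '$1 == "User" { print $2; exit }' "$1"
}

# Return 0 if $1 (the key) is unreadable by group/other and $2 (httpd.conf)
# runs the children as a user other than root. Prints the reason on failure.
audit_key_setup() {
    key=$1 conf=$2
    if ! key_not_readable_by_others "$key"; then
        echo "FAIL: $key is readable by group or other; chmod 600 it" >&2
        return 1
    fi
    user=$(apache_run_user "$conf")
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "FAIL: $conf does not drop privileges (User is '${user:-unset}')" >&2
        return 1
    fi
    echo "OK: $key is private; Apache children run as '$user'"
    return 0
}

# Build a scratch directory of constructed sample files and print its path.
# Nothing here touches real system files or requires root.
make_demo_dir() {
    d=$(mktemp -d)
    ( umask 077; : > "$d/good.key" )            # created mode 0600
    : > "$d/bad.key"; chmod 644 "$d/bad.key"    # world-readable, the wrong way
    printf 'User www\nGroup www\nSSLCertificateKeyFile %s\n' "$d/good.key" > "$d/httpd.conf"
    printf 'User root\nGroup wheel\n' > "$d/httpd-root.conf"
    echo "$d"
}

# Usage: sh audit_key.sh demo
if [ "${1:-}" = demo ]; then
    d=$(make_demo_dir)
    audit_key_setup "$d/good.key" "$d/httpd.conf"                # passes
    audit_key_setup "$d/bad.key" "$d/httpd.conf" || true         # fails: mode
    audit_key_setup "$d/good.key" "$d/httpd-root.conf" || true   # fails: User root
    rm -rf "$d"
fi
```

Point the two functions at a real key path and the real httpd.conf to audit a live box; the demo branch only exercises the constructed files. The mode check alone is the part that matters in the overflow scenario: a 0600 root-owned key is invisible to a compromised www process no matter how the key is encoded, whereas any decryption helper the www user can run is equally runnable by the attacker.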