Date: Sat, 23 Mar 2002 09:35:54 +1100 From: "Alastair D'Silva" <deece@newmillennium.net.au> To: "'Dave'" <dave@hawk-systems.com>, <freebsd-isp@freebsd.org> Subject: RE: Questions about Apache Message-ID: <001c01c1d1f1$eda14fe0$3200a8c0@riker> In-Reply-To: <DBEIKNMKGOBGNDHAAKGNIEBHNGAA.dave@hawk-systems.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I would argue the opposite, a script that is only executable by the webserver, and checks the UID of the user executing it (and possibly encrypting it with a reversible encryption based on something unique to the system such as the hostname, as well as parameters specified on the command line) is considerably more secure than simply leaving the key unencrypted. Consider the case when some random buffer overflow in your webserver allows an intruder to execute arbitrary code on the server. It is (obviously) trivial for them to retrieve the unencrypted key from the disk, as the web server user must be able to read it anyway. If it is encrypted, they must not only retrieve the key, but also determine which executable generates the pass phrase, determine what parameters are required to run it and finally run it, all without reading the executable itself to determine its structure. -- Alastair D'Silva B. Sc. mob: 0413 485 733 Networking Consultant New Millennium Networking http://www.newmillennium.net.au > -----Original Message----- > From: Dave [mailto:dave@hawk-systems.com] > Sent: Saturday, 23 March 2002 1:27 AM > To: Alastair D'Silva; 'Tyler'; freebsd-isp@freebsd.org > Subject: RE: Questions about Apache > > > Pay attention to the security warnings about this. You may > be better off not password protecting your key and letting > the file permissions(root read only) take care of the > security of it rather than having a password sitting in a > file somewhere waiting to be parsed. Either choice is really > dependant on how you have your security model set up. > > Dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001c01c1d1f1$eda14fe0$3200a8c0>