From owner-freebsd-isp Fri Mar 22 15:12: 2 2002 Delivered-To: freebsd-isp@freebsd.org Received: from cagelink.com (dsl94041.dyndsl.nettally.com [199.44.94.41]) by hub.freebsd.org (Postfix) with ESMTP id A3B4037B404 for ; Fri, 22 Mar 2002 15:11:55 -0800 (PST) Received: by cagelink.com (Postfix, from userid 1001) id 2153E16E; Fri, 22 Mar 2002 18:14:36 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by cagelink.com (Postfix) with ESMTP id 1C57A80; Fri, 22 Mar 2002 18:14:36 -0500 (EST) Date: Fri, 22 Mar 2002 18:14:35 -0500 (EST) From: Tyler To: Simon Cc: Alastair D'Silva , Dave , "freebsd-isp@freebsd.org" Subject: RE: Questions about Apache In-Reply-To: <20020322225847.184A237B419@hub.freebsd.org> Message-ID: <20020322181405.V71189-100000@cagelink.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ok thanks for all the replies, I got HTTPS to start without a password but im still having trouble with the /~ userdir thing. On Fri, 22 Mar 2002, Simon wrote: > > Do not run your HTTPS daemon as root. > > On Sat, 23 Mar 2002 09:35:54 +1100, Alastair D'Silva wrote: > > >I would argue the opposite, a script that is only executable by the > >webserver, and checks the UID of the user executing it (and possibly > >encrypting it with a reversible encryption based on something unique to > >the system such as the hostname, as well as parameters specified on the > >command line) is considerably more secure than simply leaving the key > >unencrypted. > > > >Consider the case when some random buffer overflow in your webserver > >allows an intruder to execute arbitrary code on the server. It is > >(obviously) trivial for them to retrieve the unencrypted key from the > >disk, as the web server user must be able to read it anyway. If it is > >encrypted, they must not only retrieve the key, but also determine which > >executable generates the pass phrase, determine what parameters are > >required to run it and finally run it, all without reading the > >executable itself to determine its structure. > > > >-- > >Alastair D'Silva B. Sc. mob: 0413 485 733 > >Networking Consultant > >New Millennium Networking http://www.newmillennium.net.au > > > >> -----Original Message----- > >> From: Dave [mailto:dave@hawk-systems.com] > >> Sent: Saturday, 23 March 2002 1:27 AM > >> To: Alastair D'Silva; 'Tyler'; freebsd-isp@freebsd.org > >> Subject: RE: Questions about Apache > >> > >> > >> Pay attention to the security warnings about this. You may > >> be better off not password protecting your key and letting > >> the file permissions(root read only) take care of the > >> security of it rather than having a password sitting in a > >> file somewhere waiting to be parsed. Either choice is really > >> dependant on how you have your security model set up. > >> > >> Dave > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-isp" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message