Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 22 Mar 2002 18:14:35 -0500 (EST)
From:      Tyler <tjr@cagelink.com>
To:        Simon <simon@optinet.com>
Cc:        Alastair D'Silva <deece@newmillennium.net.au>, Dave <dave@hawk-systems.com>, "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject:   RE: Questions about Apache
Message-ID:  <20020322181405.V71189-100000@cagelink.com>
In-Reply-To: <20020322225847.184A237B419@hub.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Ok thanks for all the replies, I got HTTPS to start without a password but
im still having trouble with the /~ userdir thing.

On Fri, 22 Mar 2002, Simon wrote:

>
> Do not run your HTTPS daemon as root.
>
> On Sat, 23 Mar 2002 09:35:54 +1100, Alastair D'Silva wrote:
>
> >I would argue the opposite, a script that is only executable by the
> >webserver, and checks the UID of the user executing it (and possibly
> >encrypting it with a reversible encryption based on something unique to
> >the system such as the hostname, as well as parameters specified on the
> >command line) is considerably more secure than simply leaving the key
> >unencrypted.
> >
> >Consider the case when some random buffer overflow in your webserver
> >allows an intruder to execute arbitrary code on the server. It is
> >(obviously) trivial for them to retrieve the unencrypted key from the
> >disk, as the web server user must be able to read it anyway. If it is
> >encrypted, they must not only retrieve the key, but also determine which
> >executable generates the pass phrase, determine what parameters are
> >required to run it and finally run it, all without reading the
> >executable itself to determine its structure.
> >
> >--
> >Alastair D'Silva B. Sc.            mob: 0413 485 733
> >Networking Consultant
> >New Millennium Networking  http://www.newmillennium.net.au
> >
> >> -----Original Message-----
> >> From: Dave [mailto:dave@hawk-systems.com]
> >> Sent: Saturday, 23 March 2002 1:27 AM
> >> To: Alastair D'Silva; 'Tyler'; freebsd-isp@freebsd.org
> >> Subject: RE: Questions about Apache
> >>
> >>
> >> Pay attention to the security warnings about this.  You may
> >> be better off not password protecting your key and letting
> >> the file permissions(root read only) take care of the
> >> security of it rather than having a password sitting in a
> >> file somewhere waiting to be parsed.  Either choice is really
> >> dependant on how you have your security model set up.
> >>
> >> Dave
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
> >
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020322181405.V71189-100000>