Date: Fri, 22 Mar 2002 18:14:35 -0500 (EST) From: Tyler <tjr@cagelink.com> To: Simon <simon@optinet.com> Cc: Alastair D'Silva <deece@newmillennium.net.au>, Dave <dave@hawk-systems.com>, "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org> Subject: RE: Questions about Apache Message-ID: <20020322181405.V71189-100000@cagelink.com> In-Reply-To: <20020322225847.184A237B419@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Ok thanks for all the replies, I got HTTPS to start without a password but im still having trouble with the /~ userdir thing. On Fri, 22 Mar 2002, Simon wrote: > > Do not run your HTTPS daemon as root. > > On Sat, 23 Mar 2002 09:35:54 +1100, Alastair D'Silva wrote: > > >I would argue the opposite, a script that is only executable by the > >webserver, and checks the UID of the user executing it (and possibly > >encrypting it with a reversible encryption based on something unique to > >the system such as the hostname, as well as parameters specified on the > >command line) is considerably more secure than simply leaving the key > >unencrypted. > > > >Consider the case when some random buffer overflow in your webserver > >allows an intruder to execute arbitrary code on the server. It is > >(obviously) trivial for them to retrieve the unencrypted key from the > >disk, as the web server user must be able to read it anyway. If it is > >encrypted, they must not only retrieve the key, but also determine which > >executable generates the pass phrase, determine what parameters are > >required to run it and finally run it, all without reading the > >executable itself to determine its structure. > > > >-- > >Alastair D'Silva B. Sc. mob: 0413 485 733 > >Networking Consultant > >New Millennium Networking http://www.newmillennium.net.au > > > >> -----Original Message----- > >> From: Dave [mailto:dave@hawk-systems.com] > >> Sent: Saturday, 23 March 2002 1:27 AM > >> To: Alastair D'Silva; 'Tyler'; freebsd-isp@freebsd.org > >> Subject: RE: Questions about Apache > >> > >> > >> Pay attention to the security warnings about this. You may > >> be better off not password protecting your key and letting > >> the file permissions(root read only) take care of the > >> security of it rather than having a password sitting in a > >> file somewhere waiting to be parsed. Either choice is really > >> dependant on how you have your security model set up. > >> > >> Dave > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-isp" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020322181405.V71189-100000>