On Fri, Aug 29, 2008 at 2:05 AM, Joseph S D Yao <[EMAIL PROTECTED]> wrote:
> Even if 'httpd' is still running as root when reading the cert, and so > able to use it, it is still a bad idea to have it OWNED by root - you > still have to have super-user powers to maintain it. Bad, bad, bad, > bad, bad. You should need superuser access to read, much less modify, a [unencrypted] private key used by Apache. > and so the uncloaked cert files should be stored as > read-only by "apache". This is criminally negligent advice, as the userid used for request-processing shouldn't be able to read this confidential data. -- Eric Covener [EMAIL PROTECTED] --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
