On Wed, Mar 10, 1999, Steffen Dettmer wrote:

> > > ... somewhere in a core dump from httpd ...
> > That's why most Unix platforms do not create core files for daemon processes
> > running under or started as UID=0 (root).
> 
> I thought that is "overrideable" using "ulimit -c 10000000" ?

Perhaps, but AFAIK it's a hard-coded thing in some kernels.
Wasn't Linux one of those kernels that had it hard-coded?
I cannot remember...

> > BTW, a few months ago we had a long thread about this topic.
> > Look inside the sw-mod-ssl mailing list archives for details.
> 
> Sorry, I couldn't find it... I crawled through lots of mails, but such a
> discussion I haven't found...

AFAIK it was in the thread about the extended Pass Phrase procedure I've
written for mod_ssl 2.1 (the original idea was the reuse of pass phrases but
we discussed related topics there).

> What about the feature "SSLPassPhraseDialog exec:/path/to/program" ?
> The manual tells: "The intent is that this external program first runs
> security checks to make sure that the system is not compromised by an
> attacker, and only when these checks were passed successfully it provides
> the Pass Phrase"
> What kind of security checks are possible? I think it's at least very
> difficult to make a difference between server and good hacker: the same
> IP, UID, calling situation and so on may be faked easily (or: easy?).
> 
> Does somebody have a good idea?

No, you're right. IT IS DIFFICULT and perhaps even impossible when you want to
do it really correctly and securely.  The position of mod_ssl here is that this
decision is outside of mod_ssl's scope as a glue-code between Apache and
OpenSSL (and because neither I nor any user had a real solution), so
mod_ssl only provides the hook (``exec:...''). Whether you really can use
it for a reasonable pass-phrase-delivery thing I cannot decide.  I only
know that I currently don't know one. But because the hook exists, feel
free to develop one.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
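
An added example, not part of the original message and not mod_ssl's own code: a minimal program for the ``exec:'' hook that refuses to hand out a pass phrase unless its store is a regular file owned by the caller with no group/other access. It covers only local misconfiguration (a readable or replaced store) and does not distinguish the server from an attacker running with the same UID, which is the open problem in this message. The store path, the PASSPHRASE_STORE variable and the store format are assumptions; the two arguments (servername:port and RSA or DSA) follow the mod_ssl documentation for this directive.

```shell
#!/bin/sh
# Added example: pass phrase program for "SSLPassPhraseDialog exec:...".
# mod_ssl calls it as:  program servername:port RSA|DSA
# and reads the pass phrase from stdout.

# Hypothetical store location; override with PASSPHRASE_STORE.
STORE="${PASSPHRASE_STORE:-/etc/apache/ssl.pass}"

# Succeeds only if $1 is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits set.
store_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# Prints the pass phrase stored for "server:port" and algorithm.
# Fails closed: any failed check or missing entry prints nothing.
lookup_passphrase() {
    store=$1 vhost=$2 alg=$3
    if ! store_is_private "$store"; then
        echo "refusing: $store is not a private regular file" >&2
        return 1
    fi
    case "$alg" in RSA|DSA) ;; *) return 1 ;; esac
    # Assumed store format, one entry per line:
    #   <server:port> <RSA|DSA> <pass phrase, may contain spaces>
    while read -r v a phrase; do
        if [ "$v" = "$vhost" ] && [ "$a" = "$alg" ]; then
            printf '%s\n' "$phrase"
            return 0
        fi
    done < "$store"
    return 1
}

# Act as the exec: program only when called with both arguments.
if [ $# -eq 2 ]; then
    lookup_passphrase "$STORE" "$1" "$2"
fi
```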
