Paul Rogers wrote:
When installing the Certificate Authority (CA) certificates, BLFS creates a few scripts in /usr/bin, world executable. Is this sound? Granted, the places they are going to "mess with" aren't world writable, but wouldn't /usr/sbin, and u+x be more consistent with reasonable security practices?
Certainly remove-expired-certs.sh needs root permissions for the rm command, but man-ca.sh does not (it does have an unused SSLDIR variable embedded though). make-cert-pl does not use root privileges either.
I suppose we should move remove-expired-certs.sh to /usr/sbin and in the non-script instructions move the call to remove-expired-certs.sh to the root portion.
-- Bruce -- http://lists.linuxfromscratch.org/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
