On Wed, 2015-03-25 at 17:39 -0700, Paul Rogers wrote:
> It appears to me these scripts could be used to create CA
> Certificates, (and who knows how trustworthy those might be) in a
> user's ~/.ssl where perhaps openssl and/or a browser would accept
> them, quite possibly ushering malware onto the system--that guess who
> will have to clean up if I can.

Well, those scripts couldn't, because that's not what those scripts are written to do. You could modify them, but if you're comfortable modifying them, you don't really need the scripts anyway... they're just a convenience for LFS.

But to put it into perspective - if you know what you're doing, it takes *seconds* to create your own CA certificate using nothing more than the tools provided by OpenSSL... it's a single command.

It's a little more work to import it into, say, the set of recognised authorities stored in a user's Firefox profile. But probably not much... it's trivial to do from the browser itself, and can probably be automated using some of the tools provided by NSS.

This is what I'm trying to emphasize, here. Locking down access to those scripts does *nothing* to improve the security of your system. They're just simple wrappers around standard tools provided by OpenSSL and NSS, and any hacker will just use those tools directly. All you'd be gaining is a false sense of security...

Simon.
