Hi Piotr,
When I set the httpd user and group values at compile time, some things are installed and chmod'ed to this user, and that's fine. However, I noticed that my web server (running as the users I set) is unable to perform some actions related to writing files in openca directories. When I set -R g+w on some directories, this was solved. So in my opinion the file permissions set by make install-* should be reviewed.
-R g+w is a bad idea. It is important to know what you changed to understand what's happened. There is a simple philosophy. Files or directories which must be changed via the web interface are owned by the web server. All other files are owned by the openca user. There should be no files which are owned by root - nevertheless many people use root as the openca user and group.
Second thing - I noticed that there are some problems with date/time settings - openca in some cases writes its temporary data to directories like time/YYYY/MM/DD/hh/mm(..) and similar. This probably isn't a bad idea; however, I noticed (because of the problem mentioned above) that the time for which a directory is used/created does not correspond to my system time. While I use time zone CET + 1 hour, the directory used by openca is more like CET -1 hour (it looks like openca uses, for directories, a time which is exactly two hours earlier than the system time). I don't know whether this is a bug or whether it is intentional.
PKIs are often established for large infrastructures. Therefore OpenCA always uses UTC (formerly GMT). UTC = CET - 1 = CEST - 2. UTC is used by OpenSSL for certificates too. This ensures that there are no time problems if one user sits in Argentina and the other one in Poland.
Q: Do you have some documentation about filesystem permissions for openca node files? I mean some information about which files/directories should be SUID'ed, which should be owned by the webserver user, and so on, so that I can make sure I have all permissions set correctly. Of course some files like cgi scripts don't need detailed permissions listed in the docs, however for some others (like e.g. certs) I'd be glad to see them :)
Actually we didn't document the permissions. If somebody has the time to do the job then let's go ;) Otherwise we fix the permissions if there are bugs or problems. We always try to allow only the minimum, and this can sometimes result in problems.
Michael

--
-------------------------------------------------------------------
Michael Bell                       Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice     Tel.: +49 (0)30-2093 2482
(Computing Centre)                 Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6                 Email (private): [EMAIL PROTECTED]
10099 Berlin
Germany                            http://www.openca.org
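An added example, not OpenCA's own code, that turns the ownership model Michael describes into a check an administrator can run after make install-*: entries the web interface must write belong to the web server user, everything else to the openca user, nothing to root, and nothing group- or world-writable (the -R g+w shortcut). The directory layout, the uids and the list of web-writable paths in the demo are constructed assumptions, not OpenCA's real install tree.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_permissions(root, web_uid, openca_uid, web_writable):
    """Return (relative path, problem) tuples for entries under `root` that
    break the model: web-writable paths owned by web_uid, the rest by
    openca_uid, and no group- or world-writable bits anywhere."""
    root = Path(root)
    web_roots = [root / p for p in web_writable]
    findings = []
    for path in sorted(root.rglob("*")):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's target is audited when it is visited itself
        rel = str(path.relative_to(root))
        is_web = any(path == w or w in path.parents for w in web_roots)
        expected = web_uid if is_web else openca_uid
        if st.st_uid != expected:
            who = "root" if st.st_uid == 0 else f"uid {st.st_uid}"
            findings.append((rel, f"owned by {who}, expected uid {expected}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return findings


def demo():
    """Audit a small constructed tree (hypothetical layout). The current user
    stands in for the openca user; a uid owning nothing here (me + 1) stands
    in for the web server user, so var/tmp is reported as wrongly owned."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "var", "var/tmp", "var/crypto", "var/crypto/certs"):
            (root / d).mkdir()
            (root / d).chmod(0o750)
        for f in ("etc/config.xml", "var/crypto/certs/cacert.pem", "var/tmp/req.pem"):
            (root / f).touch()
            (root / f).chmod(0o640)
        (root / "var/tmp/req.pem").chmod(0o660)  # the g+w shortcut on one file
        me = os.getuid()
        return audit_permissions(root, web_uid=me + 1, openca_uid=me,
                                 web_writable=["var/tmp"])


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

Only the var/tmp entries are reported: the directory and the request file for wrong ownership, and the request file again for its group-writable bit; the certs and config tree stay silent.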
_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
