Alexei Chetroi wrote:
IMHO there's no necessity. Debian packaging configures openca with
"--with-openca-user" and "--with-openca-group" set to uid/gid of apache.
I thought there was a reason for that. Now I see that we can get rid of
that and make only openca socket owned by apache uid. Thanks for
information.
This is wrong and a security risk. Perhaps some comments about the user and group terms:
openca - this is used for stuff which may not be writeable by the daemon or http server
httpd - this is used for stuff which should be writeable for the daemon

Today it is not necessary that the apache can write anything. Therefore my recommendation is:

openca: user root with group root
httpd: special openca user (this is the owner of the socket and daemon)
My idea was to rename the httpd option because the semantic is wrong and can lead to security relevant mistakes.
Michael

-- 
_______________________________________________________________
Michael Bell                   Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482      ZE Computer- und Medienservice
Fax: +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]              D-10099 Berlin
_______________________________________________________________
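An added audit helper (not from the thread or the OpenCA project) that checks the layout Michael recommends: it walks an install tree and prints every file or directory the daemon user could write to, exempting the socket. The tree path, daemon user name and socket path are assumptions passed in as arguments; ownership and groups are read with GNU stat and id.

```shell
# Print each file/directory below $1 writable by user $2, skipping the socket $3.
# Under the recommended layout (everything root:root, daemon owns only its
# socket) the listing should be empty. Uses GNU stat (-c) and id (-Gn).
openca_writable_by() {
    tree="$1"; user="$2"; socket="${3:-/nonexistent}"
    ugroups=" $(id -Gn "$user") " || return 2      # groups the daemon user is in
    find "$tree" -path "$socket" -prune -o \( -type f -o -type d \) -print |
    while IFS= read -r p; do
        set -- $(stat -c '%U %G %a' "$p")          # owner, group, octal mode
        perms=$(( $3 % 1000 ))                     # drop setuid/setgid/sticky digit
        o=$(( perms / 100 )); g=$(( perms / 10 % 10 )); w=$(( perms % 10 ))
        if { [ "$1" = "$user" ] && [ $(( o & 2 )) -ne 0 ]; } ||
           { case "$ugroups" in *" $2 "*) [ $(( g & 2 )) -ne 0 ];; *) false;; esac; } ||
           [ $(( w & 2 )) -ne 0 ]; then
            printf '%s\n' "$p"                     # daemon user could write here
        fi
    done
}
```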