On Thu, Mar 03, 2005 at 09:16:08AM +0100, Michael Bell wrote:
> Date: Thu, 03 Mar 2005 09:16:08 +0100
> From: Michael Bell <[EMAIL PROTECTED]>
> To: [email protected]
> Reply-To: [email protected]
> Subject: Re: [OpenCA-Devel] httpd-user vs openca-user
>
> Alexei Chetroi wrote:
>
> > IMHO there's no necessity. Debian packaging configures openca with
> > "--with-openca-user" and "--with-openca-group" set to uid/gid of apache.
> > I thought there was a reason for that. Now I see that we can get rid of
> > that and make only the openca socket owned by the apache uid. Thanks for
> > the information.
>
> This is wrong and a security risk. Perhaps some comments about the user
> and group terms:
>
> openca - this is used for stuff which may not be writeable by the daemon
> or http server
> httpd - this is used for stuff which should be writeable for the daemon
>
> today it is not necessary that the apache can write anything. Therefore
> my recommendation is:
>
> openca: user root with group root
> httpd: special openca user (this is the owner of the socket and daemon)

Well, that changes things a bit. So to clarify once again: httpd-user is
the user under which the daemon is running and needs write access to
"--with-var-prefix", right? Does the daemon need write access to
"--with-etc-prefix"/rbac and "--with-etc-prefix"/openssl to create new
roles, or should roles be created by the sysadmin by hand from a template?
> My idea was to rename the httpd option because the semantic is wrong and
> can lead to security relevant mistakes.

In that case I think we should change the name of these options. BTW, may
we also have options for specifying the path for the socket and daemon pid
file, something like --with-var-run-prefix?

Best wishes,

-- 
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law

_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
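The ownership split in the quoted recommendation (config tree root:root and not writable by the daemon; state tree, socket included, owned by the daemon user) as an added shell example. This is not OpenCA's own code and not part of the thread; the daemon user name "openca", the paths /usr/local/etc/openca and /usr/local/var/openca standing in for --with-etc-prefix and --with-var-prefix, and the environment variable OPENCA_OWNERSHIP_DEMO are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not OpenCA's own code. Models the split from the quoted
# recommendation: the config tree (--with-etc-prefix) is root:root and not
# writable by the daemon; the state tree (--with-var-prefix), socket
# included, belongs to the daemon user. The daemon user name "openca" and
# the two paths below are assumptions.

# Print the commands a sysadmin would run as root to apply the layout.
# Nothing is changed here: review the output, then run it as root.
plan_ownership() {
    etc=$1 var=$2 daemon_user=$3
    printf 'chown -R root:root %s\n' "$etc"
    printf 'chmod -R go-w %s\n' "$etc"
    printf 'chown -R %s:%s %s\n' "$daemon_user" "$daemon_user" "$var"
    printf 'chmod 0750 %s\n' "$var"
}

# Audit the config tree: list every path the daemon could write, i.e.
# owned by the daemon user, or group- or world-writable. The daemon user
# may be a name or a numeric uid (find -user accepts both).
# Returns 0 when clean, 1 when anything is found.
audit_etc() {
    etc=$1 daemon_user=$2
    findings=$(find "$etc" \( -user "$daemon_user" -o -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$findings" ]; then
        printf 'config writable by daemon user %s:\n%s\n' "$daemon_user" "$findings"
        return 1
    fi
    return 0
}

# Audit the state tree: everything must belong to the daemon user and
# nothing may be world-writable (the socket included).
audit_var() {
    var=$1 daemon_user=$2
    findings=$(find "$var" \( ! -user "$daemon_user" -o -perm -0002 \) -print)
    if [ -n "$findings" ]; then
        printf 'state tree not owned by %s or world-writable:\n%s\n' "$daemon_user" "$findings"
        return 1
    fi
    return 0
}

# Usage with the assumed paths: print the plan, then audit an applied layout.
if [ "${OPENCA_OWNERSHIP_DEMO:-}" = 1 ]; then
    plan_ownership /usr/local/etc/openca /usr/local/var/openca openca
    audit_etc /usr/local/etc/openca openca && audit_var /usr/local/var/openca openca
fi
```

Run the audit from cron or a post-install hook as a regression check: a file under the config tree that the daemon user owns, or that became group-writable, is exactly the "security relevant mistake" the renamed options are meant to prevent, since a compromised daemon could then rewrite its own RBAC or OpenSSL configuration.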
