Alexei Chetroi wrote:
This is wrong and a security risk. Perhaps some comments about the user and group terms:
openca - this is used for stuff which may not be writeable by the daemon or http server
httpd - this is used for stuff which should be writeable for the daemon
Today it is not necessary that Apache can write anything. Therefore my recommendation is:
openca: user root with group root
httpd: special openca user (this is the owner of the socket and daemon)
Well, that changes things a bit. So to clarify once again: the httpd user is the user under which the daemon is running and needs write access to "--with-var-prefix", right? Does the daemon need write access to "--with-etc-prefix"/rbac and "--with-etc-prefix"/openssl to create new roles, or should roles be created by the sysadmin by hand from a template?
I can only recommend that you look into the makefiles. We are usually really careful with the owner and group settings. Some etc/ files should be writeable by the daemon. The best detailed answer is to look into the makefiles. Every install command includes a user and group setting.
In that case I think we should change the names of these options. BTW, may we also have options for specifying the path for the socket and the daemon pid file, something like --with-var-run-prefix?
Please see my answer to Piotr. If there is consent then we can introduce such options.
Michael

--
_______________________________________________________________
Michael Bell                    Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]               D-10099 Berlin
_______________________________________________________________
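The ownership split discussed in the thread (etc/ owned by root and not writable by the daemon, var/ owned and writable by the daemon user, with a few etc/ files the daemon may write) is something an administrator can verify after running the install. The script below is an added example written for this page; it is not OpenCA code, not taken from the makefiles, and not something either participant posted. The directory layout it constructs (etc/openssl, etc/rbac, etc/servers, var/run, var/spool), the file names, the `daemon_writable_etc` allowlist parameter and the uid stand-ins used so that it runs unprivileged are all assumptions made for the demonstration.

```python
"""Audit an installed tree for the etc/var ownership split discussed in the thread.

Added example (not OpenCA code). The layout names and the allowlist of
daemon-writable etc/ subpaths are assumptions for the demonstration.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterator, List, Sequence, Tuple

Finding = Tuple[str, str]  # (path relative to prefix, problem)


def _walk(root: str) -> Iterator[str]:
    """Yield root, every directory below it and every file, without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def audit_tree(prefix: str, etc_uid: int, daemon_uid: int,
               daemon_writable_etc: Sequence[str] = ()) -> List[Finding]:
    """Check prefix/etc and prefix/var against the intended ownership split.

    etc/  must be owned by etc_uid (root in the thread) and never group- or
          world-writable, except for the subpaths in daemon_writable_etc, which
          the daemon user may own ("some etc/ files should be writeable by the
          daemon"; which ones is an assumption of this example).
    var/  must be owned by daemon_uid and never world-writable.
    """
    findings: List[Finding] = []
    allow = {os.path.normpath(p) for p in daemon_writable_etc}

    etc_root = os.path.join(prefix, "etc")
    for path in _walk(etc_root):
        st = os.lstat(path)
        rel = os.path.relpath(path, prefix)
        sub = os.path.relpath(path, etc_root)
        daemon_ok = sub in allow or any(sub.startswith(a + os.sep) for a in allow)
        expected = daemon_uid if daemon_ok else etc_uid
        if st.st_uid != expected:
            findings.append((rel, "etc: wrong owner"))
        # Symlink mode bits are meaningless (0777 on Linux); only the target's matter.
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "etc: group- or world-writable"))

    var_root = os.path.join(prefix, "var")
    for path in _walk(var_root):
        st = os.lstat(path)
        rel = os.path.relpath(path, prefix)
        if st.st_uid != daemon_uid:
            findings.append((rel, "var: not owned by daemon user"))
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append((rel, "var: world-writable"))
    return findings


def build_demo_tree() -> str:
    """Create a small constructed install tree in a temp dir; two entries are deliberately wrong."""
    prefix = tempfile.mkdtemp(prefix="openca-audit-")
    dirs = {  # insertion order matters: parents first
        "etc": 0o755, "etc/openssl": 0o755, "etc/rbac": 0o755, "etc/servers": 0o755,
        "var": 0o755, "var/run": 0o755,
        "var/spool": 0o777,            # wrong: world-writable
    }
    for d, mode in dirs.items():
        os.makedirs(os.path.join(prefix, d))
        os.chmod(os.path.join(prefix, d), mode)
    files = {
        "etc/openssl/openssl.cnf": 0o644,
        "etc/rbac/roles.xml": 0o666,   # wrong: anyone can edit the role definitions
        "etc/servers/daemon.conf": 0o644,
        "var/run/openca.pid": 0o644,
    }
    for f, mode in files.items():
        p = os.path.join(prefix, f)
        with open(p, "w") as fh:
            fh.write("# constructed sample, not a real OpenCA file\n")
        os.chmod(p, mode)
    return prefix


def demo() -> List[Finding]:
    """Run the audit on the constructed tree and return the sorted findings."""
    prefix = build_demo_tree()
    me = os.getuid()
    # The example runs unprivileged, so every entry is owned by the current user.
    # Treat the current user as the daemon user and a hypothetical other uid as
    # "root", which makes every non-allowlisted etc/ entry show up as mis-owned.
    try:
        return sorted(audit_tree(prefix, etc_uid=me + 1, daemon_uid=me,
                                 daemon_writable_etc=("servers",)))
    finally:
        shutil.rmtree(prefix)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

On a real install you would call `audit_tree(prefix, etc_uid=0, daemon_uid=pwd.getpwnam("openca").pw_uid, ...)` with the allowlist taken from whatever the makefiles actually install as daemon-owned; the point of the script is that the decision of which files the daemon may own is made explicit in one place rather than spread over many `install` invocations.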
