Another hint to make the system more secure; this is not a bug right now. (I post this to both lists, since we already had a topic on this on the dev list, but not with a good subject, so some people may have overlooked it.)
As mentioned on the dev list at least, there is a naming 'conflict' in the configuration, from earlier version options, which leads to a more insecure installation than actually necessary:
I'm talking about the point: httpd-user/group should be openca-daemon/group, since apache needs almost no rights on openca files
what does this mean:
- since the openca-daemon concept was introduced in the 0.9.2 series, it is no longer necessary to have apache own openca files or even to give apache write permissions to any openca file (except the socket file ;)
- you may create an openca-daemon user which owns all files which need to be written by openca
- one may use another user which owns all other openca files (root for example, or a special openca user for read-only files)
so simply replace, at configure time, the http user and group with some other special user and pki group, or whatever policy you use
there are some 'wrong' file permissions, where the access is too restricted... this means:
- the conf files in etc/servers are only readable by owner and group; this must be changed to world-readable or to the apache group then, since the apache openca cgis read them (usually there is no sensitive information inside those files)
- etc/rbac and etc/openssl must be writable by the daemon user
and the var/tmp/openca_socket is only writable by owner (which of course is not the apache user anymore then ;) - furthermore the var and tmp are only group readable/executable, this must be changed too, and I set the group of the socket to the apache group and gave this group write permissions to the socket, so the cgis can write to the socket ;) (I modified openca_rc for this and put some chown and chmod lines into it, since you have to do this every time the daemon restarts)
another option for this is from alexei:
I also stepped on this problem, but only chmod it in post_bind_hook of Net::Server. Modified src/common/lib/functions/initServer for this. Actually I made a patch for openca_0_9_2_1 for debian packages which adds --with-run-dir and --with-log-dir. I keep pids in $run-dir and ...
so in the thread mentioned below there is also a patch attached to his posting regarding this; I'm not sure how far this is already in the 0.9.2.2 release - I think not ;)
the next debian packages may take this into account. some more hints can be found in this thread:
http://sourceforge.net/mailarchive/forum.php?thread_id=6686965&forum_id=2293
I have had no time yet to write a real how-to for this security improvement ;) so if you think this apache setup is too insecure (since apache has too many access and read rights), you may go this way; plan some hours for access right problems, and don't forget to restart the apache daemon after changes to those rights, sometimes it interferes...
enjoy!
greetings dalini
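
A check for the layout described in the message above, as an added example that is not part of the original post or of OpenCA. The function name and the finding labels are hypothetical; the install prefix, Apache user and Apache group are passed in as arguments, and only the paths etc/servers and var/tmp/openca_socket come from the post.

```shell
#!/bin/sh
# Added example (not OpenCA code): audit an installed tree against the
# ownership split described in the post.
# Usage: audit_openca_perms PREFIX WEB_USER WEB_GROUP   (PREFIX without trailing slash)
# Prints one finding per line and returns 1 if anything deviates, 0 if clean.
audit_openca_perms() {
    prefix=$1; web_user=$2; web_group=$3
    sock="$prefix/var/tmp/openca_socket"
    findings=$(
        # 1. Apache should own nothing in the tree.
        find "$prefix" -user "$web_user" \
            -exec printf 'OWNED_BY_WEB_USER %s\n' {} \;
        # 2. The Apache group may write to the socket and nothing else.
        find "$prefix" ! -type l ! -path "$sock" -group "$web_group" -perm -020 \
            -exec printf 'WEB_GROUP_WRITABLE %s\n' {} \;
        # 3. World-writable entries give Apache write access regardless of owner.
        find "$prefix" ! -type l -perm -002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
        # 4. The CGIs read etc/servers: needs world read or Apache-group read.
        if [ -d "$prefix/etc/servers" ]; then
            find "$prefix/etc/servers" -type f \
                ! \( -perm -004 -o \( -group "$web_group" -perm -040 \) \) \
                -exec printf 'CONF_UNREADABLE_BY_WEB %s\n' {} \;
        fi
        # 5. The CGIs must be able to write to the daemon socket (if it exists).
        if [ -e "$sock" ] &&
           [ -z "$(find "$sock" -group "$web_group" -perm -020)" ]; then
            printf 'SOCKET_NOT_WRITABLE_BY_WEB %s\n' "$sock"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Because the socket permissions are reset every time the daemon restarts, the check is most useful when run after the chown and chmod lines in openca_rc have been applied.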
