Thanks, all those suggestions help and have been observed. But I still worry about some remote attacker tricking the firewall into somehow sending or exposing the contents of the config.xml file. It kind of feels like having an /etc/passwd or /etc/shadow file where the password fields are plain text.
Is it not possible to have the webgui account to be a more limited firewall administrator account, or something along those lines, using sudo, etc.? Also, I notice that even after the upgrade to latest snapshot, my latest /conf/backup/conf*.xml files still switch to world read permissions, even though my /conf/config.xml is just rw by owner only. As a precaution, I do have permissions on the directories themselves restricted to 700, but I don't think this is the default.
