On 3/29/06, LJ Rand <[EMAIL PROTECTED]> wrote:
>
> Thanks, all those suggestions help and have been
> observed.
>
> But I still worry about some remote attacker tricking
> the firewall into somehow sending or exposing the
> contents of the config.xml file. It kind of feels
> like having an /etc/passwd or /etc/shadow file where
> the password fields are plain text.
Uhhh, what's the difference from FreeBSD's rc.conf in this case!? The CARP passwords would be listed in rc.conf on a stock FreeBSD system, too... So I fail to see your point. And how would someone "trick" the system into showing this file if the web service is firewalled off? I think you're just nit-picking at this point to nit-pick.

> Is it not possible to have the webgui account be a
> more limited firewall administrator account, or
> something along those lines, using sudo, etc.?

Patches accepted.

> Also, I notice that even after the upgrade to latest
> snapshot, my latest /conf/backup/conf*.xml files still
> switch to world read permissions, even though my
> /conf/config.xml is just rw by owner only. As a
> precaution, I do have permissions on the directories
> themselves restricted to 700, but I don't think this
> is the default.

The changes I made only apply to new installs. Nothing is in place to magically change this.
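Since the reply above says the tightened permissions only land on new installs, an existing box needs an explicit audit and fix of the /conf tree. The script below is an added example, not code from this thread or from the pfSense project: it finds config files readable or writable by group/other and tightens directories to 0700 and files to 0600. The sample tree it builds (a 0600 config.xml next to a 0644 backup under a 0755 backup directory) is constructed to mirror the symptom LJ Rand reports; the path names and the CARP password inside are placeholders.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or pfSense itself):
# audit and tighten permissions on a pfSense-style /conf tree.
# Assumptions: config lives in $CONF_DIR/config.xml with backups in
# $CONF_DIR/backup/conf*.xml, all owned by the account running this.

# Print every regular file under $1 that is readable or writable by
# group or other. Returns 0 when nothing is exposed, 1 otherwise.
find_world_readable() {
    dir=$1
    found=$(find "$dir" -type f \
        \( -perm -g+r -o -perm -o+r -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Owner-only everywhere: directories 0700 (no traversal for others),
# files 0600. Safe to re-run; a later snapshot that writes a new
# backup with a loose mode is caught by running the audit again.
tighten_conf_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 0700 {} +
    find "$dir" -type f -exec chmod 0600 {} +
}

# Constructed sample tree mirroring the complaint in the thread:
# config.xml is 0600 but the backup copy of it is world-readable.
# Prints the path of the fake /conf directory.
make_sample_conf() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf/backup"
    printf '<pfsense><carp><password>placeholder</password></carp></pfsense>\n' \
        > "$tmp/conf/config.xml"
    cp "$tmp/conf/config.xml" "$tmp/conf/backup/config-1143590400.xml"
    chmod 0600 "$tmp/conf/config.xml"
    chmod 0644 "$tmp/conf/backup/config-1143590400.xml"   # the leak
    chmod 0755 "$tmp/conf/backup"
    printf '%s\n' "$tmp/conf"
}

# Usage on a real firewall (audit only, or audit then fix):
#   sh conf_perms.sh /conf
#   sh conf_perms.sh /conf fix
if [ -n "${1:-}" ]; then
    if ! find_world_readable "$1"; then
        echo "group/other-readable files found under $1" >&2
        if [ "${2:-}" = fix ]; then
            tighten_conf_perms "$1"
        fi
    fi
fi
```

The audit deliberately flags group-readable as well as world-readable files, since the failure mode in the thread is a backup copy inheriting a looser mode than the original; directory modes are tightened too because a 0600 file inside a 0755 directory is still enumerable by name.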
