From: perryh@pluto.rain.com
Date: Wed, 20 May 2009 14:43:57 -0700
To: alexus@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: proftpd TLS

alexus wrote:
> ... I guess my main concern is not to run it as root now

AFAIK it is normal for a daemon to run as root if it expects to
receive login credentials:

* For any but the most minimal authentication scheme, it must be
  root to authenticate the credentials.  (A scheme which enables
  an untrusted program to authenticate login credentials is
  vulnerable to brute-force attacks.)

* Regardless of the authentication scheme, it must be root in
  order to assume the identity of the newly logged in user.
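
The identity switch described in the second bullet above, as an added C example (not part of the original message and not proftpd's code). The function names and the sample id 65534 are assumptions made for illustration; a real daemon would normally load the user's supplementary groups with initgroups() instead of the single-group setgroups() call used here.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently take on uid/gid, as a login daemon does after it has
 * authenticated a user. Returns 0 on success, -1 with errno set. */
int become_user(uid_t uid, gid_t gid)
{
    /* Groups first, uid last: once the uid is dropped the process no
     * longer has the privilege needed to change its groups. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* A correct drop cannot be undone; regaining root counts as failure. */
    if (uid != 0 && setuid(0) == 0) { errno = EACCES; return -1; }
    return 0;
}

/* Run become_user() in a child so the caller keeps its own identity.
 * Returns 0 if the switch worked, the child's errno if the kernel
 * refused it, or -1 if fork/wait failed. */
int switch_in_child(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(become_user(uid, gid) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* 65534 is a constructed sample id (commonly "nobody"). */
    int r = switch_in_child(65534, 65534);
    printf("euid=%d: switch to 65534 -> %s\n", (int)geteuid(),
           r == 0 ? "ok" : r > 0 ? strerror(r) : "fork failed");
    return 0;
}
```

Started as an ordinary user, the switch is refused with EPERM; started as root, it succeeds and the child cannot return to uid 0.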