Date: Fri, 22 Mar 2002 20:39:26 -0500
From: "Dave" <dave@hawk-systems.com>
To: <freebsd-isp@freebsd.org>
Subject: RE: Questions about Apache
Message-ID: <DBEIKNMKGOBGNDHAAKGNCEKJNGAA.dave@hawk-systems.com>
In-Reply-To: <001c01c1d1f1$eda14fe0$3200a8c0@riker>
>I would argue the opposite, a script that is only executable by the
>webserver, and checks the UID of the user executing it (and possibly
>encrypting it with a reversible encryption based on something unique to
>the system such as the hostname, as well as parameters specified on the
>command line) is considerably more secure than simply leaving the key
>unencrypted.
>
>Consider the case when some random buffer overflow in your webserver
>allows an intruder to execute arbitrary code on the server. It is
>(obviously) trivial for them to retrieve the unencrypted key from the
>disk, as the web server user must be able to read it anyway. If it is
>encrypted, they must not only retrieve the key, but also determine which
>executable generates the pass phrase, determine what parameters are
>required to run it and finally run it, all without reading the
>executable itself to determine its structure.

Um... no. If the webserver can execute the script to decrypt the passphrase, then your access as indicated above would give them the ability to execute that same script (or read it) and reverse your encryption, since the permission they would inherit from the overflow would likely be whatever your web server is running as (unless I am misunderstanding your description).

The recommendation being to have the keys readable only by root (chmod 600), then you can start apache via root, then direct apache via the conf file to run as user www (or whatever)... starting as root allows it to read the key (which is readable only by root), and apache runs all requests as the user specified in the conf file. Given your buffer overflow, they would logically inherit the permission of the web server (www, apache, nobody...) and not be able to view the directory or key files at all, nor any other files on the server if you are set up correctly, a far better setup than having a file readable by the web server user.
Dave
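A small audit script for the setup Dave describes (key owned by root, mode 0600, Apache started as root and switched to an unprivileged account), added here as an example and not part of the original thread. It models the classic Unix read check so you can confirm the web-server account could not open the key; the default key path and the `www` user name are assumptions.

```python
"""Check whether a web-server account could read a private-key file.

Models the Unix discretionary read check (root bypass, then owner bits,
then group bits, then other bits) to verify the root-only key setup.
"""
import grp
import os
import pwd
import stat


def can_read(uid, gids, st_uid, st_gid, st_mode):
    """Return True if a process with (uid, gids) may read a file with the
    given owner, group and permission bits (classic DAC rules)."""
    if uid == 0:                     # root bypasses the DAC read check
        return True
    if uid == st_uid:                # owner: only the user bits count
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:               # group member: only the group bits count
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def audit_key_file(path, web_user):
    """Return (ok, reason): ok is True when root owns the file, its mode is
    exactly 0600 and the web-server account cannot read it."""
    st = os.stat(path)
    pw = pwd.getpwnam(web_user)
    # Primary group plus any supplementary groups the account belongs to.
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if web_user in g.gr_mem}
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        return False, f"{path}: owner uid {st.st_uid}, expected root (0)"
    if mode != 0o600:
        return False, f"{path}: mode {mode:04o}, expected 0600"
    if can_read(pw.pw_uid, gids, st.st_uid, st.st_gid, st.st_mode):
        return False, f"{path}: readable by {web_user}"
    return True, f"{path}: root-only, not readable by {web_user}"


if __name__ == "__main__":
    import sys
    # Assumed defaults for illustration; override as: script.py <path> <user>
    key_path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/apache/ssl.key/server.key"
    user = sys.argv[2] if len(sys.argv) > 2 else "www"
    ok, reason = audit_key_file(key_path, user)
    print(("OK   " if ok else "FAIL ") + reason)
    sys.exit(0 if ok else 1)
```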