> > I'm hesitant to start giving read access to all the
> > application's "run as" users to the ssl directories.
> > Consequently I'm wondering whether the openssl
> > libs have root access even though Apache might be running
> > as "nobody"? Or, do I duplicate all the certs
> > in each app's respective directories? Or even,
> > do I create a new user id for all of those apps to run as
> > so that I can grant access to a common directory?
> > How's this normally handled by yourself and others?
>
> I do not at all believe that the SSL libraries have ANY access
> permissions above and beyond those of the process calling them.
>
> IMHO giving somebody read access to a certificate is not a security
> exposure. Anybody can connect to a secure server's port and get a
> list of certificates at any time. Only the private keys should be
> sacred.
>
> --
> Charles B (Ben) Cranston
Thank you. So therefore it reasons that it would be fine to place all of my certificates in my /usr/local/ssl directory, chown that 755 and chgrp it root:root, making sure that the /private directory is 700 root:root? Is that correct?

However, I still don't know about the empty /certs directory. Am I supposed to copy /usr/local/src/openssl-0.9.7b/certs/ to /usr/local/ssl/certs? It seems strange that the install script wouldn't have done that as well if it were needed.

Thank you,
Dann Daggett

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
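The layout the thread settles on (a world-readable certs/ directory, a private/ directory and its keys readable only by the owner) is easy to get slightly wrong when several services share it. The script below is an added example, not something posted in the thread or shipped by OpenSSL: it audits the mode bits of such a tree and reports every deviation. It builds its own constructed copy of the layout under a temporary directory so it runs without root, checks permission bits only (ownership by root, as Dann asks about, cannot be set up unprivileged), and assumes GNU/busybox `stat -c '%a'` is available. Function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an OpenSSL-style directory tree for permission mistakes.
# Rules checked:
#   private/ and every file in it deny all access to group and other
#   certs/ and its files may be world-readable but never group/other writable
#     (a service user able to replace a certificate is a problem even though
#      reading one is not)
# Hypothetical helper names; paths are constructed in a temp dir, not the
# real /usr/local/ssl.

# audit_ssl_dir BASE: report each problem on stderr, print the number of
# findings on stdout, and always exit 0 so the count can be captured.
audit_ssl_dir() {
    base=$1
    findings=0
    priv="$base/private"
    if [ -d "$priv" ]; then
        # the directory itself and each key must have no group/other bits
        for f in "$priv" "$priv"/*; do
            [ -e "$f" ] || continue
            mode=$(stat -c '%a' "$f")
            # leading 0 makes the arithmetic treat the digits as octal
            if [ $((0$mode & 077)) -ne 0 ]; then
                echo "FAIL: $f is mode $mode; group/other must have no access" >&2
                findings=$((findings + 1))
            fi
        done
    else
        echo "FAIL: $priv does not exist" >&2
        findings=$((findings + 1))
    fi
    if [ -d "$base/certs" ]; then
        # certificates are public data; only the write bits matter here
        for f in "$base/certs" "$base"/certs/*; do
            [ -e "$f" ] || continue
            mode=$(stat -c '%a' "$f")
            if [ $((0$mode & 022)) -ne 0 ]; then
                echo "FAIL: $f is mode $mode; group/other must not write" >&2
                findings=$((findings + 1))
            fi
        done
    fi
    echo "$findings"
}

# make_layout DIR KEYMODE: build a constructed /usr/local/ssl-style tree under
# DIR (755 top level, 755 certs/, 700 private/) with the key file set to
# KEYMODE, so both a correct and a sloppy layout can be audited.
make_layout() {
    dir=$1
    keymode=$2
    mkdir -p "$dir/certs" "$dir/private"
    chmod 755 "$dir" "$dir/certs"
    chmod 700 "$dir/private"
    : > "$dir/certs/server.crt"
    chmod 644 "$dir/certs/server.crt"
    : > "$dir/private/server.key"
    chmod "$keymode" "$dir/private/server.key"
}

# Demonstration: one correct layout, one with a key left group/world readable.
good=$(mktemp -d)
make_layout "$good" 600
bad=$(mktemp -d)
make_layout "$bad" 644
echo "findings in correct layout: $(audit_ssl_dir "$good")"
echo "findings in sloppy layout:  $(audit_ssl_dir "$bad")"
rm -rf "$good" "$bad"
```

Run against a real tree with `audit_ssl_dir /usr/local/ssl` after sourcing the functions; a non-zero count means a key or directory grants more than the thread's recommendation of 700 for private/ and owner-only write on certs/.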