Mike Bilow [mailto:mikebw@colossus.bilow.com] wrote:
> This is a critically important point, and it is good that it was made.
[snip]
Also need to say:
I agree with you that not allowing a web user to download your OpenSRS.conf
file is a good idea, and storing it outside of the document root is a good
idea -- and all of this needs to be said -- but don't stop there. Make sure
people are informed that if they don't do the proper UNIX permissions thing
anyone on the system can read the file. I'm not sure that OpenSRS can easily
give people a "how to" that will secure the OpenSRS.conf file in this manner
because it's a tricky site-specific thing that needs to be done.
However, please, please inform people and don't stop your security discussion
at keeping the OpenSRS.conf file out of the document root.
Now I have to bow out of the thread. I've made my point and I've got too much
work to do. :-)
- David Harris
Principal Engineer, DRH Internet Inc.
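
The check the message asks for can be scripted. The following is an added example, not part of the original message and not OpenSRS code. It reports whether the "other" read bit on a config file leaves it open to every local account, or whether a parent directory without "other" search permission shields it. The function names and the path passed in are assumptions.

```shell
#!/bin/sh
# Added example: audit local-user exposure of a config file such as OpenSRS.conf.
# Usage: sh audit_conf.sh /path/to/OpenSRS.conf   (script name and path are assumptions)

# world_readable PATH -> exit 0 if the "other" read bit (004) is set.
# find -L follows a symlink so the target's mode is what gets tested.
world_readable() {
    [ -n "$(find -L "$1" -prune -perm -004 2>/dev/null)" ]
}

# dir_blocks_others DIR -> exit 0 if "other" lacks search (001) on DIR,
# which stops unrelated accounts from reaching anything beneath it.
dir_blocks_others() {
    [ -z "$(find -L "$1" -prune -perm -001 2>/dev/null)" ]
}

# conf_exposure FILE -> prints one of:
#   missing          FILE does not exist
#   no-world-read    "other" read bit is clear (group bits are a separate, site-specific call)
#   shielded-by-dir  file is world-readable, but an ancestor directory denies "other" search
#   exposed          any local account can open the file
conf_exposure() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return 2; fi
    if ! world_readable "$f"; then echo no-world-read; return 0; fi
    # Resolve to an absolute path so the walk always terminates at /.
    d=$(cd "$(dirname "$f")" && pwd -P) || return 2
    while :; do
        if dir_blocks_others "$d"; then echo shielded-by-dir; return 0; fi
        if [ "$d" = "/" ]; then break; fi
        d=$(dirname "$d")
    done
    echo exposed
    return 1
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    conf_exposure "$1"
fi
```

Which owner and group the file should end up with depends on the account the web server runs the OpenSRS scripts as, which is the site-specific part.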