[cvs] [Wiki] changed: SecurityTips

Wiki Guest wiki at wiki.horde.org
Sat Nov 27 10:08:39 PST 2004


guest [217.184.159.216]  Sat, 27 Nov 2004 10:08:39 -0800

Modified page: http://wiki.horde.org/display.php?page=SecurityTips
New Revision:  1.1

@@ -1 +1,38 @@
++++ Horde Security Tips
++++++ The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
 
+++++ Introduction
+The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.
+My httproot is {{/var/www}} and I made Horde store its stuff in {{/var/cache}} and {{/var/log}}.
+I'd like to here some opinions from administrators of other systems...
+----
+++++ Filesystem Permissions
+<code>
+chown -R apache.apache /var/www/html/horde
+</code>
+If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
+----
+++++ Apache/PHP Configuration
+The Horde documentation is suggesting an awfull lot of <Directory>-instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch> instruction //and// statisfy Horde's demands to PHP on the fly:
+<code>
+<Directory "/var/www/html/horde/">
+        php_admin_flag  safe_mode               off
+        php_admin_value include_dir             "/usr/share/pear"
+        php_admin_value open_basedir            "/var:/usr"
+        php_admin_flag  expose_php              off
+        php_admin_flag  display_errors          off
+        php_admin_flag  log_errors              on
+        php_admin_flag  register_globals        off
+</Directory>
+
+<DirectoryMatch "^\/var\/www\/html\/horde\/(.*\/)?(config|lib|locale|po|scripts|templates)(\/.*)?">
+  order deny,allow
+  deny from all
+</DirectoryMatch>
+</code>
+This way you can safely switch {{php_safe_mode}}globaly on and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
+The <DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
+Interesting read:
+* Guide on [http://www.regular-expressions.org RegularExpressions]
+* Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory <Directory>] instruction
+* Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch <DirectoryMatch>] instruction
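Review bot: `php_admin_value include_dir "/usr/share/pear"` in the <Directory> block sets a directive PHP does not have; the PHP ini directive is `include_path`, so as written the PEAR directory is never added to the include path and Horde will only find its PEAR dependencies if the global php.ini already lists /usr/share/pear. Change it to `php_admin_value include_path ".:/usr/share/pear"`. The same block turns `safe_mode` off for Horde while the prose below it refers to `{{php_safe_mode}}`; the flag is simply `safe_mode`. In the Filesystem Permissions section, `chown -R apache.apache /var/www/html/horde` makes every file in the tree, including config/conf.php and the application conf files, writable by the web server user, so any PHP code execution bug lets an attacker rewrite Horde's configuration; the tree should stay owned by root and readable by the server, with write access granted only to the directories that need it (here the cache and log locations under /var). The suexec sentence is also misleading: suexec only changes the user for CGI/SSI, and file ownership does not affect which user mod_php runs as, so with mod_php Horde runs as the Apache user regardless of this chown. Finally, the <DirectoryMatch> regex `^\/var\/www\/html\/horde\/(.*\/)?(config|lib|locale|po|scripts|templates)(\/.*)?` has no end anchor, so a directory whose name merely begins with one of those words (for example `libexec`) would also be denied; end it with `(\/.*)?$`.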

