[cvs] [Wiki] changed: SecurityTips

Wiki Guest wiki at wiki.horde.org
Sat Nov 27 11:35:17 PST 2004 

guest [217.184.159.216]  Sat, 27 Nov 2004 11:35:17 -0800

Modified page: http://wiki.horde.org/display.php?page=SecurityTips
New Revision:  1.2

@@ -9,30 +9,51 @@
 ++++ Filesystem Permissions
 <code>
 chown -R apache.apache /var/www/html/horde
 </code>
-If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
+This will change the user and the group of all files belonging to your Horde installation to the user and group of your Apache webserver. If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
+
+If you want more restrictive settings, you might try the following:
+<code>
+chmod -R go-rwx /var/www/html/horde/config
+chmod -R go-rwx /var/www/html/horde/*/config
+</code>
+This will prevent any of your config-files to be accessed from the outside. If that's not enough for you, try this:
+<code>
+chmod -R a-w   /var/www/html/horde/
+</code>
+That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (an will) cause problems if you are planning to use Horde's built-in administration routines.
 ----
 ++++ Apache/PHP Configuration
-The Horde documentation is suggesting an awfull lot of <Directory>-instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch> instruction //and// statisfy Horde's demands to PHP on the fly:
+The Horde documentation is suggesting an awfull lot of <Directory> instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch> instruction //and// statisfy Horde's needs towards PHP on the fly:
 <code>
 <Directory "/var/www/html/horde/">
-        php_admin_flag  safe_mode               off
-        php_admin_value include_dir             "/usr/share/pear"
-        php_admin_value open_basedir            "/var:/usr"
-        php_admin_flag  expose_php              off
-        php_admin_flag  display_errors          off
-        php_admin_flag  log_errors              on
-        php_admin_flag  register_globals        off
+  php_admin_flag  safe_mode        off         # Only needed if you have got safe_mode globally on
+  php_admin_value open_basedir     "/var:/usr" #	/usr b/c of PEAR. /var is needed for my installation...
+  php_admin_flag  expose_php       off         # always a good idea :)
+  php_admin_flag  display_errors   off         # If you do this (recomended by the PHP documentation, btw)...
+  php_admin_flag  log_errors       on          # ... you need to set this also. Don't forget to specify a logfile!
+  php_admin_flag  register_globals off
 </Directory>
 
-<DirectoryMatch "^\/var\/www\/html\/horde\/(.*\/)?(config|lib|locale|po|scripts|templates)(\/.*)?">
+<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
   order deny,allow
-  deny from all
+  deny  from all
 </DirectoryMatch>
 </code>
 This way you can safely switch {{php_safe_mode}}globaly on and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
+
+Please take note that you need to put this into your httpd.conf because the {{php_admin_*}} instructions won't work in a .htaccess file. If you do so, don't forget to use {{httpd -t}} to check for syntax errors in your httpd.conf before you restart your Apache. Apache 2.0.x allows you to place a config file into {{/etc/httpd/conf.d/}} so you can place the whole thing into a new file {{/etc/httpd/conf.d/horde.conf}}. If the directory {{/etc/httpd}} doesn't exist on your system, you may execute the following command on a shell to find out, what your Apache's config-directoy is:
+<code>
+httpd -V | grep HTTPD_ROOT
+</code>
+
+Also note that I used escaped slashes in the RegEx for the <DirectoryMatch> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
+
 The <DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
 Interesting read:
 * Guide on [http://www.regular-expressions.org RegularExpressions]
+* [http://www.php.net/manual/en/ini.php List of core php.ini directives]
+* [http://www.php.net/manual/en/security.php PHP Security Manual]
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory <Directory>] instruction
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch <DirectoryMatch>] instruction
+----

More information about the cvs mailing list