[cvs] [Wiki] changed: SecurityTips

Wiki Guest wiki at wiki.horde.org
Sat Nov 27 12:25:40 PST 2004


guest [217.184.155.24]  Sat, 27 Nov 2004 12:25:40 -0800

Modified page: http://wiki.horde.org/display.php?page=SecurityTips
New Revision:  1.3

@@ -1,11 +1,10 @@
 +++ Horde Security Tips
 +++++ The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
 
 ++++ Introduction
-The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.
-My httproot is {{/var/www}} and I made Horde store its stuff in {{/var/cache}} and {{/var/log}}.
-I'd like to here some opinions from administrators of other systems...
+The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl and Horde 2.2.7.
+My Apache is serving most files out of {{/var/www/html}}. Thus my Horde installation lives in {{/var/www/html/horde}}. Please keep this in mind if you are applying any of these configurations on your system.
 ----
 ++++ Filesystem Permissions
 <code>
 chown -R apache.apache /var/www/html/horde
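Review bot: the rewritten introduction drops the sentence that said where Horde stores its cache and log file ({{/var/cache}} and {{/var/log}}), but the open_basedir explanation later on the page still justifies including {{/var}} with "the cache and the logfile for Horde", so a reader of the new text no longer knows which directories that refers to. Suggest keeping one sentence next to the new {{/var/www/html/horde}} path, e.g. "Horde's cache lives in {{/var/cache}} and its log file in {{/var/log}}", so the open_basedir value can be adapted by people whose installation puts those elsewhere.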
@@ -26,34 +25,55 @@
 ++++ Apache/PHP Configuration
 The Horde documentation is suggesting an awfull lot of <Directory> instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch> instruction //and// statisfy Horde's needs towards PHP on the fly:
 <code>
 <Directory "/var/www/html/horde/">
-  php_admin_flag  safe_mode        off         # Only needed if you have got safe_mode globally on
-  php_admin_value open_basedir     "/var:/usr" #	/usr b/c of PEAR. /var is needed for my installation...
-  php_admin_flag  expose_php       off         # always a good idea :)
-  php_admin_flag  display_errors   off         # If you do this (recomended by the PHP documentation, btw)...
-  php_admin_flag  log_errors       on          # ... you need to set this also. Don't forget to specify a logfile!
+  # Only needed if you have got safe_mode globally on
+  php_admin_flag  safe_mode        off
+
+  # /usr b/c of PEAR. /var is needed for my installation...
+  php_admin_value open_basedir     "/var:/usr" 
+
+  # always a good idea :)
+  php_admin_flag  expose_php       off
+
+  # If you do this (recomended by the PHP documentation, btw)...
+  php_admin_flag  display_errors   off
+
+  # ... you need to set this also - otherwise you'll have no idea what's wrong if something doesn't work.
+  # Don't forget to specify a logfile in your php.ini or elsewhere!
+  php_admin_flag  log_errors       on
   php_admin_flag  register_globals off
 </Directory>
 
-<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
+<DirectoryMatch "^\/var\/www\/html\/horde\/(.*\/)?(config|lib|locale|po|scripts|templates)(\/.*)?">
   order deny,allow
   deny  from all
 </DirectoryMatch>
+
+<LocationMatch "^\/horde\/(.*\/)?test\.php">
+  order deny,allow
+  deny  from all
+  allow from localhost
+</LocationMatch>
 </code>
-This way you can safely switch {{php_safe_mode}}globaly on and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
+This way you can safely switch {{php_safe_mode}} globaly on and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
 
 Please take note that you need to put this into your httpd.conf because the {{php_admin_*}} instructions won't work in a .htaccess file. If you do so, don't forget to use {{httpd -t}} to check for syntax errors in your httpd.conf before you restart your Apache. Apache 2.0.x allows you to place a config file into {{/etc/httpd/conf.d/}} so you can place the whole thing into a new file {{/etc/httpd/conf.d/horde.conf}}. If the directory {{/etc/httpd}} doesn't exist on your system, you may execute the following command on a shell to find out, what your Apache's config-directoy is:
 <code>
 httpd -V | grep HTTPD_ROOT
+httpd -V | grep SERVER_CONFIG_FILE
 </code>
 
 Also note that I used escaped slashes in the RegEx for the <DirectoryMatch> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
 
 The <DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
+<LocationMatch> prevents Horde's test.php scripts being accessed from the outside. The Horde documentation is suggesting to restrict //all// hosts. This example allows access from your localhost so you can run the tests via lynx, for instance.
+
 Interesting read:
 * Guide on [http://www.regular-expressions.org RegularExpressions]
 * [http://www.php.net/manual/en/ini.php List of core php.ini directives]
 * [http://www.php.net/manual/en/security.php PHP Security Manual]
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory <Directory>] instruction
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch <DirectoryMatch>] instruction
+* Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#locationmatch <LocationMatch>] instruction
 ----
+++++ MySQL Configuration
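Review bot: `allow from localhost` in the new <LocationMatch> block names a host rather than an address, which makes Apache perform a double reverse DNS lookup on the client for every request matching the pattern (regardless of HostnameLookups) and ties the rule to the resolver mapping 127.0.0.1 back to that name; use the address instead: `allow from 127.0.0.1`. Two smaller points in the same hunk: open_basedir entries are prefix matches, so `"/var:/usr"` also admits any top-level path that merely starts with those strings; end each entry with a slash (`"/var/:/usr/"`) to limit it to the directories themselves. And because <LocationMatch> keys on the URL, the test.php rule only applies when Horde is reached under /horde/; a `<FilesMatch "^test\.php$">` carrying the same order/deny/allow lines inside the existing <Directory "/var/www/html/horde/"> block would bind the restriction to the file regardless of the URL path. Finally, the prose after the block refers to {{php_safe_mode}} while the directive in the config is `safe_mode`; the two should match.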