[cvs] [Wiki] changed: SecurityTips

Jan Schneider jan at horde.org
Sun Nov 28 06:12:15 PST 2004


jan  Sun, 28 Nov 2004 06:12:15 -0800

Modified page: http://wiki.horde.org/display.php?page=SecurityTips
New Revision:  1.6

@@ -1,12 +1,15 @@
-+++ Horde Security Tips
-+++++ The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
+++ Horde Security Tips
 
-++++ Introduction
+The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
+
++++ Introduction
 The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl and Horde 2.2.7.
 My Apache is serving most files out of {{/var/www/html}}. Thus my Horde installation lives in {{/var/www/html/horde}}. Please keep this in mind if you are applying any of these configurations on your system.
+
 ----
-++++ Filesystem Permissions
+
++++ Filesystem Permissions
 <code>
 chown -R apache.apache /var/www/html/horde
 </code>
 This will change the user and the group of all files belonging to your Horde installation to the user and group of your Apache webserver. If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
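Review bot: the suexec sentence on the last context line does not follow from the command above it and should be reworded or dropped: `chown -R apache.apache` only changes which uid/gid owns the Horde files, which is a separate matter from how Apache or suexec launches Horde; the line also has "shipps" for "ships". The heading changes (demoting `+++` to `++` and moving the introductory paragraph out of the heading into its own line) are fine.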
@@ -20,11 +23,13 @@
 <code>
 chmod -R a-w   /var/www/html/horde/
 </code>
 That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (and will) cause problems if you are planning to use Horde's built-in administration routines.
+
 ----
-++++ Apache/PHP Configuration
-The Horde documentation is suggesting an awfull lot of <Directory> instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch> instruction //and// statisfy Horde's needs towards PHP on the fly:
+
++++ Apache/PHP Configuration
+The Horde documentation is suggesting an awfull lot of <Directory> instructions to secure Hore. I've found a way to limit those to one <Directory> and one <!DirectoryMatch> instruction //and// statisfy Horde's needs towards PHP on the fly:
 <code>
 <Directory "/var/www/html/horde/">
   # Only needed if you have got safe_mode globally on
   php_admin_flag  safe_mode        off
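Review bot: the rewritten sentence at the top of the hunk still carries the typos "awfull", "Hore" and "statisfy"; since the line is already being edited to add the `!` escape on `<!DirectoryMatch>` (suppressing the wiki's CamelCase linking), fix them to "awful", "Horde" and "satisfy" in the same change.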
@@ -62,54 +67,57 @@
 httpd -V | grep HTTPD_ROOT
 httpd -V | grep SERVER_CONFIG_FILE
 </code>
 
-Also note that I used escaped slashes in the RegEx for the <DirectoryMatch> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
+Also note that I used escaped slashes in the !RegEx for the <!DirectoryMatch> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
 
-The <DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
-<LocationMatch> prevents Horde's test.php scripts being accessed from the outside. The Horde documentation is suggesting to restrict //all// hosts. This example allows access from your local host so you can run the tests via [http://lynx.browser.org/ lynx], for instance.
+The <!DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
+<!LocationMatch> prevents Horde's test.php scripts being accessed from the outside. The Horde documentation is suggesting to restrict //all// hosts. This example allows access from your local host so you can run the tests via [http://lynx.browser.org/ lynx], for instance.
 
 
 * Guide on [http://www.regular-expressions.org/ RegularExpressions]
 * [http://www.php.net/manual/en/ini.php List of core php.ini directives]
 * [http://www.php.net/manual/en/security.php PHP Security Manual]
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory <Directory>] instruction
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch <DirectoryMatch>] instruction
 * Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#locationmatch <LocationMatch>] instruction
+
 ----
-++++ MySQL Configuration
-There's little to do. If you do not need the networking part of your MySQL installation and can rely on UNIX-sockets, you can disable it by adding the following line into your {{etc/my.cnf}} in the {{[mysqld]}} section:
+
++++ !MySQL Configuration
+There's little to do. If you do not need the networking part of your !MySQL installation and can rely on UNIX-sockets, you can disable it by adding the following line into your {{etc/my.cnf}} in the {{[mysqld]}} section:
 <code>
 skip-networking
 </code>
 This will also decrease the size of your mysql-threads. if you want even more free RAM, also add:
 <code>
 skip-innodb
 skip-bdb
 </code>
-This will turn off the InnoDB addon and support for Berkeley Databases.
+This will turn off the !InnoDB addon and support for Berkeley Databases.
 
-If you absolutely //need// TCP-connections to your MySQL server, you can specify port and IP-address in the same section:
+If you absolutely //need// TCP-connections to your !MySQL server, you can specify port and IP-address in the same section:
 <code>
 bind-address=127.0.0.1
 port=3306
 </code>
-This example will bind the MySQL-server to the local host at port 3306 (MySQL default).
+This example will bind the !MySQL-server to the local host at port 3306 (!MySQL default).
 
 Also make sure that your password for Horde's database is //safe// (even if you disabled networking support).
 
 
-* MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/Server_options.html mysqld Command-Line Options]
-* MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/Security.html General Security Issues]
-* MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/MySQL_Optimization.html MySQL Optimizations]
+* !MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/Server_options.html mysqld Command-Line Options]
+* !MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/Security.html General Security Issues]
+* !MySQL Documentation -- [http://dev.mysql.com/doc/mysql/en/MySQL_Optimization.html MySQL Optimizations]
 * Informations about the [http://dev.mysql.com/doc/mysql/en/BDB_storage_engine.html Berkeley Storage Engine] (BDB)
 * Informations about the [http://dev.mysql.com/doc/mysql/en/InnoDB.html InnoDB Storage Engine]
 * [http://www.vbulletin.com/forum/archive/index.php/t-93517 Tweaked my.cnf]
+
 ----
-++++ PEAR Security
+
++++ PEAR Security
 There's only one thing: Keep your installation of PEAR up to date. Here's how:
 <code>
 pear upgrade-all
 </code>
-
 
 * [http://pear.php.net/ PHP Extension and Application Repository] (PEAR) Homepage
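Review bot: the rewritten line "you can disable it by adding the following line into your {{etc/my.cnf}}" keeps a path without its leading slash; as this line is already being edited for the `!MySQL` escape, change it to `{{/etc/my.cnf}}`. Two unchanged context lines in this hunk also read "Informations about the ..." and should read "Information about the ...".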

