[cvs] [Wiki] changed: SecurityTips

Wiki Guest wikiguest at horde.org
Mon Oct 30 09:00:38 PST 2006


guest [217.191.130.250]  Mon, 30 Oct 2006 09:00:38 -0800

Modified page: http://wiki.horde.org/SecurityTips
New Revision:  2.1
Change log:  A few improvements and updated information

@@ -8,9 +8,9 @@
  
  ----
  
  +++ Introduction
-The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl and Horde 2.2.7.
+The configuration examples here have been tested by me on a Fedora Core 3 system running Apache 2.2.3 with mod_ssl and Horde 3.1.3.
  My Apache is serving most files out of {{/var/www/html}}. Thus my Horde installation lives in {{/var/www/html/horde}}. Please keep this in mind if you are applying any of these configurations on your system.
  
  ----
  
@@ -28,9 +28,14 @@
  This will prevent any of your config-files to be accessed from the outside. If that's not enough for you, try this:
  <code>
  chmod -R a-w   /var/www/html/horde/
  </code>
-That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (and will) cause problems if you are planning to use Horde's built-in administration routines.
+That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (and will) cause problems if you are planning to use Horde's built-in administration routines. To lift this a bit, you can restrict write-access to the only files that really need to be written by the webserver:
+<code>
+chmod u+w /var/www/html/horde/config/config.php*
+chmod u+w /var/www/html/horde/config/*/config.php*
+</code>
+Explanation: config.php will be your newly generated configuration file, config.php.bak will be a backup of your old one
  
  ----
  
  +++ Apache/PHP Configuration
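Review bot: the added `chmod u+w` lines only achieve what the text promises if those files are owned by the user Apache runs as (`apache` on Fedora); after `chmod -R a-w` on a root-owned tree, `u+w` grants write back to root, which never lost it in practice, and Horde's administration setup still cannot write its configuration. Either `chown apache` the specific files first or state that ownership precondition next to the commands. Two smaller points in the same lines: "unwritable by anyone except root" describes root bypassing permission bits, not something the `chmod` does, and since the introduction now says Horde 3.1.3, please confirm that the setup screen on that version really writes `config/config.php` and `config.php.bak`; if the generated file is named differently, the globs `config/config.php*` and `config/*/config.php*` match nothing and the relaxation has no effect. ("restrict write-access to the only files" should read "to only the files".)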
@@ -40,10 +45,12 @@
    Options none
    # Only needed if you have got safe_mode globally on
    php_admin_flag  safe_mode        off
  
-  # /usr b/c of PEAR. /var is needed for my installation...
-  php_admin_value open_basedir     "/var:/usr" 
+  # /usr/share/pear is needed for PEAR. /var/www/html/horde is needed for Horde itself
+  # You might want to add /usr/bin for applications like Chora that are calling external binaries
+  # TODO: Set an appropriate include_path, too. Might even increase speed a bit.
+  php_admin_value open_basedir     "/var/www/html/horde:/usr/share/pear" 
  
    # always a good idea :)
    php_admin_flag  expose_php       off
  
@@ -55,13 +62,15 @@
    php_admin_flag  log_errors       on
    php_admin_flag  register_globals off
  </Directory>
  
+# Deny access to files that are not served directly by the webserver
  <DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)/(.*)?">
    order deny,allow
    deny  from all
  </DirectoryMatch>
  
+# Deny access to the test.php files except from localhost
  <LocationMatch "^/horde/(.*/)?test.php">
    order deny,allow
    deny  from all
    allow from localhost
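Review bot: `allow from localhost` in the `<LocationMatch>` block is a hostname rule, which makes Apache perform a double reverse DNS lookup for clients requesting `test.php` and relies on the resolver mapping 127.0.0.1 back to `localhost`; `allow from 127.0.0.1` (plus `::1` if IPv6 is bound) is the robust form and is what an SSH tunnel will appear as anyway. In the `<DirectoryMatch>` pattern the trailing `(.*)?` is redundant and the unescaped `.` in `test.php` matches any character; minor, but worth tightening given that the prose below discusses escaping. The new comment "files that are not served directly by the webserver" inverts the intent: these directories are denied precisely so that the webserver does not serve them directly; "files that must not be requested directly" says what is meant.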
@@ -77,9 +86,9 @@
  
  Also note that I used escaped slashes in the !RegEx for the <!DirectoryMatch> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
  
  The <!DirectoryMatch>-instruction is restricting access to the folders //config//, //lib//, //locale//, //po//, //scripts// and //templates// in Horde and all its applications.
-<!LocationMatch> prevents Horde's test.php scripts being accessed from the outside. The Horde documentation is suggesting to restrict //all// hosts. This example allows access from your local host so you can run the tests via [http://lynx.browser.org/ lynx], for instance.
+<!LocationMatch> prevents Horde's test.php scripts being accessed from the outside. The Horde documentation is suggesting to restrict //all// hosts. This example allows access from your local host so you can run the tests via [http://lynx.browser.org/ lynx] or a SSH tunnel.
  
  
  * Guide on [http://www.regular-expressions.org/ RegularExpressions]
  * [http://www.php.net/manual/en/ini.php List of core php.ini directives]
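Review bot: "a SSH tunnel" should read "an SSH tunnel". The unchanged paragraph just above still says escaped slashes were used in the `<DirectoryMatch>` regex, but the pattern in the Apache block in the previous hunk contains no backslashes at all; either the wiki stripped them (in which case the configuration should be re-checked before anyone copies it) or the paragraph should be corrected to match.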
@@ -109,9 +118,9 @@
  </code>
  This example will bind the !MySQL-server to the local host at port 3306 (!MySQL default).
  
  Also make sure that your password for Horde's database is //safe// (even if you disabled networking support).
-
+**Hint:** phpMyAdmin 2.7+ lets you generate randomized passwords consisting of all printable characters with sufficient length.
  
  * !MySQL Documentation -- [http://dev.mysql.com/doc/refman/5.0/en/server-options.html mysqld Command-Line Options]
  * !MySQL Documentation -- [http://dev.mysql.com/doc/refman/5.0/en/security.html General Security Issues]
  * !MySQL Documentation -- [http://dev.mysql.com/doc/refman/5.0/en/optimizing-the-server.html MySQL Optimizations]
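Review bot: the phpMyAdmin hint skips the constraint that matters here: the generated password is pasted into Horde's PHP configuration as a string literal, so a password drawn from "all printable characters" will contain quotes or backslashes (and, depending on quoting style, `$`) that must be escaped or the config breaks. Suggest saying so, and offering a command-line generator that does not require installing another web application on a host being hardened, e.g. `openssl rand -base64 24`.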
@@ -125,6 +134,7 @@
  There's only one thing: Keep your installation of PEAR up to date. Here's how:
  <code>
  pear upgrade-all
  </code>
+It's perfectly safe to put this into your crontab to let PEAR upgrade itself.
  
  * [http://pear.php.net/ PHP Extension and Application Repository] (PEAR) Homepage
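Review bot: "perfectly safe" overstates it: an unattended `pear upgrade-all` from cron installs whatever the channel currently publishes, with no chance to review changelogs or check that the new package versions are still compatible with the Horde release in use, and a failed or half-applied upgrade in the middle of the night takes the webmail down until someone notices. Safer: run `pear list-upgrades` from cron and mail the output, then upgrade deliberately, or at least capture the output of `upgrade-all` and try it on a staging host first.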

