[horde] protecting config dir passwords

Eric Rostetter eric.rostetter at physics.utexas.edu
Sun Jun 8 17:44:31 PDT 2003 

Quoting anthony <apryan at erols.com>:

> Hello,
>     I am looking for a solution in protecting the config dir from being read
> by users on the same unix machine as the webserver.

>From CVS HEAD's horde/doc/SECURITY:

If you use a Unix system, one way to make the configuration files and
directories accessible only to the web server is as follows.  Here we
assume that the web server runs as the user "apache" and the files
are located in /home/httpd/html -- substitute the correct user or file
path if needed.
 
# chown -R apache /home/httpd/html/horde/config
# chown -R apache /home/httpd/html/horde/*/config
# chmod -R go-rwx /home/httpd/html/horde/config
# chmod -R go-rwx /home/httpd/html/horde/*/config
                                                                                
For completely fascist permissions, you can make the entire Horde tree
inaccessible by anyone except the web server user (and root):
                                                                                
# chown -R apache /home/httpd/html/horde
# chmod -R go-rwx  /home/httpd/html/horde
# chmod -R a-w   /home/httpd/html/horde/
                                                                                
Note that the last line makes all files unwritable by any user (only root
can override this).  This makes the site secure, but may make it more
difficult to administrate.  In particular, it will defeat the Horde
administrative configuration interface, forcing you to update the Horde
configuration files manually (as per the INSTALL instructions).
                                                                               
>  Also, chmod'ing with
> the user and group of apache, would allow any users who has apache setups to
> simply create a script to see the file.

Only if you allow your users to execute scripts (I don't) and if those
scripts are not run in a chroot environment and/or under that user's
credentials.  You should not be allowing your users to run scripts as
the apache user outside of a chroot jail.  You should at least run
something like suexec that makes the user's scripts run under their
own user account rather than as apache.
 
>     Any ideas besides relocating the data?

Yes.  Standard apache configuration issues...

> thanks

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!

More information about the horde mailing list