restricting access to local.inc

Brent J. Nordquist bjn@horde.org
Wed, 14 Mar 2001 05:54:11 -0600 (CST)


In bug 636 Prakash <ppuru@yahoo.com> writes:

> I have tried configuring the rights to local.inc as per the security
> document provided with the IMP distribution.
>
> I am not able to restrict access to local.inc.
>
> The current rights are
>
> ownership nobody.nobody , rwxr-x---

There are two types of access you need to be concerned about; you didn't
say which one you meant so I'll address them both.

(1)  Access by local users (from a shell on the IMP server).  The
permissions you have above are sufficient, assuming your Apache server
runs as user "nobody" group "nobody".  (Even better would be ownership
root.nobody, rwxr-x---, because it would prevent someone from using a bug
in Apache to alter local.inc).

(2)  Access by remote users (through a web browser).  Here, you can do two
things.  (a)  Install your PHPLIB directory outside the Apache documents
root (e.g., if your Horde is installed as /usr/local/apache/htdocs/horde
and htdocs is your documents root, put PHPLIB in
/usr/local/apache/phplib).  (b)  Use Apache configuration directives to
prevent the web server from serving the file... examples of those are in
imp/docs/SECURITY... just add another set for phplib.

-- 
Brent J. Nordquist <bjn@horde.org>
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
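
Added example, not part of the original message or of the IMP/Horde distribution: a shell check for both points in the reply above, namely that local.inc carries no permission bits for "other" and that it does not sit under the Apache document root. The function names and the paths you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Audit a PHPLIB local.inc for (1) local-user and (2) web exposure.
# Usage (paths are examples): sh audit.sh /path/to/local.inc /path/to/htdocs

# (1) Return 0 if FILE grants nothing to "other" (e.g. rwxr-x--- = 750).
no_world_access() {
    # GNU stat first, BSD stat as a fallback; both print the octal mode.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) \
        || return 2
    case "$mode" in
        *0) return 0 ;;   # last octal digit 0: no r/w/x for other
        *)  return 1 ;;
    esac
}

# (2) Return 0 if PATH lies below DOCROOT. Pure string comparison on
# absolute paths: symlinks and Apache Alias directives are not resolved.
inside_docroot() {
    root=${2%/}           # tolerate a trailing slash on the docroot
    case "$1" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run both checks, print findings, return non-zero if either fails.
audit_local_inc() {
    file=$1
    docroot=$2
    rc=0
    if ! no_world_access "$file"; then
        echo "FAIL: $file is readable/writable/executable by other users"
        rc=1
    fi
    if inside_docroot "$file" "$docroot"; then
        echo "WARN: $file is under $docroot; move PHPLIB outside it" \
             "or deny the file in the Apache configuration"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    audit_local_inc "$1" "$2"
fi
```

The script does not check ownership; compare the output of ls -l against the user and group your Apache actually runs as.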