+++ Horde Security Tips
+++++ The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
++++ Introduction
The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.
My httproot is {{/var/www}} and I made Horde store its stuff in {{/var/cache}} and {{/var/log}}.
I'd like to here some opinions from administrators of other systems...
++++ Filesystem Permissions
chown -R apache.apache /var/www/html/horde
This will change the user and the group of all files belonging to your Horde installation to the user and group of your Apache webserver. If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
If you want more restrictive settings, you might try the following:
chmod -R go-rwx /var/www/html/horde/config
chmod -R go-rwx /var/www/html/horde/*/config
This will prevent any of your config-files to be accessed from the outside. If that's not enough for you, try this:
chmod -R a-w /var/www/html/horde/
That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (an will) cause problems if you are planning to use Horde's built-in administration routines.
++++ Apache/PHP Configuration
The Horde documentation is suggesting an awfull lot of
<Directory "/var/www/html/horde/">
php_admin_flag safe_mode off # Only needed if you have got safe_mode globally on
php_admin_value open_basedir "/var:/usr" # /usr b/c of PEAR. /var is needed for my installation...
php_admin_flag expose_php off # always a good idea :)
php_admin_flag display_errors off # If you do this (recomended by the PHP documentation, btw)...
php_admin_flag log_errors on # ... you need to set this also. Don't forget to specify a logfile!
php_admin_flag register_globals off
<DirectoryMatch "^/var/www/html/horde/(./)?(config|lib|locale|po|scripts|templates)(/.)?">
order deny,allow
deny from all
This way you can safely switch {{php_safe_mode}}globaly on and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
Please take note that you need to put this into your httpd.conf because the {{php_admin_*}} instructions won't work in a .htaccess file. If you do so, don't forget to use {{httpd -t}} to check for syntax errors in your httpd.conf before you restart your Apache. Apache 2.0.x allows you to place a config file into {{/etc/httpd/conf.d/}} so you can place the whole thing into a new file {{/etc/httpd/conf.d/horde.conf}}. If the directory {{/etc/httpd}} doesn't exist on your system, you may execute the following command on a shell to find out, what your Apache's config-directoy is:
httpd -V | grep HTTPD_ROOT
Also note that I used escaped slashes in the RegEx for the
The
Interesting read:
Guide on [http://www.regular-expressions.org RegularExpressions]
[http://www.php.net/manual/en/ini.php List of core php.ini directives]
[http://www.php.net/manual/en/security.php PHP Security Manual]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch