+++ Horde Security Tips
+++++ The content of this page is mainly derived from the security section of the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
++++ Introduction
The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl and Horde 2.2.7.
My Apache is serving most files out of {{/var/www/html}}. Thus my Horde installation lives in {{/var/www/html/horde}}. Please keep this in mind if you are applying any of these configurations on your system.
++++ Filesystem Permissions
chown -R apache.apache /var/www/html/horde
This will change the user and the group of all files belonging to your Horde installation to the user and group of your Apache webserver. If your Apache ships with suexec, Horde will be started with the permissions of your webserver from now on.
If you want more restrictive settings, you might try the following:
chmod -R go-rwx /var/www/html/horde/config
chmod -R go-rwx /var/www/html/horde/*/config
This removes all group and other permissions, so nobody except the owner (your Apache user) can read your config files. If that's not enough for you, try this:
chmod -R a-w /var/www/html/horde/
That's a bit overkill IMHO, but it makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (and will) cause problems if you are planning to use Horde's built-in administration routines, since they need to write to the config files.
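To see whether the chown/chmod steps above actually did what you expect, here is an added shell example (mine, not from this page's author or the Horde project). It audits the config directories for any group/other permission bits, counts what is still writable, and applies the two chmod steps; the Horde root path is an assumption, and the demo at the bottom runs on a constructed tree in a temporary directory, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the original page or the Horde project: helpers to
# audit the filesystem permissions described above and to apply them.  The
# real Horde root (/var/www/html/horde on this page) is an assumption; the
# demo at the bottom runs on a constructed tree in a temporary directory.

# List every entry under the Horde config directories ($1/config and
# $1/*/config) that group or others can read, write or execute.  Octal -perm
# tests: 040/020/010 = group r/w/x, 004/002/001 = others r/w/x.
# Exit status 0 when the config directories are private to their owner.
horde_config_leaks() {
    found=0
    for dir in "$1/config" "$1"/*/config; do
        [ -d "$dir" ] || continue
        leaks=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$leaks" ]; then
            printf '%s\n' "$leaks"
            found=1
        fi
    done
    return $found
}

# The page's "more restrictive" step: owner-only access to every config dir.
# (chown -R apache.apache is left to the administrator: it needs root and the
# web server user differs between distributions.)
horde_lock_configs() {
    for dir in "$1/config" "$1"/*/config; do
        [ -d "$dir" ] || continue
        chmod -R go-rwx "$dir"
    done
}

# The page's "overkill" step: nothing under the tree stays writable.
horde_freeze_tree() {
    chmod -R a-w "$1"
}

# Number of entries under $1 that still carry any write bit (owner, group or
# others); 0 after horde_freeze_tree.
horde_writable_count() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Constructed sample tree with typical tarball permissions (755 / 644).
horde_make_sample_tree() {
    mkdir -p "$1/config" "$1/imp/config" "$1/lib"
    for f in index.php config/conf.php imp/config/conf.php lib/Horde.php; do
        printf '<?php // constructed sample file\n' > "$1/$f"
    done
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo (no root needed).  Real use: horde_config_leaks /var/www/html/horde
demo=$(mktemp -d)
horde_make_sample_tree "$demo"
echo "exposed config entries before chmod -R go-rwx:"
horde_config_leaks "$demo" || true
horde_lock_configs "$demo"
echo "exposed config entries after chmod -R go-rwx:"
horde_config_leaks "$demo" && echo "(none)"
echo "writable entries before chmod -R a-w: $(horde_writable_count "$demo")"
horde_freeze_tree "$demo"
echo "writable entries after chmod -R a-w:  $(horde_writable_count "$demo")"
chmod -R u+w "$demo" && rm -rf "$demo"
```

Run {{horde_config_leaks /var/www/html/horde}} as root (or as the Apache user) after the chmod steps; anything it prints is a config file that some other local user can still read.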
++++ Apache/PHP Configuration
The Horde documentation suggests an awful lot of
<Directory "/var/www/html/horde/">
    # Only needed if you have got safe_mode globally on
    php_admin_flag safe_mode off
    # /usr because of PEAR; /var is needed for my installation...
    php_admin_value open_basedir "/var:/usr"
    # always a good idea :)
    php_admin_flag expose_php off
    # If you do this (recommended by the PHP documentation, btw)...
    php_admin_flag display_errors off
    # ... you need to set this also - otherwise you'll have no idea what's wrong if something doesn't work.
    # Don't forget to specify a logfile in your php.ini or elsewhere!
    php_admin_flag log_errors on
    php_admin_flag register_globals off
</Directory>
# No web access to the code and configuration directories, at any depth below the Horde root
<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
    order deny,allow
    deny from all
</DirectoryMatch>
# test.php reveals configuration details, so only allow it from the local machine
<LocationMatch "^/horde/(.*/)?test.php">
    order deny,allow
    deny from all
    allow from localhost
</LocationMatch>
This way you can safely switch {{php_safe_mode}} on globally and still have Horde working. Please notice that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (e.g. the cache and the logfile for Horde).
Please take note that you need to put this into your httpd.conf because the {{php_admin_*}} directives won't work in a .htaccess file. If you do so, don't forget to run {{httpd -t}} to check your httpd.conf for syntax errors before you restart Apache. Apache 2.0.x lets you place a config file into {{/etc/httpd/conf.d/}}, so you can put the whole thing into a new file {{/etc/httpd/conf.d/horde.conf}}. If the directory {{/etc/httpd}} doesn't exist on your system, run the following commands in a shell to find out what your Apache's config directory is:
httpd -V | grep HTTPD_ROOT
httpd -V | grep SERVER_CONFIG_FILE
Also note that I used escaped slashes in the RegEx for the
The
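Since {{httpd -t}} only catches syntax errors, not a forgotten directive, here is an added shell example (mine, not from this page's author or the Horde project) that lints a config fragment like the one above: it reports which of the {{php_admin_*}} hardening settings are missing and checks that the sensitive directories and test.php are really covered by a "deny from all". The file path and the sample configuration it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or the Horde project: a small lint
# for an httpd.conf fragment like the one above.  It checks that the page's
# php_admin_* hardening directives are present and that the sensitive
# directories and test.php are actually denied.  All paths are assumptions.

# Each line: directive-type directive-name value-pattern (an ERE).  These are
# the settings from the <Directory "/var/www/html/horde/"> block on this page.
horde_required_directives() {
    cat <<'EOF'
php_admin_flag expose_php off
php_admin_flag display_errors off
php_admin_flag log_errors on
php_admin_flag register_globals off
php_admin_value open_basedir [^[:space:]]+
EOF
}

# Print every required directive that the config file $1 lacks or sets to
# another value; prints nothing when the file is complete.
horde_conf_missing() {
    horde_required_directives | while read -r kind name value; do
        grep -Eiq "^[[:space:]]*$kind[[:space:]]+$name[[:space:]]+$value[[:space:]]*$" "$1" \
            || printf '%s %s\n' "$kind" "$name"
    done
}

# Exit status 0 when no required directive is missing from $1.
horde_conf_ok() {
    [ -z "$(horde_conf_missing "$1")" ]
}

# Exit status 0 when file $1 contains a <$2 ...> container (Directory,
# DirectoryMatch, LocationMatch) whose argument matches the ERE $3 and that
# holds a "deny from all" line.  Case-insensitive, like Apache itself.
horde_conf_denies() {
    awk -v type="$2" -v pat="$3" '
        { line = tolower($0) }
        line ~ ("^[ \t]*<" tolower(type) "[ \t]") { inside = (line ~ tolower(pat)); next }
        line ~ ("^[ \t]*</" tolower(type) ">")    { inside = 0; next }
        inside && line ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample: the fragment from this page, as it would sit in
# /etc/httpd/conf.d/horde.conf.
horde_sample_conf() {
    cat <<'EOF'
<Directory "/var/www/html/horde/">
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/var:/usr"
    php_admin_flag expose_php off
    php_admin_flag display_errors off
    php_admin_flag log_errors on
    php_admin_flag register_globals off
</Directory>
<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
    order deny,allow
    deny from all
</DirectoryMatch>
<LocationMatch "^/horde/(.*/)?test.php">
    order deny,allow
    deny from all
    allow from localhost
</LocationMatch>
EOF
}

# Demo: lint the sample, then the same file with register_globals removed.
# Real use: horde_conf_missing /etc/httpd/conf.d/horde.conf
demo=$(mktemp); horde_sample_conf > "$demo"
horde_conf_ok "$demo" && echo "sample: all hardening directives present"
horde_conf_denies "$demo" LocationMatch 'test.php' && echo "sample: test.php denied"
broken=$(mktemp); grep -v register_globals "$demo" > "$broken"
echo "after dropping register_globals, missing:"; horde_conf_missing "$broken"
rm -f "$demo" "$broken"
```

The lint only reads the file you hand it, so if you split the settings across httpd.conf and conf.d/horde.conf, run it on each file or on their concatenation; {{httpd -t}} is still needed for the syntax check.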
Interesting read:
Guide on [http://www.regular-expressions.org RegularExpressions]
[http://www.php.net/manual/en/ini.php List of core php.ini directives]
[http://www.php.net/manual/en/security.php PHP Security Manual]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory Directory directive]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch DirectoryMatch directive]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#locationmatch LocationMatch directive]
++++ MySQL Configuration