The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.
My httproot is /var/www and I made Horde store its stuff in /var/cache and /var/log.
I'd like to here some opinions from administrators of other systems...
chown -R apache.apache /var/www/html/horde
This will change the user and the group of all files belonging to your Horde installation to the user and group of your Apache webserver. If your Apache shipps with suexec, Horde will be started with the permissions of your webserver from now on.
If you want more restrictive settings, you might try the following:
chmod -R go-rwx /var/www/html/horde/config
chmod -R go-rwx /var/www/html/horde/*/config
This will prevent any of your config-files to be accessed from the outside. If that's not enough for you, try this:
chmod -R a-w /var/www/html/horde/
That's a bit overkill IMHO but makes all the files belonging to Horde unwritable by anyone except root. Take note that this might (an will) cause problems if you are planning to use Horde's built-in administration routines.
The Horde documentation is suggesting an awfull lot of <Directory> instructions to secure Hore. I've found a way to limit those to one <Directory> and one <DirectoryMatch?> instruction and statisfy Horde's needs towards PHP on the fly:
<Directory "/var/www/html/horde/">
php_admin_flag safe_mode off # Only needed if you have got safe_mode globally on
php_admin_value open_basedir "/var:/usr" # /usr b/c of PEAR. /var is needed for my installation...
php_admin_flag expose_php off # always a good idea :)
php_admin_flag display_errors off # If you do this (recomended by the PHP documentation, btw)...
php_admin_flag log_errors on # ... you need to set this also. Don't forget to specify a logfile!
php_admin_flag register_globals off
</Directory>
<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
order deny,allow
deny from all
</DirectoryMatch>
This way you can safely switch php_safe_modeglobaly on and still have Horde working. Please notice that you might need to modify the open_basedir directive. It includes /var in this example because there are a lot of important things in /var on my server (i.e. the cache and the logfile for Horde),
Please take note that you need to put this into your httpd.conf because the php_admin_* instructions won't work in a .htaccess file. If you do so, don't forget to use httpd -t to check for syntax errors in your httpd.conf before you restart your Apache. Apache 2.0.x allows you to place a config file into /etc/httpd/conf.d/ so you can place the whole thing into a new file /etc/httpd/conf.d/horde.conf. If the directory /etc/httpd doesn't exist on your system, you may execute the following command on a shell to find out, what your Apache's config-directoy is:
httpd -V | grep HTTPD_ROOT
Also note that I used escaped slashes in the RegEx? for the <DirectoryMatch?> instruction. Apache seems to cope with unescaped metacharacters. But since I'm using perl-RegEx most of the time, I'm used to escape those.
The <DirectoryMatch?>-instruction is restricting access to the folders config, lib, locale, po, scripts and templates in Horde and all its applications.
Interesting read: