6.0.0-git
2024-04-19
Last Modified 2004-11-27 by Guest

Horde Security Tips

The content of this page is mainly derived from the security section of the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or at those who are a bit paranoid ;) )

Introduction

The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.

My httproot is /var/www and I made Horde store its stuff in /var/cache and /var/log.

I'd like to hear some opinions from administrators of other systems...


Filesystem Permissions


# apache:apache is the portable user:group form (GNU chown also accepts apache.apache)
chown -R apache:apache /var/www/html/horde

Horde's PHP code runs with the permissions of the web server user (apache on Fedora) no matter who owns the files; suexec does not change that, since it only applies to CGI programs that Apache executes as another user. Making the web server user own the whole tree therefore does not lower Horde's privileges. It only guarantees that Horde can write anywhere below /var/www/html/horde, including over its own code, which is exactly what an attacker who gains code execution in PHP will do. A tighter layout keeps the code owned by root and readable (but not writable) by the apache group, and gives the apache user ownership only of the directories Horde really writes to, such as the cache and log locations mentioned above.
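As an added example (my own, not from the Horde documentation or the Horde project): a least-privilege alternative to chowning the whole tree to apache. Horde's code is owned by an administrative account and made readable, but not writable, by the web server's group, while the web server user owns only the directories it actually writes to (the cache and log locations from the introduction). The owner and group names are parameters, assumed to be root and apache on a Fedora box, so the function can be exercised as an unprivileged user; the two check helpers are mine as well.

```sh
#!/bin/sh
# Added example, not from the Horde documentation: least-privilege layout for a
# Horde tree instead of "chown -R apache.apache" over everything.
# Owner and group are parameters (assumed root / apache on a real system) so
# the function can be tried as an ordinary user on a scratch directory.
set -e

# Usage: harden_horde_tree <horde_dir> <cache_dir> <log_dir> <code_owner> <web_user> <web_group>
harden_horde_tree() {
    horde_dir=$1
    cache_dir=$2
    log_dir=$3
    code_owner=$4
    web_user=$5
    web_group=$6

    # Application code: readable by the web server's group, writable by nobody
    # but the code owner, invisible to everyone else. A compromised PHP process
    # can then read Horde's files but not rewrite them.
    chown -R "$code_owner:$web_group" "$horde_dir"
    find "$horde_dir" -type d -exec chmod 0750 '{}' +
    find "$horde_dir" -type f -exec chmod 0640 '{}' +

    # Writable state (cache, log): owned by and private to the web server user.
    for d in "$cache_dir" "$log_dir"; do
        mkdir -p "$d"
        chown -R "$web_user:$web_group" "$d"
        chmod 0700 "$d"
    done
}

# Exit status 0 if nothing under <dir> is writable by group or others:
# the property the code tree must have after hardening.
# Usage: no_group_or_other_write <dir>
no_group_or_other_write() {
    [ -z "$(find "$1" \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Exit status 0 if <path> itself is owned by <user>.
# find -user is POSIX, stat is not, hence the -prune trick.
# Usage: owned_by <path> <user>
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print)" ]
}
```

On a real system this would be run as root, for instance (assuming Horde's cache and log live in /var/cache/horde and /var/log/horde) `harden_horde_tree /var/www/html/horde /var/cache/horde /var/log/horde root apache apache`. If your Horde configuration needs further writable locations, hand those to the apache user the same way rather than loosening the code tree.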


Apache/PHP Configuration

The Horde documentation suggests an awful lot of <Directory> blocks to secure Horde. I've found a way to limit those to one <Directory> and one <DirectoryMatch> block and still satisfy Horde's requirements of PHP on the fly:


<Directory "/var/www/html/horde/">
        # Horde does not run under safe_mode, so it is switched off here even
        # when it is on globally (safe_mode and register_globals no longer
        # exist in PHP 5.4 and later).
        php_admin_flag  safe_mode               off
        # PEAR lives in /usr/share/pear on Fedora; the directive is include_path
        php_admin_value include_path            "/usr/share/pear"
        php_admin_value open_basedir            "/var:/usr"
        php_admin_flag  expose_php              off
        php_admin_flag  display_errors          off
        php_admin_flag  log_errors              on
        php_admin_flag  register_globals        off
</Directory>

<DirectoryMatch "^\/var\/www\/html\/horde\/(.*\/)?(config|lib|locale|po|scripts|templates)(\/.*)?">
  # Apache 2.2 and earlier syntax; on Apache 2.4 use "Require all denied"
  # instead (the Order/Deny form there needs mod_access_compat).
  order deny,allow
  deny from all
</DirectoryMatch>

This way you can switch safe_mode on globally and still have Horde working. Please notice that you might need to modify the open_basedir directive. It includes /var in this example because there are a lot of important things in /var on my server (i.e. the cache and the logfile for Horde). Two caveats: open_basedir entries are prefixes, not directory names, so "/var:/usr" also admits any path that merely begins with /var or /usr; end each entry with a slash ("/var/:/usr/") to mean exactly those directories, and list only what Horde really needs (the PEAR directory, the Horde tree and its cache and log locations) if you want the restriction to bite. Also, php_admin_value and php_admin_flag are understood only by the Apache PHP module; if PHP runs as CGI or FastCGI, the same settings belong in php.ini instead.

The <DirectoryMatch> block denies web access to the config, lib, locale, po, scripts and templates directories of Horde itself and of every Horde application installed below it (the optional (.*\/) group is what makes the pattern reach into the application subdirectories). Note that the pattern has no end anchor, so any directory whose name merely starts with one of those words is denied as well. After changing it, check with a request to each of those directories that the server really answers 403, and that the application pages themselves still load.
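An added check (mine, not from the Horde documentation): before trusting a regex-based deny rule, look at what it actually matches. The functions below apply the <DirectoryMatch> pattern above, with the Horde root made a parameter, to directory paths using grep -E; POSIX ERE and Apache's PCRE agree for this pattern. The audit over an installed tree and any sample paths are constructed for the example, and the root is assumed to contain no regex metacharacters beyond a literal dot.

```sh
#!/bin/sh
# Added example, not from the Horde documentation: exercise the page's
# <DirectoryMatch> deny pattern against directory paths with grep -E.
# Assumption: the Horde root passed in contains no regex metacharacters
# (a "." in a temp path matches itself, which is harmless here).

# The deny pattern from the page, with the Horde root made a parameter.
# Usage: horde_deny_re <horde_root>
horde_deny_re() {
    printf '^%s/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?' "$1"
}

# Exit status 0 if the directory path would fall under the deny block.
# Usage: horde_dir_denied <horde_root> <directory_path>
horde_dir_denied() {
    printf '%s\n' "$2" | grep -Eq "$(horde_deny_re "$1")"
}

# Print every directory below an installed Horde root that the rule would
# deny, so the list can be compared with what the site is meant to serve.
# Usage: list_denied_dirs <horde_root>
list_denied_dirs() {
    find "$1" -type d | grep -E "$(horde_deny_re "$1")" || true
}
```

Running list_denied_dirs against a real installation shows the side effect of the missing end anchor: a directory named, say, library or polls (names that merely begin with lib or po) lands in the denied list too. On Apache before 2.3.9 a trailing $ cannot be used in <DirectoryMatch>, so on the 2.0/2.2 series the practical answer is to compare that list against the directories the applications need and verify each application's pages with a request after any change.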

Interesting read: