Horde/IMP Security Notes                                       docs/SECURITY
=--------------------------------------------------------------------------=

$Horde: imp/docs/SECURITY,v 1.1.2.7 2000/10/18 19:52:53 bjn Exp $


Default database password is a security hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Horde and IMP documentation and sample database creation scripts
create a user "hordemgr" with password "hordemgr" for accessing the
horde database.  Using this password in a production environment is a
security hole, since an attacker will easily guess it.

It is very important that you change the password of the "hordemgr"
user to something secure.  The horde/scripts/database/dbpasswd.sh
script can be used to make this change, or you can alter the
instructions in horde/docs/DATABASE to set a different password.

IMP will display an error on the login page if the default database
password is in use.  If you insist on using the default password (NOT
RECOMMENDED), the error can be turned off in imp/config/defaults.php3
by setting "$default->db_security_nag = false".


Preventing local users from reading configuration files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The PHPLIB, Horde, and IMP configuration files contain sensitive data
(such as database passwords) that should not be read by local system
users.  If your IMP server allows untrusted users to log in, one way to
make the configuration directories accessible only to the web server is
as follows:

	# chgrp nobody /home/httpd/horde-phplib/local.inc
	# chgrp -R nobody /home/httpd/html/horde/config
	# chgrp -R nobody /home/httpd/html/horde/imp/config
	# chmod o-rwx /home/httpd/horde-phplib/local.inc
	# chmod -R o-rwx /home/httpd/html/horde/config
	# chmod -R o-rwx /home/httpd/html/horde/imp/config

(The paths above will vary depending on where you have PHPLIB and Horde
installed.)  For completely fascist permissions, you can make the entire
PHPLIB/Horde/IMP trees inaccessible except by the web server:

	# chgrp -R nobody /home/httpd/horde-phplib
	# chgrp -R nobody /home/httpd/html/horde
	# chmod -R o-rwx /home/httpd/horde-phplib
	# chmod -R o-rwx /home/httpd/html/horde

This assumes that the web server runs as group "nobody" (typical for
Apache); if not, you'll want to change the above commands accordingly.
Also note that other applications (such as NFS) can run as "nobody",
so this may not be a complete solution for your environment.
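
An added check for the commands above (example code, not part of the
Horde distribution): it reports anything under the given paths that is
still accessible to "other" users or is not owned by the web server's
group.  The function name and output labels are this example's own.

```shell
#!/bin/sh
# Added example: verify the result of the chgrp/chmod commands above.

# audit_tree GROUP PATH...
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
audit_tree() {
    group=$1
    shift
    status=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "MISSING      $path"
            status=1
            continue
        fi
        # Bits that "chmod o-rwx" clears: other-read, other-write, other-exec.
        # Symlinks are skipped because their own mode bits are not meaningful.
        open=$(find "$path" ! -type l \
                 \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        # Entries that "chgrp -R" missed.
        wrong=$(find "$path" ! -type l ! -group "$group" -print)
        if [ -n "$open" ]; then
            echo "$open" | sed 's/^/OTHER-ACCESS /'
            status=1
        fi
        if [ -n "$wrong" ]; then
            echo "$wrong" | sed 's/^/WRONG-GROUP  /'
            status=1
        fi
    done
    return $status
}

# Usage with the paths from this document (run as root so find can
# descend into every directory):
#   audit_tree nobody /home/httpd/horde-phplib/local.inc \
#       /home/httpd/html/horde/config /home/httpd/html/horde/imp/config
```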


Preventing Apache from serving configuration and source files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Horde and IMP configuration files contain sensitive data (such as
database passwords) that should not be served by the web server.  Other
directories contain PHP source code that isn't intended for viewing
by end-users.  One way to prevent the web server from serving these
files is to add sections to httpd.conf such as the following:

<Directory "/home/httpd/html/horde/config">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/lib">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/locale">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/templates">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/imp/config">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/imp/lib">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/imp/locale">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/imp/templates">
    order deny,allow
    deny from all
</Directory>
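
An added coverage check for the sections above (example code, not part
of the Horde distribution): it confirms that each directory that must
not be served has its own <Directory> block containing a deny rule.  It
also accepts "Require all denied", the Apache 2.4 form of the same rule;
the function name and output labels are this example's own.

```shell
#!/bin/sh
# Added example: check httpd.conf for a deny rule per sensitive directory.
# Limits: only looks at <Directory> blocks whose path matches exactly, and
# does not evaluate later "allow" lines, parent blocks, or .htaccess files.

# check_denied CONF DIR...
# Prints OK or NO-DENY per directory; returns 1 if any directory lacks a rule.
check_denied() {
    conf=$1
    shift
    status=0
    for dir in "$@"; do
        if awk -v want="$dir" '
            /^[ \t]*#/ { next }                      # skip comment lines
            tolower($1) == "<directory" {
                p = $2
                gsub(/[">]/, "", p)                  # strip quotes and ">"
                sub(/\/$/, "", p)                    # ignore trailing slash
                inside = (p == want)
                next
            }
            tolower($1) ~ /^<\/directory/ { inside = 0; next }
            inside {
                line = tolower($0)
                if (line ~ /deny[ \t]+from[ \t]+all/ ||
                    line ~ /require[ \t]+all[ \t]+denied/)
                    found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$conf"; then
            echo "OK       $dir"
        else
            echo "NO-DENY  $dir"
            status=1
        fi
    done
    return $status
}

# Usage with the paths from this document:
#   check_denied /etc/httpd/conf/httpd.conf \
#       /home/httpd/html/horde/config /home/httpd/html/horde/imp/config
```

The httpd.conf location in the usage comment is an assumption; use the
path of your own server configuration.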


Web-based setup script
~~~~~~~~~~~~~~~~~~~~~~
Note that the file setup.php3 can be used to configure IMP over the
web. This is insecure. For this reason, it should not be readable while
IMP is in use, and IMP, in fact, checks to make sure that it is not.
Please see the docs/INSTALL file on the use of install.sh and secure.sh
before and after configuring IMP with setup.php3.


Caching
~~~~~~~
All caching flags have been set so that no caching takes place. You can
turn on local caching of pages in your defaults.php3 file
($default->cache_pages), but it isn't recommended as it is a security
risk. Netscape doesn't handle non-cached pages very well: if you are in
a compose window and you resize your screen, you will lose the data
inside of it. Mozilla/Netscape5 will change this.


Using a secure web server
~~~~~~~~~~~~~~~~~~~~~~~~~
index.php3 is the root of the frame system. If you want IMP to use a secure
connection (SSL), you need to make sure that users access IMP as
https://your.server.here/your/path/to/imp/, not through an http:// URL.


Additional Notes
~~~~~~~~~~~~~~~~
This is far from a complete HOWTO. This is just a compiled list of what
people have contributed so far. If you have tips, ideas, suggestions or
anything else that you think could help others in securing their IMP
installation, please let us know. <dev@lists.horde.org>
