IMP Security Notes                                             docs/SECURITY
=--------------------------------------------------------------------------=

$Author: bjn $
$Revision: 1.1.2.1 $
$Date: 2000/04/26 20:04:14 $


Preventing local users from reading configuration files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Horde and IMP configuration files contain sensitive data (such
as database passwords) that should not be read by local system users.
If your IMP server allows untrusted users to log in, one way to make the
configuration directories accessible only to the web server is as follows:

	# chown nobody:nobody /home/httpd/html/horde/config
	# chown nobody:nobody /home/httpd/html/horde/imp/config
	# chmod o-rwx /home/httpd/html/horde/config
	# chmod o-rwx /home/httpd/html/horde/imp/config

This assumes that the web server runs as user "nobody" (typical for
Apache); if not, you'll want to change the above commands accordingly.
Also note that other applications (such as NFS) can run as "nobody",
so this may not be a complete solution for your environment.
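
The following script is an added example, not part of IMP or Horde. It
verifies the result of the chown/chmod commands above by checking that each
directory is owned by the web server user and grants nothing to "other".
The script name, function names and output format are assumptions; pass the
user your web server actually runs as.

```sh
#!/bin/sh
# Added example, not part of the IMP distribution.
# Usage: sh check-config-perms.sh OWNER DIR...
#   e.g. sh check-config-perms.sh nobody /home/httpd/html/horde/config \
#            /home/httpd/html/horde/imp/config

# check_config_dir DIR OWNER
# Returns 0 if DIR is owned by OWNER and grants nothing to "other",
# 1 if the owner or mode is wrong, 2 if DIR is not a directory.
check_config_dir() {
    dir=$1 want_owner=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    # ls -ldL prints e.g. "drwxr-x--- 2 nobody nobody 4096 Apr 26 2000 config"
    mode=$(ls -ldL "$dir" | awk '{print $1}')
    owner=$(ls -ldL "$dir" | awk '{print $3}')
    other=$(printf '%s' "$mode" | cut -c8-10)    # the "other" rwx triplet
    status=0
    case $other in
        ---|--T) ;;                               # nothing granted to other
        *) echo "FAIL $dir: other has '$other' (fix: chmod o-rwx)"; status=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $dir: owner is $owner, expected $want_owner"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK $dir ($mode $owner)"
    return "$status"
}

# audit_config_dirs OWNER DIR...
# Checks every DIR; the return value is the number of directories that failed.
audit_config_dirs() {
    want=$1; shift
    failures=0
    for d in "$@"; do
        check_config_dir "$d" "$want" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run the audit only when arguments are supplied on the command line.
if [ "$#" -gt 0 ]; then
    audit_config_dirs "$@"
fi
```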


Preventing Apache from serving configuration files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Horde and IMP configuration files contain sensitive data (such as
database passwords) that should not be served by the web server. One way
to prevent this is to add sections to httpd.conf such as the following:

<Directory "/home/httpd/html/horde/config">
    order deny,allow
    deny from all
</Directory>
<Directory "/home/httpd/html/horde/imp/config">
    order deny,allow
    deny from all
</Directory>


Web-based setup script
~~~~~~~~~~~~~~~~~~~~~~
Note that the file setup.php3 can be used to configure IMP over the
web. This is insecure. For this reason, it should not be readable while
IMP is in use, and IMP, in fact, checks to make sure that it is not.
Please see the docs/INSTALL file on the use of install.sh and secure.sh
before and after configuring IMP with setup.php3.


Caching
~~~~~~~
All caching flags have been flipped in order to make sure that no
caching takes place. You can turn on web local caching within your
defaults.php3 file (default->cache_pages), but it isn't recommended, as
it is a security risk. Netscape doesn't handle non-cached pages very
well: if you are in a compose window and you resize your screen, you
will lose the data inside of it. Mozilla/Netscape5 will change this.


Using a secure web server
~~~~~~~~~~~~~~~~~~~~~~~~~
index.php3 is the root of the frame system. If you want IMP to use a secure
connection (SSL), then you need to make sure that users access IMP
as https://your.server.here/your/path/to/imp/, not as http://blah...


Additional Notes
~~~~~~~~~~~~~~~~
This is by no means a complete HOWTO; it is just a compiled list of what
people have contributed so far. If you have tips, ideas, suggestions or
anything else that you think could help others in securing their IMP
installation, please let us know at <dev@horde.org>.
