improved Apache part

2007-03-13 17:43:47 +00:00 · 2007-03-13 17:43:47 +00:00 · d9d8fcb2ff
parent 8fd384ce58
commit d9d8fcb2ff
1 changed files with 21 additions and 0 deletions
--- a/lam/docs/README.security.txt
+++ b/lam/docs/README.security.txt
@ -43,3 +43,24 @@
   If you are experienced in configuring Apache then you can also copy the security settings
   from the .htaccess files to your main Apache configuration.

+   If possible, you should not rely on .htaccess files but also move the config and sess
+   directory to a place outside of your WWW root. You can put a symbolic link in the LAM
+   directory so that LAM finds the configuration/session files.
+
+
+   Security sensitive directories:
+
+   config: Contains your LAM configuration and account profiles
+           - LAM configuration clear text passwords
+           - default values for new accounts
+           - directory must be accessibly by Apache but needs not to be accessible by the browser
+
+   sess: PHP session files
+         - LAM admin password in clear text or MCrypt encrypted
+         - cached LDAP entries in clear text or MCrypt encrypted
+         - directory must be accessibly by Apache but needs not to be accessible by the browser
+
+   tmp: temporary files
+        - PDF documents which may also include passwords
+        - images of your users
+        - directory contents must be accessible by browser but directory itself must not be browseable