From d9d8fcb2ff52010be6018c330b24e6f0f3ad4e3a Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Tue, 13 Mar 2007 17:43:47 +0000 Subject: [PATCH] improved Apache part --- lam/docs/README.security.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/lam/docs/README.security.txt b/lam/docs/README.security.txt index 3f1dea28..c1b4d174 100644 --- a/lam/docs/README.security.txt +++ b/lam/docs/README.security.txt @@ -43,3 +43,24 @@ If you are experienced in configuring Apache then you can also copy the security settings from the .htaccess files to your main Apache configuration. + If possible, you should not rely on .htaccess files but also move the config and sess + directory to a place outside of your WWW root. You can put a symbolic link in the LAM + directory so that LAM finds the configuration/session files. + + + Security sensitive directories: + + config: Contains your LAM configuration and account profiles + - LAM configuration clear text passwords + - default values for new accounts + - directory must be accessibly by Apache but needs not to be accessible by the browser + + sess: PHP session files + - LAM admin password in clear text or MCrypt encrypted + - cached LDAP entries in clear text or MCrypt encrypted + - directory must be accessibly by Apache but needs not to be accessible by the browser + + tmp: temporary files + - PDF documents which may also include passwords + - images of your users + - directory contents must be accessible by browser but directory itself must not be browseable
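Review bot: the new "Security sensitive directories" section has two copies of the same typo, "directory must be accessibly by Apache but needs not to be accessible by the browser" (under config and sess), which should read "directory must be accessible by Apache but need not be accessible by the browser". On the substance, the symbolic-link advice in the first added paragraph is incomplete: Apache only follows a link out of the document root when `Options FollowSymLinks` (or `SymLinksIfOwnerMatch`) is enabled for the LAM directory, and the relocated config and sess directories still need filesystem permissions that limit them to the Apache user, otherwise moving them buys little; one sentence on each would make the recommendation actionable. Finally, the tmp entry says the directory "must not be browseable" but gives no setting; naming `Options -Indexes` here, and noting that the PDFs "which may also include passwords" should be removed as soon as they are downloaded since this directory is reachable by the browser, would close the gap the rest of the section leaves open.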