Summary: Review Request: horde - php application framework

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189195

------- Additional Comments From holbrookbw@xxxxxxxxxxxxxxxxxxxxx 2006-04-19 02:01 EST -------

Spec URL: http://theholbrooks.org/RPMS/horde.spec
SRPM URL: http://theholbrooks.org/RPMS/horde-3.1.1-9.7.src.rpm

(In reply to comment #1)
> * config files MUST not be under /usr; place them under /etc or /var
>   (see below)
>
> * horde requires write access to the config files (they are editable
>   through the web interface); so permissions should be 0660 for
>   root:apache or even apache ownership. These files should be located
>   under /var
>
>   Perhaps location of the config files can be changed in the code,
>   perhaps you have to use symlinks for that

Using symlinks, and rewriting horde's configuration a little, I have relocated
horde's config files to /var/lib/horde, all 0660 apache:apache

>
> * the 'locale/*/horde.mo' files should be annotated with the corresponding
>   %lang() tags; it would be probably the best to move them to the
>   %regular /usr/share/locale and run '%find_lang horde'

I've done the first part, labeled all the locales with the %lang() macro, but
I'm not sure if %find_lang applied in this situation. All the horde locales are
specified as ar_SY, bg_BG, en_US, etc... but most of the locales in
/usr/share/locale are just the 2-letter ar, bg, en, etc. Is find_lang smart
enough to overcome this, should I run some logic to figure it out myself, or
should they be copied in as-is?

>
> * docs/ should be removed and packaged like
>
>   | %doc docs/*

Done

>
> * it might be a good idea to restrict the initial visibility of Horde
>   to localhost; e.g. by adding
>
>   | <Directory /usr/share/horde>
>   |   Allow from 127.0.0.1
>   |   Deny from all
>   | </Directory>
>
>   to the apache configuration.

Done

>
> What is with the authentication during the initial setup? Is there
> a non-default password required for the 'Administrator' user? If
> not, some modifications shall be done to avoid that an unconfigured
> Horde installation can be run by unauthorized users.
>

There isn't any authentication during the initial setup, the browser is
automatically logged in as Administrator. By default, Horde's "Authentication
Mechanism" (configurable in 'Setup|Authentication') is set to "Automatically
authenticate as a certain user", and the end user can then change that to HTTP,
LDAP, whatever... For an added level of obscurity, I could make HTTP the
default, and include an .htaccess file with a name and password, but it would be
the same password for every installation and not really any more secure than the
default no-password setup. Is this unacceptable?
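
A check a packager could run for the two hardening points discussed in this comment (config files at 0660 apache:apache, Horde reachable only from localhost), as an added example that is not part of the bug report or the horde spec file. The function names, the temp-dir sample files and the `horde.conf` fragment name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers, not part of the horde package or its spec file.

# bad_modes DIR [MODE]: print files under DIR whose mode is not exactly MODE.
bad_modes() {
    find "$1" -type f ! -perm "${2:-660}" -print
}

# bad_owner DIR USER GROUP: print files under DIR not owned by USER:GROUP.
bad_owner() {
    find "$1" -type f \( ! -user "$2" -o ! -group "$3" \) -print
}

# localhost_only CONF PATH: succeed only if CONF has a <Directory PATH> block
# with "Deny from all" and no "Allow from" value other than 127.0.0.1.
# An unquoted path is assumed; anything it cannot match fails the check.
localhost_only() {
    awk -v path="$2" '
        tolower($1) == "<directory" && $2 == (path ">") { inblk = 1; next }
        inblk && tolower($1) == "</directory>" { inblk = 0; seen = 1; next }
        inblk && tolower($1) == "deny" && tolower($3) == "all" { deny = 1 }
        inblk && tolower($1) == "allow" {
            for (i = 3; i <= NF; i++) if ($i != "127.0.0.1") bad = 1
        }
        END { exit !(seen && deny && !bad) }
    ' "$1"
}

# Constructed sample: stand-in config tree and Apache fragment in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf"
    : > "$d/conf/a.php"; chmod 660 "$d/conf/a.php"
    : > "$d/conf/b.php"; chmod 644 "$d/conf/b.php"   # deliberately too open
    printf '%s\n' '<Directory /usr/share/horde>' '  Allow from 127.0.0.1' \
        '  Deny from all' '</Directory>' > "$d/horde.conf"
    echo "wrong mode:  $(bad_modes "$d/conf")"
    # On an installed system this would be: bad_owner /var/lib/horde apache apache
    echo "wrong owner: $(bad_owner "$d/conf" "$(id -u)" "$(id -g)")"
    if localhost_only "$d/horde.conf" /usr/share/horde; then
        echo "localhost only: yes"
    else
        echo "localhost only: NO"
    fi
    rm -rf "$d"
}
demo
```
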