There are various ways to set up file/directory level permissions on an OpenIMS server. The default setup allows OpenIMS to update itself, but in several cases tighter security is required, and in the case of DMZ servers it is even recommended.
In general, all files and directories can be made read-only for the webserver (Apache), with some exceptions. The webserver needs modification rights for the directories in the document root ending in _sites, _com and _nl, and for the metabase, ufc, dfc, backups, config and tmp directories in the document root. All other files and directories, including all PHP files, can be made read-only for the webserver process, e.g. by executing a "find | grep [.]php$ | xargs chmod 0755" command on Linux servers where the owner of the PHP files is not Apache (the owning account keeps write access; the Apache process, running as a different user, gets read access only).
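As an added example (not part of the OpenIMS documentation or product), the following Python script audits a document root against the rule above: it walks the tree and reports anything the webserver could write to outside the allowed directories, plus any allowed directory the webserver cannot write to. The allow-list is taken from this page; the default account name "apache" is an assumption, and the check looks at classic permission bits only (POSIX ACLs and supplementary groups are ignored). The demo() function builds a constructed sample tree in a temporary directory so the script can be tried offline.

```python
import os
import stat
import tempfile

# Top-level directories (relative to the OpenIMS document root) that the web
# server must be able to modify, as listed on this page. Anything else in the
# document root should be read-only for the web server process.
WRITABLE_NAMES = {"metabase", "ufc", "dfc", "backups", "config", "tmp"}
WRITABLE_SUFFIXES = ("_sites", "_com", "_nl")


def is_writable_area(rel_path):
    """True if rel_path (relative to the document root) lies inside one of
    the top-level directories the web server is allowed to write to."""
    top = rel_path.split(os.sep, 1)[0]
    return top in WRITABLE_NAMES or top.endswith(WRITABLE_SUFFIXES)


def writable_by(st, uid, gid):
    """Classic Unix permission check: does a process running as uid/gid have
    write permission according to st (an os.stat_result)? Owner bits apply
    if the uid matches, otherwise group bits if the gid matches, otherwise
    the 'other' bits. POSIX ACLs, supplementary groups and root are ignored."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, web_uid, web_gid):
    """Walk the document root and return two sorted lists of relative paths:
    unexpected: writable by the web server but outside the allowed areas;
    missing:    directories inside an allowed area the web server cannot write.
    Symlinks are skipped; their targets are audited where they really live."""
    unexpected, missing = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            can_write = writable_by(st, web_uid, web_gid)
            if is_writable_area(rel):
                if stat.S_ISDIR(st.st_mode) and not can_write:
                    missing.append(rel)
            elif can_write:
                unexpected.append(rel)
    return sorted(unexpected), sorted(missing)


def demo():
    """Build a constructed sample document root in a temp dir and audit it.
    The web server is modelled as an account that owns nothing here
    (uid/gid -1), so only the 'other' permission bits decide, which matches
    the page's setup where the PHP files are owned by a user other than Apache."""
    root = tempfile.mkdtemp(prefix="openims_docroot_")

    def mkdir(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)  # chmod explicitly: makedirs' mode is subject to umask

    def mkfile(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)

    mkdir("example_sites", 0o777)   # allowed area, writable: fine
    mkdir("tmp", 0o755)             # allowed area, but not writable: flagged
    mkdir("lib", 0o755)
    mkfile("lib/Core.php", 0o666)   # PHP code writable by everyone: flagged
    mkfile("index.php", 0o644)      # read-only for the web server: fine
    mkdir("uploads", 0o777)         # not on the allow-list yet writable: flagged
    return audit_docroot(root, web_uid=-1, web_gid=-1)


if __name__ == "__main__":
    import argparse
    import pwd

    ap = argparse.ArgumentParser(description="Audit OpenIMS document root permissions")
    ap.add_argument("docroot")
    ap.add_argument("--user", default="apache", help="account the web server runs as (assumed name)")
    args = ap.parse_args()
    pw = pwd.getpwnam(args.user)
    bad, miss = audit_docroot(args.docroot, pw.pw_uid, pw.pw_gid)
    for p in bad:
        print("writable by web server, should be read-only:", p)
    for p in miss:
        print("must be writable by web server, is not:     ", p)
    raise SystemExit(1 if (bad or miss) else 0)
```

Run it as the administrator on the server, e.g. "python3 audit_docroot.py /path/to/docroot --user apache"; a non-zero exit status means at least one deviation was found, which makes it usable from a cron job or a configuration check after every update.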
The following options can be used (SSLProtocol goes in httpd.conf or ssl.conf; expose_php is a php.ini directive, which can also be set from httpd.conf as "php_admin_flag expose_php off"):
    SSLProtocol all -SSLv2
    expose_php = off
Also, the following lines in httpd.conf can be commented out:
    # Alias /icons
    # ScriptAlias /cgi-bin
An OpenIMS server must be able to read its own (extended) server status at http://<<<server_ip>>>/server-status. For support, it is also desirable that developers and the helpdesk can read the server status and the included phpinfo script. Access can be limited to designated IPs using the following configuration:
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>>
    </Location>
At the time of writing, SUPPORT_IPS are 22.214.171.124 and 126.96.36.199 (Ziggo and KPN VDSL).
    <Files ~ "phpinfo\.php$">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 <<<IP_OF_THE_SERVER>>> <<<SUPPORT_IPS>>>
    </Files>