eGroupWare for Debian
=====================

Table of Contents
-----------------

- General
- Security Advisory
- Preparation Steps for PostgreSQL
- Preparation Steps for MySQL
- LDAP Setup

General
-------

It is highly recommended that eGroupWare only be accessible through SSL
(https). This will protect the transmission of your users' passwords and
personal data. Users of Apache 1 can achieve that by configuring
eGroupWare only for Apache-SSL. For users of Apache 2, it may be
necessary to explicitly disable access to eGroupWare without SSL, for
example with the following configuration in the non-SSL virtual host
definition:

    Order deny,allow
    Deny from all

The URL for the eGroupWare installation is of the form . You can change
this and some other web-related settings in /etc/egroupware/apache.conf.
But you first need to do some setup, so read on ...

Please log in to the web-based eGroupWare setup tool after installing or
upgrading the eGroupWare packages. The URL is of the form . If this is
your first installation, you should first prepare the database
management system of your choice and optionally an LDAP server as
outlined below. The connection parameters for the database and
optionally the LDAP server must later be entered in the setup tool.

Also log in to the web-based setup tool before uninstalling eGroupWare
application packages to unregister those applications. The Debian
package management system cannot do that automatically. If you forget
that, you will have leftovers from the uninstalled applications in the
database. (If you forget, you can reinstall the package, unregister the
application, and remove it again.)

The eGroupWare Debian package does not clear out or drop the database
when the package is purged. You need to do that yourself.

Security Advisory
-----------------

eGroupWare stores the database password in plain text in
/var/lib/egroupware/header.inc.php.
This file is readable by the user www-data, which means that every user
that can execute user-defined scripts (PHP, CGI, etc.) running as the web
server user www-data can read this file and steal all your eGroupWare
data. Therefore you should do at least one of the following:

- Don't allow any untrusted users on your machine.
- Don't allow any untrusted users to run their own PHP, CGI, etc.
- Make sure all the user-defined content is run as a different user, for
  example using suEXEC.

Alternatively, you may want to run eGroupWare as a separate user or in a
separate Apache instance altogether, but this is nontrivial to set up
and not supported by this package (yet). Suggestions are welcome.

Preparation Steps for PostgreSQL
--------------------------------

The PostgreSQL database system can be on a remote host, of course.
Substitute the appropriate IP addresses below.

Create a user and database for eGroupWare:

    # su - postgres
    $ createuser -A -D -P egroupware
    [enter a password for the user when prompted]
    $ createdb egroupware

You need to configure PostgreSQL to allow connections from the web
server. This is not allowed by default. Add a line like this to
/etc/postgresql/x.y/foo/pg_hba.conf (where "x.y" is the version number
such as "8.1", and "foo" is the name of the cluster instance such as
"main"), most simply before all other records, since PostgreSQL uses the
first record that matches a connection:

    host egroupware egroupware 127.0.0.1 255.255.255.255 md5

(This allows any OS user from 127.0.0.1 to connect to the PostgreSQL
database "egroupware" as PostgreSQL user "egroupware" if they can supply
a valid password.)

If you are using PostgreSQL 7.4, you need to allow TCP/IP access to the
database server by setting the parameter tcpip_socket to true in
postgresql.conf. In 8.0 and later, the parameter is called
listen_addresses and the default is sufficient.
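Before reloading, the following added shell audit (not part of the eGroupWare package) checks the two settings this README asks you to secure: the pg_hba.conf records that apply to the eGroupWare database and user, where the first matching record wins so a "trust" record above yours takes precedence, and the permissions of the header.inc.php file from the Security Advisory above. The file path, the database and user names and the sample pg_hba lines are assumptions taken from this README, and the script does not evaluate the address columns.

```shell
#!/bin/sh
# Added example, not part of the eGroupWare Debian package: two local
# audits for settings this README asks you to secure. The path below is
# the Debian location named in the README; override HEADER if it differs.
HEADER="${HEADER:-/var/lib/egroupware/header.inc.php}"

# check_header FILE: return 0 when FILE is not readable by "other", 1 when
# it is world-readable (every local account could then read the database
# password), 2 when it is missing. ls -l is used instead of stat so the
# check works on GNU and BSD userland; the 8th character of the mode
# string is the "other" read bit.
check_header() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 2; }
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3 ":" $4}')
    case "$mode" in
        ???????r??) echo "EXPOSED  $1 $mode $owner (chmod o-r it)"; return 1 ;;
        *)          echo "OK       $1 $mode $owner"; return 0 ;;
    esac
}

# pg_hba_audit FILE DB USER: print, in file order, every pg_hba.conf record
# whose database and user columns cover DB and USER, and return 1 if any of
# them uses "trust" (no password asked). PostgreSQL applies the first
# matching record, so such a line above the md5 record from this README
# would win. Handles "local" records and both the "addr netmask" and the
# "addr/len" host forms; the address columns themselves are not evaluated.
pg_hba_audit() {
    awk -v db="$2" -v usr="$3" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            if ($1 == "local") { method = $4 }
            else if (index($4, "/") > 0) { method = $5 }
            else { method = $6 }
            if (($2 == db || $2 == "all") && ($3 == usr || $3 == "all")) {
                flag = (method == "trust") ? "NO-PASSWORD" : "ok"
                printf "%-12s line %d: %s\n", flag, NR, $0
                if (method == "trust") bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: sh audit.sh /etc/postgresql/x.y/main/pg_hba.conf [db] [user]
if [ $# -gt 0 ]; then
    check_header "$HEADER"
    pg_hba_audit "$1" "${2:-egroupware}" "${3:-egroupware}"
fi
```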
After having made these changes, run

    # /etc/init.d/postgresql-x.y reload

More information about PostgreSQL client authentication can be found in
the file /usr/share/doc/postgresql-doc-x.y/html/client-authentication.html
in the package postgresql-doc-x.y.

Preparation Steps for MySQL
---------------------------

Set up a database for eGroupWare and grant user access (replace
"password" with a password of your own):

    $ mysql -u root
    mysql> CREATE DATABASE egroupware;
    mysql> GRANT ALL ON egroupware.* TO 'egroupware'@'localhost' IDENTIFIED BY "password";

If the MySQL server is on a remote host, substitute the name of the host
of the web server for localhost in the statement above. Additionally,
the option bind-address in /etc/mysql/my.cnf may need to be changed to
accept connections from remote hosts.

LDAP Setup
----------

To be able to store eGroupWare user or addressbook data in an LDAP
server (not required; you can use an SQL database):

1. Install the package egroupware-ldap on the machine hosting the LDAP
   server (only OpenLDAP 2.x is supported), and follow the instructions
   in its /usr/share/doc/egroupware-ldap/README.Debian. This prepares
   the LDAP server for eGroupWare data.

2. Follow the instructions in
   /usr/share/doc/egroupware-core/setup/README.ldap.gz once you are in
   the domain configuration phase. This tells eGroupWare to use the LDAP
   server.

-- Peter Eisentraut, August 2006