Installing the Sherpath Groupware
---------------------------------

0. Prerequisite

required:
	apache
	php4 (with mysql, imap and gd support)
	mysql server

example: (Debian)
apt-get install apache mysql-server php4 php4-imap php4-mysql php4-gd

highly recommended:
	mailer daemon (example: sendmail)
	imap daemon (example: uw-imapd)
	ftp daemon (example: proftpd)

example: (Debian)
apt-get install sendmail uw-imapd proftpd

if you are upgrading from a previous version of Sherpath, first backup your previous installation: (example)
cd /var/www
mv -f Sherpath Sherpath.old

1. Detar the Sherpath directory in the webserver area
example:
cd /var/www
tar xvfz sherpath_xxx.tar.gz

2. Set the correct owner permissions:
example:
chown -R www-data:www-data Sherpath
or
chown -R nobody:nobody Sherpath
or
chown -R httpd:httpd Sherpath

To enhance security, you can set owner & write permissions to root only:
chown -R root:www-data Sherpath
or
chown -R root:nobody Sherpath
or
chown -R root:httpd Sherpath

3. Set the correct rights permissions:
example:
find Sherpath -type f -exec chmod 640 "{}" \;
find Sherpath -type d -exec chmod 750 "{}" \;
find Sherpath -type f -name .htaccess -exec chmod 400 "{}" \;
for file in `find Sherpath/setup -type f; find Sherpath/scripts -type f`; do
if test "`head -c3 \"$file\"`" = '#!/'; then
chmod 750 "$file"
fi
done

You can also, for security reasons, disable write access to all files:
chmod -R a-w Sherpath

4. Modify the configuration file:

Only ONE file has to be customized: 'config/setup/general.config.php3'

Just edit this file and follow the instructions.

Generally, you'll have to edit only these settings:
$DBConf["DBName"] 	= "Sherpath";		// Database name
$DBConf["Username"] 	= "www-data";		// Login for this database
$DBConf["Password"] 	= "foobar";		// Password for this database
$DBConf["Server"] 	= "localhost";		// Database server hostname
$DBConf["Port"] 	= "3306";		// Database connection port

If you upgraded from a previous Sherpath version, copy the previous configuration files:
cd /var/www
mv -f Sherpath/config/setup Sherpath/config/setup.orig
cp -ax Sherpath.old/config/setup Sherpath/config/

5. First run and tests

Run 'Sherpath/setup/database/CreateNewDatabase' to create a new database if necessary (this will erase the existing database)
Run 'Sherpath/index.php' (go to http://<yourwebserver_location>/Sherpath/ or http://<yoursherpath_location>/).

Note: If the configuration was not correct (incorrect database settings), you'll have to edit the config/general.config.php3 and retry again!


Security Notes
--------------

* General remarks

Ensure that your webserver is protected by a firewall, for example using a kernel (ipchains/iptables) firewall, and check each opened services.
Update regularly all services, and monitor the system activity (IDS).

* Apache and PHP configuration

To enhance security, you can check this list:
	enable the PHP safe_mode if you don't need the Sherpath POSIX system interface
	use the suEXEC mechanism for Apache daemon and if possible a user/group reserved only for the groupware
	check the permissions (if possible, do not give write permissions to the Apache daemon)
	only use HTTPS mode, at least for the login phase (you can even disable the non-ssl Apache daemon)

* Database configuration

Ensure that the database is protected using a strong password, with local access only.

* index.php file and directories

The index.php[4] file is the only file being called, and therefore all directories (especially configuration directories) are protected using an .htaccess file (with full reject)
Efforts were done to secure session parameters and protect sensitive variables.

* Passwords in the database

Passwords are stored in an hashed form (md5-128) in the database, and therefore are protected against direct access.
The only known attack is the dictionnary/brute force attack, like the /etc/shadow attack.

* Authentication

The username and password data are only sent during the login phase (see the '* Apache and PHP configuration' note to secure this phase) and are not stored 'as is' in the session.
A one time pad protection (random cypher mask) is splitted between the session data and the user cookie, therefore no side (client/server) has any relevant information.


