diff options
| author | barnboy%trilobyte.net <> | 2001-03-08 14:35:44 +0100 |
|---|---|---|
| committer | barnboy%trilobyte.net <> | 2001-03-08 14:35:44 +0100 |
| commit | 6b607da839992bead01d7cba308f216e17eed520 (patch) | |
| tree | dce2e5e7aac71ccb906eb18b292712e93cd1ed85 /docs/html/security.html | |
| parent | 3208181dc05fa0633e6cde53fec641f1db4b35ef (diff) | |
| download | bugzilla-6b607da839992bead01d7cba308f216e17eed520.tar.gz bugzilla-6b607da839992bead01d7cba308f216e17eed520.tar.xz | |
Documentation update; added docs/sgml, docs/html, docs/txt.
No text version of The Bugzilla Guide availabe yet, however.
Diffstat (limited to 'docs/html/security.html')
| -rw-r--r-- | docs/html/security.html | 299 |
1 files changed, 299 insertions, 0 deletions
diff --git a/docs/html/security.html b/docs/html/security.html new file mode 100644 index 000000000..5f04fed98 --- /dev/null +++ b/docs/html/security.html @@ -0,0 +1,299 @@ +<HTML +><HEAD +><TITLE +>Bugzilla Security</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"><LINK +REL="HOME" +TITLE="The Bugzilla Guide" +HREF="index.html"><LINK +REL="UP" +TITLE="Administering Bugzilla" +HREF="administration.html"><LINK +REL="PREVIOUS" +TITLE="Product, Component, Milestone, and Version Administration" +HREF="programadmin.html"><LINK +REL="NEXT" +TITLE="Using Bugzilla" +HREF="using.html"></HEAD +><BODY +CLASS="SECTION" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>The Bugzilla Guide</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="programadmin.html" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Chapter 3. Administering Bugzilla</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="using.html" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECTION" +><H1 +CLASS="SECTION" +><A +NAME="SECURITY" +>3.4. Bugzilla Security</A +></H1 +><TABLE +BORDER="0" +WIDTH="100%" +CELLSPACING="0" +CELLPADDING="0" +CLASS="EPIGRAPH" +><TR +><TD +WIDTH="45%" +> </TD +><TD +WIDTH="45%" +ALIGN="LEFT" +VALIGN="TOP" +><I +><P +><I +>Putting your money in a wall safe is better protection than depending on the fact that + no one knows that you hide your money in a mayonnaise jar in your fridge.</I +></P +></I +></TD +></TR +></TABLE +><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +> Poorly-configured MySQL, Bugzilla, and FTP installations have given attackers full + access to systems in the past. Please take these guidelines seriously, even + for Bugzilla machines hidden away behind your firewall. 80% of all computer + trespassers are insiders, not anonymous crackers. + </P +></BLOCKQUOTE +></DIV +><P +> First thing's first: Secure your installation. + <DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +> These instructions must, of necessity, be somewhat vague since Bugzilla runs on so many different + platforms. If you have refinements of these directions for specific platforms, please + submit them to <A +HREF="mailto://mozilla-webtools@mozilla.org" +TARGET="_top" +>mozilla-webtools@mozilla.org</A +> + </P +></BLOCKQUOTE +></DIV +> + <P +></P +><OL +TYPE="1" +><LI +><P +> Ensure you are running at least MysQL version 3.22.32 or newer. Earlier versions had + notable security holes and poorly secured default configuration choices. + </P +></LI +><LI +><P +><EM +>There is no substitute for understanding the tools on your system!</EM +> + Read <A +HREF="http://www.mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html" +TARGET="_top" +> The MySQL Privelege System</A +> until you can recite it from memory!</P +><P +> At the very least, ensure you password the "mysql -u root" account and the "bugs" account, establish grant + table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details) + that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone + advice back when I knew far less about security than I do now : ) + </P +></LI +><LI +><P +> Lock down /etc/inetd.conf. Heck, disable inet entirely on this box. It should only listen to + port 25 for Sendmail + and port 80 for Apache. + </P +></LI +><LI +><P +>Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories. + Run it, instead, as a user with a name, set via your httpd.conf file.</P +></LI +><LI +><P +> Ensure you have adequate access controls for $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/localconfig. + The localconfig file stores your "bugs" user password, which would be terrible to have in the hands + of a criminal. Also some files under $BUGZILLA_HOME/data store sensitive information. + </P +><P +> On Apache, you can use .htaccess files to protect access to these directories, as outlined + in <A +HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" +TARGET="_top" +>Bug 57161</A +> for the + localconfig file, and <A +HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572" +TARGET="_top" +> Bug 65572</A +> for adequate protection in your data/ and shadow/ directories. + </P +><P +> Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other + non-Apache web servers, please consult your system documentation for how to secure these + files from being transmitted to curious users. + </P +><P +> Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/data directory. + <P +CLASS="LITERALLAYOUT" +> <Files comments><br> + allow from all<br> + </Files><br> + deny from all<br> + </P +> + </P +><P +> Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/ directory. + <P +CLASS="LITERALLAYOUT" +> <Files localconfig><br> + deny from all<br> + </Files><br> + allow from all<br> + </P +> + </P +><P +> Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/shadow directory. + <P +CLASS="LITERALLAYOUT" +> deny from all<br> + </P +> + </P +></LI +><LI +><P +> + </P +></LI +></OL +> + </P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="programadmin.html" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="index.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="using.html" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Product, Component, Milestone, and Version Administration</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="administration.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Using Bugzilla</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |