summaryrefslogtreecommitdiffstats
path: root/docs/xml/installation.xml
diff options
context:
space:
mode:
authorjake%bugzilla.org <>2004-12-02 13:21:27 +0100
committerjake%bugzilla.org <>2004-12-02 13:21:27 +0100
commitd8070af6b6a6ede39a318965f1c1303768e2a9db (patch)
treefe0201127f00d0b2bd1fd1c1af7c3ed75a5e3cb0 /docs/xml/installation.xml
parent5a2b693c8cfcdb188eeaff860094d073149c3603 (diff)
downloadbugzilla-d8070af6b6a6ede39a318965f1c1303768e2a9db.tar.gz
bugzilla-d8070af6b6a6ede39a318965f1c1303768e2a9db.tar.xz
Reinstate the seperate security section as a chapter.
Diffstat (limited to 'docs/xml/installation.xml')
-rw-r--r--docs/xml/installation.xml284
1 files changed, 15 insertions, 269 deletions
diff --git a/docs/xml/installation.xml b/docs/xml/installation.xml
index 9c60535a1..0f06b4735 100644
--- a/docs/xml/installation.xml
+++ b/docs/xml/installation.xml
@@ -1,5 +1,5 @@
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: installation.xml,v 1.81 2004/11/25 08:50:59 jocuri%softhome.net Exp $ -->
+<!-- $Id: installation.xml,v 1.82 2004/12/02 04:21:27 jake%bugzilla.org Exp $ -->
<chapter id="installing-bugzilla">
<title>Installing Bugzilla</title>
@@ -520,7 +520,8 @@
<para>Poorly-configured MySQL and Bugzilla installations have
given attackers full access to systems in the past. Please take the
security parts of these guidelines seriously, even for Bugzilla
- machines hidden away behind your firewall.</para>
+ machines hidden away behind your firewall. Be certain to read
+ <xref linkend="security"/> for some important security tips.</para>
</warning>
<section id="localconfig">
@@ -560,70 +561,13 @@
<section id="mysql">
<title>MySQL</title>
- <section id="security-mysql">
- <title>Security</title>
-
- <para>MySQL ships as insecure by default.
- It allows anybody to on the local machine full administrative
- capabilities without requiring a password; the special
- MySQL root account (note: this is <emphasis>not</emphasis> the same as
- the system root) also has no password.
- Also, many installations default to running
- <application>mysqld</application> as the system root.
+ <caution>
+ <para>MySQL's default configuration is very insecure.
+ <xref linkend="security-mysql"/> has some good information for
+ improving your installation's security.
</para>
-
- <orderedlist>
- <listitem>
- <para>To disable the anonymous user account
- and set a password for the root user, execute the following. The
- root user password should be different to the bugs user password
- you set in
- <filename>localconfig</filename> in the previous section,
- and also different to
- the password for the system root account on your machine.
- </para>
- <screen> <prompt>bash$</prompt> mysql mysql
- <prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
- <prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
- <prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;</screen>
-
- <para>From this point forward, to run the
- <filename>mysql</filename> command-line client,
- you will need to type
- <command>mysql -u root -p</command> and enter
- <replaceable>new_password</replaceable> when prompted.
- </para>
- </listitem>
-
- <listitem>
- <para>If you run MySQL on the same machine as your web server, you
- should disable remote access to MySQL by adding
- the following to your <filename>/etc/my.cnf</filename>:
- </para>
- <programlisting> [myslqd]
- # Prevent network access to MySQL.
- skip-networking</programlisting>
- </listitem>
-
- <listitem>
- <para>Consult the documentation that came with your system for
- information on making <application>mysqld</application> run as an
- unprivileged user.
- </para>
- </listitem>
-
- <listitem>
- <para>For added security, you could also run MySQL, or even all
- of Bugzilla
- in a chroot jail; however, instructions for doing that are beyond
- the scope of this document.
- </para>
- </listitem>
-
- </orderedlist>
-
- </section>
-
+ </caution>
+
<section id="install-setupdatabase">
<title>Allow large attachments</title>
@@ -765,7 +709,10 @@
<section id="http">
<title>Web server</title>
<para>Configure your web server according to the instructions in the
- appropriate section. The Bugzilla Team recommends Apache.
+ appropriate section. The Bugzilla Team recommends Apache. No matter
+ what webserver you choose, make sure that sensitive information is
+ not remotely available by ensuring that the access controls in
+ <xref linkend="security-webserver-access"/> are properly applied.
</para>
<section id="http-apache">
@@ -825,7 +772,7 @@
<para>Also, and this can't be stressed enough, make sure that files such as
<filename>localconfig</filename> and your <filename class="directory">data</filename>
- directory are secured as described in <xref linkend="security-access"/>.
+ directory are secured as described in <xref linkend="security-webserver-access"/>.
</para>
</section>
@@ -893,137 +840,6 @@
</note>
</section>
- <section id="security-access">
- <title>Web Server Access Controls</title>
-
- <para>Users of Apache can skip this section because
- Bugzilla ships with <filename>.htaccess</filename> files which
- restrict access in the manner required.
- Users of other webservers, read on.
- </para>
-
- <para>There are several files in the Bugzilla directory
- that should not be accessible from the web. You need to configure
- your webserver so they they aren't. Not doing this may reveal
- sensitive information such as database passwords.
- </para>
-
- <itemizedlist spacing="compact">
- <listitem>
- <para>In the main Bugzilla directory, you should:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block:
- <simplelist type="inline">
- <member><filename>*.pl</filename></member>
- <member><filename>*localconfig*</filename></member>
- <member><filename>runtests.sh</filename></member>
- </simplelist>
- </para>
- </listitem>
- <listitem>
- <para>But allow:
- <simplelist type="inline">
- <member><filename>localconfig.js</filename></member>
- <member><filename>localconfig.rdf</filename></member>
- </simplelist>
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
-
- <listitem>
- <para>In <filename class="directory">data</filename>:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- <listitem>
- <para>But allow:
- <simplelist type="inline">
- <member><filename>duplicates.rdf</filename></member>
- </simplelist>
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
-
- <listitem>
- <para>In <filename class="directory">data/webdot</filename>:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>If you use a remote webdot server:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- <listitem>
- <para>But allow
- <simplelist type="inline">
- <member><filename>*.dot</filename></member>
- </simplelist>
- only for the remote webdot server</para>
- </listitem>
- </itemizedlist>
- </listitem>
- <listitem>
- <para>Otherwise, if you use a local GraphViz:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- <listitem>
- <para>But allow:
- <simplelist type="inline">
- <member><filename>*.png</filename></member>
- <member><filename>*.gif</filename></member>
- <member><filename>*.jpg</filename></member>
- <member><filename>*.map</filename></member>
- </simplelist>
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
- <listitem>
- <para>And if you don't use any dot:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- </itemizedlist>
- </listitem>
- </itemizedlist>
- </listitem>
-
- <listitem>
- <para>In <filename class="directory">Bugzilla</filename>:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- </itemizedlist>
- </listitem>
-
- <listitem>
- <para>In <filename class="directory">template</filename>:</para>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Block everything</para>
- </listitem>
- </itemizedlist>
- </listitem>
- </itemizedlist>
-
- <para>You should test to make sure that the files mentioned above are
- not accessible from the Internet, especially your
- <filename>localconfig</filename> file which contains your database
- password. To test, simply point your web browser at the file; for
- example, to test mozilla.org's installation, we'd try to access
- <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should
- get a <errorcode>403</errorcode> <errorname>Forbidden</errorname>
- error.
- </para>
- </section>
</section>
@@ -1310,75 +1126,6 @@
</section>
- <section id="content-type">
-
- <title>Prevent users injecting malicious
- Javascript</title>
-
- <para>It is possible for a Bugzilla user to take advantage of character
- set encoding ambiguities to inject HTML into Bugzilla comments. This
- could include malicious scripts.
- Due to internationalization concerns, we are unable to
- incorporate by default the code changes suggested by
- <ulink
- url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">
- the CERT advisory</ulink> on this issue.
- If your installation is for an English speaking audience only, making the
- change below will prevent this problem.
- </para>
-
- <para>Simply locate the following line in
- <filename>Bugzilla/CGI.pm</filename>:
- <programlisting>$self->charset('');</programlisting>
- and change it to:
- <programlisting>$self->charset('ISO-8859-1');</programlisting>
- </para>
- </section>
-
- <section id="mod-throttle"
- xreflabel="Using mod_throttle to prevent Denial of Service attacks">
- <title>
- <filename>mod_throttle</filename></title>
-
- <para>It is possible for a user, by mistake or on purpose, to access
- the database many times in a row which can result in very slow access
- speeds for other users. If your Bugzilla installation is experiencing
- this problem, you may install the Apache module
- <filename>mod_throttle</filename>
- which can limit connections by IP address. You may download this module
- at
- <ulink url="http://www.snert.com/Software/mod_throttle/"/>.
- Follow the instructions to install into your Apache install.
- <emphasis>This module only functions with the Apache web
- server!</emphasis>
- The command you need is
- <command>ThrottleClientIP</command>. See the
- <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink>
- for more information.</para>
- </section>
-
- <section id="security-networking">
- <title>TCP/IP Ports</title>
-
- <para>A single-box Bugzilla only requires port 80, plus port 25 if
- you are using the optional email interface. You should firewall all
- other ports and/or disable services listening on them.
- </para>
- </section>
-
- <section id="security-daemon">
- <title>Daemon Accounts</title>
-
- <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to
- running as either <quote>root</quote> or <quote>nobody</quote>. Running
- as <quote>root</quote> introduces obvious security problems, but the
- problems introduced by running everything as <quote>nobody</quote> may
- not be so obvious. Basically, if you're running every daemon as
- <quote>nobody</quote> and one of them gets compromised, they all get
- compromised. For this reason it is recommended that you create a user
- account for each daemon.
- </para>
- </section>
<section id="apache-addtype">
<title>Serving Alternate Formats with the right MIME type</title>
@@ -1532,7 +1279,7 @@ $smtp->quit;
<para>As is the case on Unix based systems, any web server should be
able to handle Bugzilla; however, the Bugzilla Team still recommends
Apache whenever asked. No matter what web server you choose, be sure
- to pay attention to the security notes in <xref linkend="security-access"/>.
+ to pay attention to the security notes in <xref linkend="security-webserver-access"/>.
More information on configuring specific web servers can be found in
<xref linkend="http"/>.
</para>
@@ -2205,4 +1952,3 @@ sgml-shorttag:t
sgml-tag-region-if-active:t
End:
-->
-
generated by cgit v1.2.3-24-g4f1b (git 2.32.0) at 2024-05-10 01:47:37 +0200