path: root/docs/en/xml/administration.xml
Diffstat (limited to 'docs/en/xml/administration.xml')
-rw-r--r--docs/en/xml/administration.xml33
1 files changed, 30 insertions, 3 deletions
diff --git a/docs/en/xml/administration.xml b/docs/en/xml/administration.xml
index c52cacebf..8ca600c54 100644
--- a/docs/en/xml/administration.xml
+++ b/docs/en/xml/administration.xml
@@ -1048,12 +1048,39 @@ operating parameters for bugzilla.</PARA>
</LISTITEM>
<LISTITEM>
<PARA>
- Ensure you have adequate access controls for $BUGZILLA_HOME/data/, $BUGZILLA_HOME/localconfig,
- and $BUGZILLA_HOME/shadow directories.
+ Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and
+ $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and
+ $BUGZILLA_HOME/globals.pl files.
The localconfig file stores your "bugs" user password,
which would be terrible to have in the hands
- of a criminal. Also some files under $BUGZILLA_HOME/data store sensitive information.
+ of a criminal, while the "globals.pl" stores some default information regarding your
+ installation which could aid a system cracker.
+ In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and
+ $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure
+ these directories and this file, you will expose bug information to those who may not
+ be allowed to see it.
</PARA>
+ <NOTE>
+ <PARA>
+ Bugzilla provides default .htaccess files to protect the most common Apache
+ installations. However, you should verify these are adequate according to the site-wide
+ security policy of your web server, and ensure that the .htaccess files are
+ allowed to "override" default permissions set in your Apache configuration files.
+ Covering Apache security is beyond the scope of this Guide; please consult the Apache
+ documentation for details.
+ </PARA>
+ <PARA>
+ If you are using a web server that does not support the .htaccess control method,
+ <EMPHASIS>you are at risk!</EMPHASIS> After installing, check to see if you can
+ view the file "localconfig" in your web browser (ergo:
+ <ULINK URL="http://bugzilla.mozilla.org/localconfig">
+ http://bugzilla.mozilla.org/localconfig</ULINK>. If you can read the contents of this
+ file, your web server has not secured your bugzilla directory properly and you
+ must fix this problem before deploying Bugzilla. If, however, it gives you a
+ "Forbidden" error, then it probably respects the .htaccess conventions and you
+ are good to go.
+ </PARA>
+ </NOTE>
<PARA>
On Apache, you can use .htaccess files to protect access to these directories, as outlined
in <ULINK URL="http://bugzilla.mozilla.org/show_bug.cgi?id=57161">Bug 57161</ULINK> for the
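Review bot: The self-check in the second added NOTE paragraph only covers "localconfig", but the paragraph above it just added $BUGZILLA_HOME/globals.pl and the $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/shadow/ directories to the list of things that must be protected; the check should tell the reader to try those paths too, otherwise a reader can pass the test while data/ and shadow/ are still world-readable. Three smaller points in the same paragraph: "ergo" means "therefore", so "(ergo: <ULINK ...>" should read "(e.g. <ULINK ...>", and that parenthesis is never closed; the example URL points at the live bugzilla.mozilla.org install rather than a placeholder for the reader's own server, so something like "http://your.bugzilla.server/localconfig" would be clearer; and a "Forbidden" response only shows that this one path is blocked, so "probably respects the .htaccess conventions" overstates what the check proves. Finally, in the first added block "these directories and this file" should be "these directories and these files" now that both localconfig and globals.pl are named.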