diff options
Diffstat (limited to 'docs/en/xml/security.xml')
-rw-r--r-- | docs/en/xml/security.xml | 367 |
1 files changed, 367 insertions, 0 deletions
diff --git a/docs/en/xml/security.xml b/docs/en/xml/security.xml new file mode 100644 index 000000000..c0ac03d30 --- /dev/null +++ b/docs/en/xml/security.xml @@ -0,0 +1,367 @@ +<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> +<!-- $Id: security.xml,v 1.1 2008/04/03 19:05:43 lpsolit%gmail.com Exp $ --> + +<chapter id="security"> +<title>Bugzilla Security</title> + + <para>While some of the items in this chapter are related to the operating + system Bugzilla is running on or some of the support software required to + run Bugzilla, it is all related to protecting your data. This is not + intended to be a comprehensive guide to securing Linux, Apache, MySQL, or + any other piece of software mentioned. There is no substitute for active + administration and monitoring of a machine. The key to good security is + actually right in the middle of the word: <emphasis>U R It</emphasis>. + </para> + + <para>While programmers in general always strive to write secure code, + accidents can and do happen. The best approach to security is to always + assume that the program you are working with isn't 100% secure and restrict + its access to other parts of your machine as much as possible. + </para> + + <section id="security-os"> + <title>Operating System</title> + + <section id="security-os-ports"> + <title>TCP/IP Ports</title> + + <!-- TODO: Get exact number of ports --> + <para>The TCP/IP standard defines more than 65,000 ports for sending + and receiving traffic. Of those, Bugzilla needs exactly one to operate + (different configurations and options may require up to 3). You should + audit your server and make sure that you aren't listening on any ports + you don't need to be. It's also highly recommended that the server + Bugzilla resides on, along with any other machines you administer, be + placed behind some kind of firewall. + </para> + + </section> + + <section id="security-os-accounts"> + <title>System User Accounts</title> + + <para>Many <glossterm linkend="gloss-daemon">daemons</glossterm>, such + as Apache's <filename>httpd</filename> or MySQL's + <filename>mysqld</filename>, run as either <quote>root</quote> or + <quote>nobody</quote>. This is even worse on Windows machines where the + majority of <glossterm linkend="gloss-service">services</glossterm> + run as <quote>SYSTEM</quote>. While running as <quote>root</quote> or + <quote>SYSTEM</quote> introduces obvious security concerns, the + problems introduced by running everything as <quote>nobody</quote> may + not be so obvious. Basically, if you run every daemon as + <quote>nobody</quote> and one of them gets compromised it can + compromise every other daemon running as <quote>nobody</quote> on your + machine. For this reason, it is recommended that you create a user + account for each daemon. + </para> + + <note> + <para>You will need to set the <option>webservergroup</option> option + in <filename>localconfig</filename> to the group your web server runs + as. This will allow <filename>./checksetup.pl</filename> to set file + permissions on Unix systems so that nothing is world-writable. + </para> + </note> + + </section> + + <section id="security-os-chroot"> + <title>The <filename>chroot</filename> Jail</title> + + <para> + If your system supports it, you may wish to consider running + Bugzilla inside of a <filename>chroot</filename> jail. This option + provides unprecedented security by restricting anything running + inside the jail from accessing any information outside of it. If you + wish to use this option, please consult the documentation that came + with your system. + </para> + + </section> + + </section> + + + + <section id="security-mysql"> + <title>MySQL</title> + + <section id="security-mysql-account"> + <title>The MySQL System Account</title> + + <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL + daemon should run as a non-privileged, unique user. Be sure to consult + the MySQL documentation or the documentation that came with your system + for instructions. + </para> + </section> + + <section id="security-mysql-root"> + <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title> + + <para>By default, MySQL comes with a <quote>root</quote> user with a + blank password and an <quote>anonymous</quote> user, also with a blank + password. In order to protect your data, the <quote>root</quote> user + should be given a password and the anonymous user should be disabled. + </para> + + <example id="security-mysql-account-root"> + <title>Assigning the MySQL <quote>root</quote> User a Password</title> + + <screen> +<prompt>bash$</prompt> mysql mysql +<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root'; +<prompt>mysql></prompt> FLUSH PRIVILEGES; + </screen> + </example> + + <example id="security-mysql-account-anonymous"> + <title>Disabling the MySQL <quote>anonymous</quote> User</title> + <screen> +<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/> +<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable> +<prompt>mysql></prompt> DELETE FROM user WHERE user = ''; +<prompt>mysql></prompt> FLUSH PRIVILEGES; + </screen> + <calloutlist> + <callout arearefs="security-mysql-account-anonymous-mysql"> + <para>This command assumes that you have already completed + <xref linkend="security-mysql-account-root"/>. + </para> + </callout> + </calloutlist> + </example> + + </section> + + <section id="security-mysql-network"> + <title>Network Access</title> + + <para>If MySQL and your web server both run on the same machine and you + have no other reason to access MySQL remotely, then you should disable + the network access. This, along with the suggestion in + <xref linkend="security-os-ports"/>, will help protect your system from + any remote vulnerabilities in MySQL. + </para> + + <example id="security-mysql-network-ex"> + <title>Disabling Networking in MySQL</title> + + <para>Simply enter the following in <filename>/etc/my.cnf</filename>: + <screen> +[mysqld] +# Prevent network access to MySQL. +skip-networking + </screen> + </para> + </example> + + </section> + + +<!-- For possible addition in the future: How to better control the bugs user + <section id="security-mysql-bugs"> + <title>The bugs User</title> + + </section> +--> + + </section> + + + + <section id="security-webserver"> + <title>Web server</title> + + <section id="security-webserver-access"> + <title>Disabling Remote Access to Bugzilla Configuration Files</title> + + <para> + There are many files that are placed in the Bugzilla directory + area that should not be accessible from the web server. Because of the way + Bugzilla is currently layed out, the list of what should and should not + be accessible is rather complicated. A quick way is to run + <filename>testserver.pl</filename> to check if your web server serves + Bugzilla files as expected. If not, you may want to follow the few + steps below. + </para> + + <tip> + <para>Bugzilla ships with the ability to create + <glossterm linkend="gloss-htaccess"><filename>.htaccess</filename></glossterm> + files that enforce these rules. Instructions for enabling these + directives in Apache can be found in <xref linkend="http-apache"/> + </para> + </tip> + + <itemizedlist spacing="compact"> + <listitem> + <para>In the main Bugzilla directory, you should:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block: + <simplelist type="inline"> + <member><filename>*.pl</filename></member> + <member><filename>*localconfig*</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">data</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow: + <simplelist type="inline"> + <member><filename>duplicates.rdf</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">data/webdot</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>If you use a remote webdot server:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow + <simplelist type="inline"> + <member><filename>*.dot</filename></member> + </simplelist> + only for the remote webdot server</para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para>Otherwise, if you use a local GraphViz:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow: + <simplelist type="inline"> + <member><filename>*.png</filename></member> + <member><filename>*.gif</filename></member> + <member><filename>*.jpg</filename></member> + <member><filename>*.map</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para>And if you don't use any dot:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">Bugzilla</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">template</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + + <para>Be sure to test that data that should not be accessed remotely is + properly blocked. Of particular interest is the localconfig file which + contains your database password. Also, be aware that many editors + create temporary and backup files in the working directory and that + those should also not be accessible. For more information, see + <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=186383">bug 186383</ulink> + or + <ulink url="http://online.securityfocus.com/bid/6501">Bugtraq ID 6501</ulink>. + To test, simply run <filename>testserver.pl</filename>, as said above. + </para> + + <tip> + <para>Be sure to check <xref linkend="http"/> for instructions + specific to the web server you use. + </para> + </tip> + + </section> + + + </section> + + + <section id="security-bugzilla"> + <title>Bugzilla</title> + + <section id="security-bugzilla-charset"> + <title>Prevent users injecting malicious Javascript</title> + + <para>If you installed Bugzilla version 2.22 or later from scratch, + then the <emphasis>utf8</emphasis> parameter is switched on by default. + This makes Bugzilla explicitly set the character encoding, following + <ulink + url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a + CERT advisory</ulink> recommending exactly this. + The following therefore does not apply to you; just keep + <emphasis>utf8</emphasis> turned on. + </para> + + <para>If you've upgraded from an older version, then it may be possible + for a Bugzilla user to take advantage of character set encoding + ambiguities to inject HTML into Bugzilla comments. + This could include malicious scripts. + This is because due to internationalization concerns, we are unable to + turn the <emphasis>utf8</emphasis> parameter on by default for upgraded + installations. + Turning it on manually will prevent this problem. + </para> + </section> + + </section> + +</chapter> + +<!-- Keep this comment at the end of the file +Local variables: +mode: sgml +sgml-always-quote-attributes:t +sgml-auto-insert-required-elements:t +sgml-balanced-tag-edit:t +sgml-exposed-tags:nil +sgml-general-insert-case:lower +sgml-indent-data:t +sgml-indent-step:2 +sgml-local-catalogs:nil +sgml-local-ecat-files:nil +sgml-minimize-attributes:nil +sgml-namecase-general:t +sgml-omittag:t +sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") +sgml-shorttag:t +sgml-tag-region-if-active:t +End: --> + |