Diffstat (limited to 'docs/html/security.html')
-rw-r--r-- | docs/html/security.html | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/html/security.html b/docs/html/security.html index 63e94f8cf..49a2d10a4 100644 --- a/docs/html/security.html +++ b/docs/html/security.html @@ -323,6 +323,45 @@ TARGET="_top" ></TABLE ></DIV ><P +> When you run checksetup.pl, the script will attempt to modify various + permissions on files which Bugzilla uses. If you do not have a + webservergroup set in the localconfig file, then Bugzilla will have to + make certain files world readable and/or writable. <EM +>THIS IS + INSECURE!</EM +>. This means that anyone who can get access to + your system can do whatever they want to your Bugzilla installation. + </P +><DIV +CLASS="note" +><P +></P +><TABLE +CLASS="note" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="../images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> This also means that if your webserver runs all cgi scripts as the + same user/group, anyone on the system who can run cgi scripts will + be able to take control of your Bugzilla installation. + </P +></TD +></TR +></TABLE +></DIV +><P > On Apache, you can use .htaccess files to protect access to these directories, as outlined in <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" |
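Review bot: The paragraph added in the @@ -323,6 +323,45 @@ hunk warns that an unset webservergroup forces files to be world readable and/or writable, but it stops at the warning and never says what the administrator should do. Add a sentence telling the reader to set webservergroup in localconfig to the group the web server runs under and then run checksetup.pl again so it can apply the narrower permissions. Two smaller points in the same paragraph: the period after the closing EM tag makes the text render as "THIS IS INSECURE!." and should be dropped, and "anyone who can get access to your system" would be clearer as any user with an account on the host, since that is who world-readable and world-writable file modes expose the installation to. The note about the webserver running all cgi scripts as the same user/group has the same gap: it names the exposure without saying whether setting webservergroup helps in that configuration.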