Diffstat (limited to 'docs/html/security.html')
-rw-r--r-- docs/html/security.html 175
1 files changed, 38 insertions, 137 deletions
diff --git a/docs/html/security.html b/docs/html/security.html index c3fa07499..4bf56506e 100644 --- a/docs/html/security.html +++ b/docs/html/security.html @@ -4,19 +4,21 @@ >Bugzilla Security</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" -TITLE="The Bugzilla Guide - 2.17.5 Development Release" +TITLE="The Bugzilla Guide - 2.17.5 + Development Release" HREF="index.html"><LINK REL="UP" -TITLE="Administering Bugzilla" -HREF="administration.html"><LINK +TITLE="Installation" +HREF="installation.html"><LINK REL="PREVIOUS" -TITLE="Groups and Group Security" -HREF="groups.html"><LINK +TITLE="OS Specific Installation Notes" +HREF="os-specific.html"><LINK REL="NEXT" -TITLE="Template Customization" -HREF="cust-templates.html"></HEAD +TITLE="Troubleshooting" +HREF="troubleshooting.html"></HEAD ><BODY CLASS="section" BGCOLOR="#FFFFFF" @@ -36,7 +38,8 @@ CELLSPACING="0" ><TH COLSPAN="3" ALIGN="center" ->The Bugzilla Guide - 2.17.5 Development Release</TH +>The Bugzilla Guide - 2.17.5 + Development Release</TH ></TR ><TR ><TD @@ -44,7 +47,7 @@ WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A -HREF="groups.html" +HREF="os-specific.html" ACCESSKEY="P" >Prev</A ></TD @@ -52,13 +55,13 @@ ACCESSKEY="P" WIDTH="80%" ALIGN="center" VALIGN="bottom" ->Chapter 5. Administering Bugzilla</TD +>Chapter 4. Installation</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A -HREF="cust-templates.html" +HREF="troubleshooting.html" ACCESSKEY="N" >Next</A ></TD @@ -74,7 +77,7 @@ CLASS="section" ><A NAME="security" ></A ->5.6. Bugzilla Security</H1 +>4.5. Bugzilla Security</H1 ><DIV CLASS="warning" ><P 
@@ -101,66 +104,10 @@ VALIGN="TOP" guidelines seriously, even for Bugzilla machines hidden away behind your firewall. 80% of all computer trespassers are insiders, not anonymous crackers.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="note" -><P -></P -><TABLE -CLASS="note" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="../images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->These instructions must, of necessity, be somewhat vague since - Bugzilla runs on so many different platforms. If you have refinements - of these directions, please submit a bug to <A -HREF="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation" -TARGET="_top" ->Bugzilla Documentation</A ->. - </P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="warning" -><P -></P -><TABLE -CLASS="warning" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="../images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" ><P >This is not meant to be a comprehensive list of every possible - security issue regarding the tools mentioned in this section. There is + security issue pertaining to the software mentioned in this section. + There is no subsitute for reading the information written by the authors of any software running on your system. </P @@ -175,10 +122,10 @@ CLASS="section" ><A NAME="security-networking" ></A ->5.6.1. TCP/IP Ports</H2 +>4.5.1. TCP/IP Ports</H2 ><P >TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla - only needs 1... 2 if you need to use features that require e-mail such + only needs 1, or 2 if you need to use features that require e-mail such as bug moving or the e-mail interface from contrib. You should audit your server and make sure that you aren't listening on any ports you don't need to be. You may also wish to use some kind of firewall 
@@ -193,7 +140,7 @@ CLASS="section" ><A NAME="security-mysql" ></A ->5.6.2. MySQL</H2 +>4.5.2. MySQL</H2 ><P >MySQL ships by default with many settings that should be changed. By defaults it allows anybody to connect from localhost without a @@ -322,7 +269,7 @@ CLASS="section" ><A NAME="security-daemon" ></A ->5.6.3. Daemon Accounts</H2 +>4.5.3. Daemon Accounts</H2 ><P >Many daemons, such as Apache's httpd and MySQL's mysqld default to running as either <SPAN @@ -344,8 +291,8 @@ CLASS="QUOTE" <SPAN CLASS="QUOTE" >"nobody"</SPAN -> and one of them gets comprimised, they all get - comprimised. For this reason it is recommended that you create a user +> and one of them gets compromised, they all get + compromised. For this reason it is recommended that you create a user account for each daemon. </P ><DIV @@ -397,20 +344,17 @@ CLASS="section" ><A NAME="security-access" ></A ->5.6.4. Web Server Access Controls</H2 +>4.5.4. Web Server Access Controls</H2 ><P >There are many files that are placed in the Bugzilla directory area that should not be accessable from the web. Because of the way - Bugzilla is currently layed out, the list of what should and should - not be accessible is rather complicated. A new installation method - is currently in the works which should solve this by allowing files - that shouldn't be accessible from the web to be placed in directory - outside the webroot. See - <A -HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659" -TARGET="_top" -> bug 44659</A -> for more information. + Bugzilla is currently laid out, the list of what should and should + not be accessible is rather complicated. + </P +><P +>Users of Apache don't need to worry about this, however, because + Bugzilla ships with .htaccess files which restrict access to all the + sensitive files in this section. Users of other webservers, read on. </P ><P ></P 
@@ -588,49 +532,6 @@ COMPACT="COMPACT" ></UL ></LI ></UL -><DIV -CLASS="tip" -><P -></P -><TABLE -CLASS="tip" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="../images/tip.gif" -HSPACE="5" -ALT="Tip"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Bugzilla ships with the ability to generate - <TT -CLASS="filename" ->.htaccess</TT -> files instructing - <A -HREF="glossary.html#gloss-apache" -><I -CLASS="glossterm" ->Apache</I -></A -> which files - should and should not be accessible. For more information, see - <A -HREF="http.html#http-apache" ->Section 4.4.1</A ->. - </P -></TD -></TR -></TABLE -></DIV ><P >You should test to make sure that the files mentioned above are not accessible from the Internet, especially your @@ -706,7 +607,7 @@ VALIGN="TOP" ><P >You should check <A HREF="http.html" ->Section 4.4</A +>Section 4.2</A > to see if instructions have been included for your web server. You should also compare those instructions with this list to make sure everything is properly @@ -734,7 +635,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" ><A -HREF="groups.html" +HREF="os-specific.html" ACCESSKEY="P" >Prev</A ></TD @@ -752,7 +653,7 @@ WIDTH="33%" ALIGN="right" VALIGN="top" ><A -HREF="cust-templates.html" +HREF="troubleshooting.html" ACCESSKEY="N" >Next</A ></TD @@ -762,13 +663,13 @@ ACCESSKEY="N" WIDTH="33%" ALIGN="left" VALIGN="top" ->Groups and Group Security</TD +>OS Specific Installation Notes</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A -HREF="administration.html" +HREF="installation.html" ACCESSKEY="U" >Up</A ></TD @@ -776,7 +677,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Template Customization</TD +>Troubleshooting</TD ></TR ></TABLE ></DIV |
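Review bot: in the hunk at @@ -101,66 +104,10, the typo "subsitute" ("no subsitute for reading the information") survives on an unchanged context line even though the sentence it belongs to is being rewritten ("pertaining to the software mentioned in this section."); fix it to "substitute" in the same change. The GENERATOR meta line in the first hunk shows this HTML is produced by the DocBook stylesheet, so the correction belongs in the DocBook source of this section, and the same goes for "trafic" in the TCP/IP Ports hunk and "accessable" in the Web Server Access Controls hunk, both of which are also carried over untouched.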
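Review bot: in the hunk at @@ -397,20 +344,17, the new paragraph "Users of Apache don't need to worry about this, however, because Bugzilla ships with .htaccess files which restrict access to all the sensitive files in this section." overstates the protection: Apache only honours .htaccess files when its configuration grants AllowOverride for the Bugzilla directory, so an installation with AllowOverride None still exposes every file the list that follows describes. Suggest qualifying the sentence (for example "provided your Apache configuration allows .htaccess files to take effect") and keeping a pointer to the Apache instructions in http.html, since the unchanged text later in this file still tells every reader to "test to make sure that the files mentioned above are not accessible from the Internet". Dropping the bug 44659 link is fine, but the retained "the list of what should and should not be accessible is rather complicated" sentence now has no pointer explaining why.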
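Review bot: the hunk at @@ -588,49 +532,6 removes the only cross-reference on this page to the Apache configuration section (http.html#http-apache, "Section 4.4.1"), and the removed tip's wording that Bugzilla "ships with the ability to generate .htaccess files" is more accurate than the new "ships with .htaccess files" paragraph in the Web Server Access Controls hunk, because files that are generated are only present once that step has run. Suggest carrying the link forward into the new paragraph, renumbered to match the "Section 4.2" change applied to the http.html reference in the hunk at @@ -706,7 +607,7, rather than dropping it entirely.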