summaryrefslogtreecommitdiffstats
path: root/docs/html/security.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/html/security.html')
-rw-r--r--docs/html/security.html299
1 files changed, 299 insertions, 0 deletions
diff --git a/docs/html/security.html b/docs/html/security.html
new file mode 100644
index 000000000..5f04fed98
--- /dev/null
+++ b/docs/html/security.html
@@ -0,0 +1,299 @@
+<HTML
+><HEAD
+><TITLE
+>Bugzilla Security</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"><LINK
+REL="HOME"
+TITLE="The Bugzilla Guide"
+HREF="index.html"><LINK
+REL="UP"
+TITLE="Administering Bugzilla"
+HREF="administration.html"><LINK
+REL="PREVIOUS"
+TITLE="Product, Component, Milestone, and Version Administration"
+HREF="programadmin.html"><LINK
+REL="NEXT"
+TITLE="Using Bugzilla"
+HREF="using.html"></HEAD
+><BODY
+CLASS="SECTION"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>The Bugzilla Guide</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="programadmin.html"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+>Chapter 3. Administering Bugzilla</TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="using.html"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="SECTION"
+><H1
+CLASS="SECTION"
+><A
+NAME="SECURITY"
+>3.4. Bugzilla Security</A
+></H1
+><TABLE
+BORDER="0"
+WIDTH="100%"
+CELLSPACING="0"
+CELLPADDING="0"
+CLASS="EPIGRAPH"
+><TR
+><TD
+WIDTH="45%"
+>&nbsp;</TD
+><TD
+WIDTH="45%"
+ALIGN="LEFT"
+VALIGN="TOP"
+><I
+><P
+><I
+>Putting your money in a wall safe is better protection than depending on the fact that
+ no one knows that you hide your money in a mayonnaise jar in your fridge.</I
+></P
+></I
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+> Poorly-configured MySQL, Bugzilla, and FTP installations have given attackers full
+ access to systems in the past. Please take these guidelines seriously, even
+ for Bugzilla machines hidden away behind your firewall. 80% of all computer
+ trespassers are insiders, not anonymous crackers.
+ </P
+></BLOCKQUOTE
+></DIV
+><P
+> First thing's first: Secure your installation.
+ <DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+> These instructions must, of necessity, be somewhat vague since Bugzilla runs on so many different
+ platforms. If you have refinements of these directions for specific platforms, please
+ submit them to <A
+HREF="mailto://mozilla-webtools@mozilla.org"
+TARGET="_top"
+>mozilla-webtools@mozilla.org</A
+>
+ </P
+></BLOCKQUOTE
+></DIV
+>
+ <P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> Ensure you are running at least MysQL version 3.22.32 or newer. Earlier versions had
+ notable security holes and poorly secured default configuration choices.
+ </P
+></LI
+><LI
+><P
+><EM
+>There is no substitute for understanding the tools on your system!</EM
+>
+ Read <A
+HREF="http://www.mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html"
+TARGET="_top"
+> The MySQL Privelege System</A
+> until you can recite it from memory!</P
+><P
+> At the very least, ensure you password the "mysql -u root" account and the "bugs" account, establish grant
+ table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details)
+ that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone
+ advice back when I knew far less about security than I do now : )
+ </P
+></LI
+><LI
+><P
+> Lock down /etc/inetd.conf. Heck, disable inet entirely on this box. It should only listen to
+ port 25 for Sendmail
+ and port 80 for Apache.
+ </P
+></LI
+><LI
+><P
+>Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories.
+ Run it, instead, as a user with a name, set via your httpd.conf file.</P
+></LI
+><LI
+><P
+> Ensure you have adequate access controls for $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/localconfig.
+ The localconfig file stores your "bugs" user password, which would be terrible to have in the hands
+ of a criminal. Also some files under $BUGZILLA_HOME/data store sensitive information.
+ </P
+><P
+> On Apache, you can use .htaccess files to protect access to these directories, as outlined
+ in <A
+HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161"
+TARGET="_top"
+>Bug 57161</A
+> for the
+ localconfig file, and <A
+HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572"
+TARGET="_top"
+> Bug 65572</A
+> for adequate protection in your data/ and shadow/ directories.
+ </P
+><P
+> Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other
+ non-Apache web servers, please consult your system documentation for how to secure these
+ files from being transmitted to curious users.
+ </P
+><P
+> Place the following text into a file named ".htaccess", readable by your web server,
+ in your $BUGZILLA_HOME/data directory.
+ <P
+CLASS="LITERALLAYOUT"
+> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#60;Files&nbsp;comments&#62;<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;allow&nbsp;from&nbsp;all<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#60;/Files&#62;<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;deny&nbsp;from&nbsp;all<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;</P
+>
+ </P
+><P
+> Place the following text into a file named ".htaccess", readable by your web server,
+ in your $BUGZILLA_HOME/ directory.
+ <P
+CLASS="LITERALLAYOUT"
+> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#60;Files&nbsp;localconfig&#62;<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;deny&nbsp;from&nbsp;all<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#60;/Files&#62;<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;allow&nbsp;from&nbsp;all<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;</P
+>
+ </P
+><P
+> Place the following text into a file named ".htaccess", readable by your web server,
+ in your $BUGZILLA_HOME/shadow directory.
+ <P
+CLASS="LITERALLAYOUT"
+> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;deny&nbsp;from&nbsp;all<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;</P
+>
+ </P
+></LI
+><LI
+><P
+>
+ </P
+></LI
+></OL
+>
+ </P
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="programadmin.html"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="using.html"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Product, Component, Milestone, and Version Administration</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="administration.html"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Using Bugzilla</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file