From 8ab64629d3a091a0ccb6af52c48ee7bb9fd8834d Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Fri, 4 Apr 2008 00:05:36 +0000 Subject: Bug 182975: Bugzilla directory structure to be adopted to l10n needs - Patch by A.A. Shimono (himorin) r=LpSolit r=mkanat a=LpSolit --- docs/en/xml/security.xml | 367 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 367 insertions(+) create mode 100644 docs/en/xml/security.xml (limited to 'docs/en/xml/security.xml') diff --git a/docs/en/xml/security.xml b/docs/en/xml/security.xml new file mode 100644 index 000000000..c0ac03d30 --- /dev/null +++ b/docs/en/xml/security.xml @@ -0,0 +1,367 @@ + + + + +Bugzilla Security + + While some of the items in this chapter are related to the operating + system Bugzilla is running on or some of the support software required to + run Bugzilla, it is all related to protecting your data. This is not + intended to be a comprehensive guide to securing Linux, Apache, MySQL, or + any other piece of software mentioned. There is no substitute for active + administration and monitoring of a machine. The key to good security is + actually right in the middle of the word: U R It. + + + While programmers in general always strive to write secure code, + accidents can and do happen. The best approach to security is to always + assume that the program you are working with isn't 100% secure and restrict + its access to other parts of your machine as much as possible. + + +
+ Operating System + +
+ TCP/IP Ports + + + The TCP/IP standard defines more than 65,000 ports for sending + and receiving traffic. Of those, Bugzilla needs exactly one to operate + (different configurations and options may require up to 3). You should + audit your server and make sure that you aren't listening on any ports + you don't need to be. It's also highly recommended that the server + Bugzilla resides on, along with any other machines you administer, be + placed behind some kind of firewall. + + +
+ +
+ System User Accounts + + Many daemons, such + as Apache's httpd or MySQL's + mysqld, run as either root or + nobody. This is even worse on Windows machines where the + majority of services + run as SYSTEM. While running as root or + SYSTEM introduces obvious security concerns, the + problems introduced by running everything as nobody may + not be so obvious. Basically, if you run every daemon as + nobody and one of them gets compromised it can + compromise every other daemon running as nobody on your + machine. For this reason, it is recommended that you create a user + account for each daemon. + + + + You will need to set the option + in localconfig to the group your web server runs + as. This will allow ./checksetup.pl to set file + permissions on Unix systems so that nothing is world-writable. + + + +
+ +
+ The <filename>chroot</filename> Jail + + + If your system supports it, you may wish to consider running + Bugzilla inside of a chroot jail. This option + provides unprecedented security by restricting anything running + inside the jail from accessing any information outside of it. If you + wish to use this option, please consult the documentation that came + with your system. + + +
+ +
+ + + +
+ MySQL + +
+ The MySQL System Account + + As mentioned in , the MySQL + daemon should run as a non-privileged, unique user. Be sure to consult + the MySQL documentation or the documentation that came with your system + for instructions. + +
+ +
+ The MySQL <quote>root</quote> and <quote>anonymous</quote> Users + + By default, MySQL comes with a root user with a + blank password and an anonymous user, also with a blank + password. In order to protect your data, the root user + should be given a password and the anonymous user should be disabled. + + + + Assigning the MySQL <quote>root</quote> User a Password + + +bash$ mysql mysql +mysql> UPDATE user SET password = password('new_password') WHERE user = 'root'; +mysql> FLUSH PRIVILEGES; + + + + + Disabling the MySQL <quote>anonymous</quote> User + +bash$ mysql -u root -p mysql +Enter Password: new_password +mysql> DELETE FROM user WHERE user = ''; +mysql> FLUSH PRIVILEGES; + + + + This command assumes that you have already completed + . + + + + + +
+ +
+ Network Access + + If MySQL and your web server both run on the same machine and you + have no other reason to access MySQL remotely, then you should disable + the network access. This, along with the suggestion in + , will help protect your system from + any remote vulnerabilities in MySQL. + + + + Disabling Networking in MySQL + + Simply enter the following in /etc/my.cnf: + +[mysqld] +# Prevent network access to MySQL. +skip-networking + + + + +
+ + + + +
+ + + +
+ Web server + +
+ Disabling Remote Access to Bugzilla Configuration Files + + + There are many files that are placed in the Bugzilla directory + area that should not be accessible from the web server. Because of the way + Bugzilla is currently layed out, the list of what should and should not + be accessible is rather complicated. A quick way is to run + testserver.pl to check if your web server serves + Bugzilla files as expected. If not, you may want to follow the few + steps below. + + + + Bugzilla ships with the ability to create + .htaccess + files that enforce these rules. Instructions for enabling these + directives in Apache can be found in + + + + + + In the main Bugzilla directory, you should: + + + Block: + + *.pl + *localconfig* + + + + + + + + In data: + + + Block everything + + + But allow: + + duplicates.rdf + + + + + + + + In data/webdot: + + + If you use a remote webdot server: + + + Block everything + + + But allow + + *.dot + + only for the remote webdot server + + + + + Otherwise, if you use a local GraphViz: + + + Block everything + + + But allow: + + *.png + *.gif + *.jpg + *.map + + + + + + + And if you don't use any dot: + + + Block everything + + + + + + + + In Bugzilla: + + + Block everything + + + + + + In template: + + + Block everything + + + + + + Be sure to test that data that should not be accessed remotely is + properly blocked. Of particular interest is the localconfig file which + contains your database password. Also, be aware that many editors + create temporary and backup files in the working directory and that + those should also not be accessible. For more information, see + bug 186383 + or + Bugtraq ID 6501. + To test, simply run testserver.pl, as said above. + + + + Be sure to check for instructions + specific to the web server you use. + + + +
+ + +
+ + +
+ Bugzilla + +
+ Prevent users injecting malicious Javascript + + If you installed Bugzilla version 2.22 or later from scratch, + then the utf8 parameter is switched on by default. + This makes Bugzilla explicitly set the character encoding, following + a + CERT advisory recommending exactly this. + The following therefore does not apply to you; just keep + utf8 turned on. + + + If you've upgraded from an older version, then it may be possible + for a Bugzilla user to take advantage of character set encoding + ambiguities to inject HTML into Bugzilla comments. + This could include malicious scripts. + This is because due to internationalization concerns, we are unable to + turn the utf8 parameter on by default for upgraded + installations. + Turning it on manually will prevent this problem. + +
+ +
+ +
+ + + -- cgit v1.2.3-24-g4f1b
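Review bot: In the "Assigning the MySQL root User a Password" example, the doc edits the grant table directly with `UPDATE user SET password = password('new_password') WHERE user = 'root';` followed by `FLUSH PRIVILEGES;`; the supported statement is `SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');` (or `mysqladmin -u root password`), which updates the in-memory grant tables itself and does not need the FLUSH, and the text should warn that either form leaves the plaintext password in the mysql client's history file, since the next example goes on to type it again at the `Enter Password:` prompt. Two further points in the same file: the "Disabling Networking in MySQL" example adds `skip-networking` but should say that the database host in localconfig must then be `localhost`, so that the client library connects over the Unix socket instead of TCP, otherwise Bugzilla loses its database after this change; and the chroot section's claim that the jail "provides unprecedented security" overstates it, since a process running as root inside a chroot can still leave it, so that sentence should be qualified to say the jail only limits what a compromised non-root daemon can reach, which is consistent with the per-daemon user advice given earlier in the same file.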