From 57aa101cf330193c1e4f1f057ed0c62a0e988c66 Mon Sep 17 00:00:00 2001 From: "jake%bugzilla.org" <> Date: Fri, 4 Apr 2008 11:47:12 +0000 Subject: Reinstate the seperate security section as a chapter. --- docs/en/xml/Bugzilla-Guide.xml | 171 ++++++++++++--------- docs/en/xml/glossary.xml | 336 ++++++++++++++++++++++++++++++----------- docs/en/xml/installation.xml | 284 ++-------------------------------- 3 files changed, 368 insertions(+), 423 deletions(-) (limited to 'docs/en/xml') diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml index bd0b3a4a1..d12f6a817 100644 --- a/docs/en/xml/Bugzilla-Guide.xml +++ b/docs/en/xml/Bugzilla-Guide.xml @@ -1,55 +1,93 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - -Bugzilla"> +Bugzilla Documentation"> - + + + + + + + + + + + + + + + + + + + + + + + + ]> @@ -58,35 +96,31 @@ try to avoid clutter and feel free to waste space in the code to make it more re - The Bugzilla Guide + The Bugzilla Guide - &bz-ver; + <![%bz-devel;[Development ]]>Release - - - Matthew - P. - Barnson - -
mbarnson@sisna.com
-
-
+ The Bugzilla Team
+ &bz-date; + - This is the documentation for Bugzilla, the mozilla.org - bug-tracking system. - Bugzilla is an enterprise-class piece of software - that powers issue-tracking for hundreds of - organizations around the world, tracking millions of bugs. + This is the documentation for Bugzilla, a + bug-tracking system from mozilla.org. + Bugzilla is an enterprise-class piece of software + that tracks millions of bugs and issues for hundreds of + organizations around the world. + - This documentation is maintained in DocBook 4.1.2 XML format. - Changes are best submitted as plain text or SGML diffs, attached - to a Bugzilla bug. + The most current version of this document can always be found on the + Bugzilla + Documentation Page. - + Bugzilla @@ -104,34 +138,31 @@ try to avoid clutter and feel free to waste space in the code to make it more re &about; - -&using; - &installation; &administration; - -&integration; + +&security; + + +&customization; - -&variants; + +&using; &faq; - -&requiredsoftware; - - -&database; - &patches; - + +&modules; + + &gfdl; @@ -158,8 +189,8 @@ sgml-local-ecat-files:nil sgml-minimize-attributes:nil sgml-namecase-general:t sgml-omittag:t -sgml-parent-document:("Bugzilla-Guide.sgml" "book" "chapter") +sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") sgml-shorttag:t sgml-tag-region-if-active:t End: ---> +--> \ No newline at end of file diff --git a/docs/en/xml/glossary.xml b/docs/en/xml/glossary.xml index 3e40df58a..08ad45524 100644 --- a/docs/en/xml/glossary.xml +++ b/docs/en/xml/glossary.xml @@ -3,7 +3,7 @@ 0-9, high ascii - + .htaccess @@ -15,10 +15,7 @@ to keep secret files which would otherwise compromise your installation - e.g. the localconfig - - file contains the password to your database. If this information were - generally available, and remote access to your database turned on, - you risk corruption of your database by computer criminals or the + file contains the password to your database. curious. 
@@ -27,23 +24,66 @@ A - + Apache In this context, Apache is the web server most commonly used - for serving up - Bugzilla - + for serving up Bugzilla pages. Contrary to popular belief, the apache web server has nothing to do with the ancient and noble Native American tribe, but instead derived its name from the fact that it was a patchy - version of the original NCSA - world-wide-web server. + + + Useful Directives when configuring Bugzilla + + + AddHandler + + Tell Apache that it's OK to run CGI scripts. + + + + AllowOverride + Options + + These directives are used to tell Apache many things about + the directory they apply to. For Bugzilla's purposes, we need + them to allow script execution and .htaccess + overrides. + + + + + DirectoryIndex + + Used to tell Apache what files are indexes. If you can + not add index.cgi to the list of valid files, + you'll need to set $index_html to + 1 in localconfig so + ./checksetup.pl will create an + index.html that redirects to + index.cgi. + + + + + ScriptInterpreterSource + + Used when running Apache on windows so the shebang line + doesn't have to be changed in every Bugzilla script. + + + + + + For more information about how to configure Apache for Bugzilla, + see . + @@ -56,7 +96,7 @@ A - Bug + bug in Bugzilla refers to an issue entered into the database which has an associated number, assignments, comments, etc. Some also refer to a 
@@ -71,40 +111,36 @@ Bug Number - Each Bugzilla Bug is assigned a number that uniquely identifies - that Bug. The Bug associated with a Bug Number can be pulled up via a + Each Bugzilla bug is assigned a number that uniquely identifies + that bug. The bug associated with a bug number can be pulled up via a query, or easily from the very front page by typing the number in the "Find" box. - - Bug Life Cycle + + Bugzilla - A Bug has stages through which it must pass before becoming a - closed bug, - including acceptance, resolution, and verification. The - Bug Life Cycle - - is moderately flexible according to the needs of the organization - using it, though. + Bugzilla is the world-leading free software bug tracking system. + + - - Bugzilla + + C + + Common Gateway Interface + CGI - Bugzilla is the industry-standard bug tracking system. It is - quite popular among Open Source enthusiasts. + CGI is an acronym for Common Gateway Interface. This is + a standard for interfacing an external application with a web server. Bugzilla + is an example of a CGI application. + - - - - - Component 
@@ -118,23 +154,40 @@ - - CPAN - + Comprehensive Perl Archive Network + CPAN + CPAN stands for the - Comprehensive Perl Archive Network - - . CPAN maintains a large number of extremely useful + Comprehensive Perl Archive Network. + CPAN maintains a large number of extremely useful Perl + modules - encapsulated chunks of code for performing a + particular task. + + + + + contrib - modules. By themselves, Perl modules generally do nothing, but when - used as part of a larger program, they provide much-needed algorithms - and functionality. + + The contrib directory is + a location to put scripts that have been contributed to Bugzilla but + are not a part of the official distribution. These scripts are written + by third parties and may be in languages other than perl. For those + that are in perl, there may be additional modules or other requirements + than those of the offical distribution. + + Scripts in the contrib + directory are not offically supported by the Bugzilla team and may + break in between versions. + + + @@ -142,7 +195,7 @@ D - + daemon @@ -155,13 +208,29 @@ a web server, are generally run as daemons. + + + DOS Attack + + + A DOS, or Denial of Service attack, is when a user attempts to + deny access to a web server by repeatadly accessing a page or sending + malformed requests to a webserver. This can be effectively prevented + by using mod_throttle as described in + . A D-DOS, or + Distributed Denial of Service attack, is when these requests come + from multiple sources at the same time. Unfortunately, these are much + more difficult to defend against. + + + + - - + G - + Groups 
@@ -169,29 +238,24 @@ Groups has a very special meaning to Bugzilla. Bugzilla's main security - mechanism comes by lumping users into groups, and assigning those - groups certain privileges to + mechanism comes by placing users in groups, and assigning those + groups certain privileges to view bugs in particular Products - - and - Components - in the Bugzilla - database. - - I - - - Infinite Loop + + J + + JavaScript - A loop of information that never ends; see recursion. + JavaScript is cool, we should talk about it. + @@ -199,17 +263,56 @@ M - - mysqld + + Message Transport Agent + MTA - mysqld is the name of the - daemon + A Message Transport Agent is used to control the flow of email + on a system. Many unix based systems use + sendmail which is what + Bugzilla expects to find by default at /usr/sbin/sendmail. + Many other MTA's will work, but they all require that the + param be set to on. + + + - for the MySQL database. In general, it is invoked automatically - through the use of the System V init scripts on GNU/Linux and - AT&T System V-based systems, such as Solaris and HP/UX, or - through the RC scripts on BSD-based systems. + + MySQL + + + MySQL is currently the required + RDBMS for Bugzilla. MySQL + can be downloaded from . While you + should familiarize yourself with all of the documentation, some high + points are: + + + + Backup + + Methods for backing up your Bugzilla database. + + + + + Option Files + + Information about how to configure MySQL using + my.cnf. + + + + + Privilege System + + Much more detailed information about the suggestions in + . + + + + 
@@ -217,14 +320,25 @@ P + + Perl Package Manager + PPM + + + + + + + Product - A Product is a broad category of types of bugs. In general, - there are several Components to a Product. A Product may also define a + A Product is a broad category of types of bugs, normally + representing a single piece of software or entity. In general, + there are several Components to a Product. A Product may define a group (used for security) for all bugs entered into - components beneath it. + its Components. @@ -262,7 +376,7 @@ bugs over their life cycle, thus the need for the QA Contact - field in a Bug. + field in a bug. @@ -270,16 +384,25 @@ R - - Recursion + + Relational DataBase Managment System + RDBMS - The property of a function looking back at itself for - something. - GNU, for instance, stands for - GNU's Not UNIX, - thus recursing upon itself for definition. For further clarity, see - Infinite Loop. + A relational database management system is a database system + that stores information in tables that are related to each other. + + + + + + Regular Expression + regexp + + + A regular expression is an expression used for pattern matching. + Documentation + @@ -287,6 +410,19 @@ S + + Service + + + In Windows NT environment, a boot-time background application + is refered to as a service. These are generally managed through the + control pannel while logged in as an account with + Administrator level capabilities. For more + information, consult your Windows manual or the MSKB. + + + + SGML 
@@ -344,18 +480,51 @@ fixed, or an enhancement will be implemented. + + + Tool Command Language + TCL + + TCL is an open source scripting language available for Windows, + Macintosh, and Unix based systems. Bugzilla 1.0 was written in TCL but + never released. The first release of Bugzilla was 2.0, which was when + it was ported to perl. + + + Z - + Zarro Boogs Found - This is the cryptic response sent by Bugzilla when a query - returned no results. It is just a goofy way of saying "Zero Bugs - Found". + This is just a goofy way of saying that there were no bugs + found matching your query. When asked to explain this message, + Terry had the following to say: + + +
+ Terry Weissman + I've been asked to explain this ... way back when, when + Netscape released version 4.0 of its browser, we had a release + party. Naturally, there had been a big push to try and fix every + known bug before the release. Naturally, that hadn't actually + happened. (This is not unique to Netscape or to 4.0; the same thing + has happened with every software project I've ever seen.) Anyway, + at the release party, T-shirts were handed out that said something + like "Netscape 4.0: Zarro Boogs". Just like the software, the + T-shirt had no known bugs. Uh-huh. + + + So, when you query for a list of bugs, and it gets no results, + you can think of this as a friendly reminder. Of *course* there are + bugs matching your query, they just aren't in the bugsystem yet... + +
+
@@ -376,9 +545,8 @@ sgml-local-ecat-files:nil sgml-minimize-attributes:nil sgml-namecase-general:t sgml-omittag:t -sgml-parent-document:("Bugzilla-Guide.sgml" "book" "chapter") +sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") sgml-shorttag:t sgml-tag-region-if-active:t End: --> - diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml index 09586d326..ab7600432 100644 --- a/docs/en/xml/installation.xml +++ b/docs/en/xml/installation.xml @@ -1,5 +1,5 @@ - + Installing Bugzilla @@ -520,7 +520,8 @@ Poorly-configured MySQL and Bugzilla installations have given attackers full access to systems in the past. Please take the security parts of these guidelines seriously, even for Bugzilla - machines hidden away behind your firewall. + machines hidden away behind your firewall. Be certain to read + for some important security tips.
@@ -560,70 +561,13 @@
MySQL -
- Security - - MySQL ships as insecure by default. - It allows anybody to on the local machine full administrative - capabilities without requiring a password; the special - MySQL root account (note: this is not the same as - the system root) also has no password. - Also, many installations default to running - mysqld as the system root. + + MySQL's default configuration is very insecure. + has some good information for + improving your installation's security. - - - - To disable the anonymous user account - and set a password for the root user, execute the following. The - root user password should be different to the bugs user password - you set in - localconfig in the previous section, - and also different to - the password for the system root account on your machine. - - bash$ mysql mysql - mysql> DELETE FROM user WHERE user = ''; - mysql> UPDATE user SET password = password('new_password') WHERE user = 'root'; - mysql> FLUSH PRIVILEGES; - - From this point forward, to run the - mysql command-line client, - you will need to type - mysql -u root -p and enter - new_password when prompted. - - - - - If you run MySQL on the same machine as your web server, you - should disable remote access to MySQL by adding - the following to your /etc/my.cnf: - - [myslqd] - # Prevent network access to MySQL. - skip-networking - - - - Consult the documentation that came with your system for - information on making mysqld run as an - unprivileged user. - - - - - For added security, you could also run MySQL, or even all - of Bugzilla - in a chroot jail; however, instructions for doing that are beyond - the scope of this document. - - - - - -
- + +
Allow large attachments @@ -765,7 +709,10 @@
Web server Configure your web server according to the instructions in the - appropriate section. The Bugzilla Team recommends Apache. + appropriate section. The Bugzilla Team recommends Apache. No matter + what webserver you choose, make sure that sensitive information is + not remotely available by ensuring that the access controls in + are properly applied.
@@ -825,7 +772,7 @@ Also, and this can't be stressed enough, make sure that files such as localconfig and your data - directory are secured as described in . + directory are secured as described in .
@@ -893,137 +840,6 @@
-
- Web Server Access Controls - - Users of Apache can skip this section because - Bugzilla ships with .htaccess files which - restrict access in the manner required. - Users of other webservers, read on. - - - There are several files in the Bugzilla directory - that should not be accessible from the web. You need to configure - your webserver so they they aren't. Not doing this may reveal - sensitive information such as database passwords. - - - - - In the main Bugzilla directory, you should: - - - Block: - - *.pl - *localconfig* - runtests.sh - - - - - But allow: - - localconfig.js - localconfig.rdf - - - - - - - - In data: - - - Block everything - - - But allow: - - duplicates.rdf - - - - - - - - In data/webdot: - - - If you use a remote webdot server: - - - Block everything - - - But allow - - *.dot - - only for the remote webdot server - - - - - Otherwise, if you use a local GraphViz: - - - Block everything - - - But allow: - - *.png - *.gif - *.jpg - *.map - - - - - - - And if you don't use any dot: - - - Block everything - - - - - - - - In Bugzilla: - - - Block everything - - - - - - In template: - - - Block everything - - - - - - You should test to make sure that the files mentioned above are - not accessible from the Internet, especially your - localconfig file which contains your database - password. To test, simply point your web browser at the file; for - example, to test mozilla.org's installation, we'd try to access - . You should - get a 403 Forbidden - error. - -
@@ -1310,75 +1126,6 @@
-
- - Prevent users injecting malicious - Javascript - - It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by - - the CERT advisory on this issue. - If your installation is for an English speaking audience only, making the - change below will prevent this problem. - - - Simply locate the following line in - Bugzilla/CGI.pm: - $self->charset(''); - and change it to: - $self->charset('ISO-8859-1'); - -
- -
- - <filename>mod_throttle</filename> - - It is possible for a user, by mistake or on purpose, to access - the database many times in a row which can result in very slow access - speeds for other users. If your Bugzilla installation is experiencing - this problem, you may install the Apache module - mod_throttle - which can limit connections by IP address. You may download this module - at - . - Follow the instructions to install into your Apache install. - This module only functions with the Apache web - server! - The command you need is - ThrottleClientIP. See the - documentation - for more information. -
- -
- TCP/IP Ports - - A single-box Bugzilla only requires port 80, plus port 25 if - you are using the optional email interface. You should firewall all - other ports and/or disable services listening on them. - -
- -
- Daemon Accounts - - Many daemons, such as Apache's httpd and MySQL's mysqld default to - running as either root or nobody. Running - as root introduces obvious security problems, but the - problems introduced by running everything as nobody may - not be so obvious. Basically, if you're running every daemon as - nobody and one of them gets compromised, they all get - compromised. For this reason it is recommended that you create a user - account for each daemon. - -
Serving Alternate Formats with the right MIME type @@ -1532,7 +1279,7 @@ $smtp->quit; As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever asked. No matter what web server you choose, be sure - to pay attention to the security notes in . + to pay attention to the security notes in . More information on configuring specific web servers can be found in . @@ -2205,4 +1952,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - -- cgit v1.2.3-24-g4f1b
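Review bot: the chapter-list hunk in Bugzilla-Guide.xml (`@@ -104,34 +138,31 @@`) adds `&security;`, `&customization;` and `&modules;` and removes `&integration;`, `&variants;`, `&requiredsoftware;` and `&database;`, yet the diff touches only three files and none of them is a security.xml; confirm the files behind the new entities already exist under docs/en/xml, otherwise the guide no longer builds. The removed chapters are also not covered by the subject line, which only mentions reinstating the security section; list them in the commit message or split them into their own commit.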
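Review bot: the last hunk of Bugzilla-Guide.xml ends with `+-->` followed by `\ No newline at end of file`, so the rewrite of the Emacs local-variables comment drops the file's trailing newline; add it back so later diffs of that block stay clean.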
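Review bot: in the glossary.xml `.htaccess` hunk the rewritten sentence `file contains the password to your database.` is immediately followed by the surviving context line `curious.`, the tail of the sentence that was deleted; remove that word as well or the rendered entry ends in a stray fragment.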
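Review bot: the new `contrib` entry in the CPAN hunk spells `official` wrong twice (`the offical distribution`, `not offically supported`); fix both before this lands.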
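Review bot: the new `DOS Attack` entry says a denial of service `can be effectively prevented by using mod_throttle`, which overstates what a per-client-IP connection throttle does; it slows a single source, so `mitigated` is the accurate verb, and the entry's own closing sentence about distributed attacks being `much more difficult to defend against` already concedes the limit. Also fix `repeatadly` to `repeatedly` and use `web server` consistently, since the same sentence has both `web server` and `webserver`.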
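Review bot: the new J section consists only of the placeholder `JavaScript is cool, we should talk about it.`; a glossary entry with no definition should not ship, so either write the entry or leave the J section out until it is written.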
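Review bot: the new `Perl Package Manager` / `PPM` glossentry in the P hunk has no definition text at all; give it one or drop it, since an empty entry renders as a dangling term.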
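Review bot: the new R entries carry the term `Relational DataBase Managment System`; spell it `Relational Database Management System` so the expanded form matches the `RDBMS` acronym readers will search for.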
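Review bot: the new `Service` entry has `refered` and `pannel` (should be `referred` and `panel`) and opens with `In Windows NT environment`; make it `In a Windows NT environment`.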
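Review bot: the installation.xml MySQL hunk (`@@ -560,70 +561,13 @@`) replaces the whole Security subsection with one sentence and a cross-reference, and the target chapter is not in this diff, so the concrete steps that disappear here (`DELETE FROM user WHERE user = '';`, setting a root password and `FLUSH PRIVILEGES;`, `skip-networking` in my.cnf, running mysqld as an unprivileged user) need to be verified present in the new chapter before this lands. When that text is moved, also correct the my.cnf group header in the removed snippet from `[myslqd]` to `[mysqld]`: the server ignores option groups it does not recognise, so under the misspelled header the `skip-networking` line is never applied and the instruction silently does nothing.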
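Review bot: the hunk removing the `Web Server Access Controls` section (`@@ -893,137 +840,6 @@`) deletes the block/allow lists (`*.pl`, `*localconfig*`, `runtests.sh`, everything under `data`, `Bugzilla` and `template`) together with the `403 Forbidden` self-test, while the same patch still tells readers in the `Web server` and `localconfig` hunks to apply the access controls described in the referenced section; confirm the lists and the test survive intact in the new chapter, since for non-Apache servers they are the only statement of which files must not be reachable over the web.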
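Review bot: the hunk `@@ -1310,75 +1126,6 @@` drops four sections at once (the `Prevent users injecting malicious Javascript` charset workaround with `$self->charset('ISO-8859-1');`, `mod_throttle`, `TCP/IP Ports` and `Daemon Accounts`), and the new glossary `DOS Attack` entry still refers readers to the mod_throttle text, so these must reappear in the security chapter or that cross-reference dangles. A line in the commit message saying they were moved rather than removed would help anyone bisecting the docs later.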