From 6b607da839992bead01d7cba308f216e17eed520 Mon Sep 17 00:00:00 2001 From: "barnboy%trilobyte.net" <> Date: Thu, 8 Mar 2001 13:35:44 +0000 Subject: Documentation update; added docs/sgml, docs/html, docs/txt. No text version of The Bugzilla Guide availabe yet, however. --- docs/html/security.html | 299 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 299 insertions(+) create mode 100644 docs/html/security.html (limited to 'docs/html/security.html') diff --git a/docs/html/security.html b/docs/html/security.html new file mode 100644 index 000000000..5f04fed98 --- /dev/null +++ b/docs/html/security.html @@ -0,0 +1,299 @@ +Bugzilla Security
The Bugzilla Guide
PrevChapter 3. Administering BugzillaNext

3.4. Bugzilla Security

 

Putting your money in a wall safe is better protection than depending on the fact that + no one knows that you hide your money in a mayonnaise jar in your fridge.

Note: Poorly-configured MySQL, Bugzilla, and FTP installations have given attackers full + access to systems in the past. Please take these guidelines seriously, even + for Bugzilla machines hidden away behind your firewall. 80% of all computer + trespassers are insiders, not anonymous crackers. +

First thing's first: Secure your installation. +

Note: These instructions must, of necessity, be somewhat vague since Bugzilla runs on so many different + platforms. If you have refinements of these directions for specific platforms, please + submit them to mozilla-webtools@mozilla.org +

+

  1. Ensure you are running at least MysQL version 3.22.32 or newer. Earlier versions had + notable security holes and poorly secured default configuration choices. +

  2. There is no substitute for understanding the tools on your system! + Read The MySQL Privelege System until you can recite it from memory!

    At the very least, ensure you password the "mysql -u root" account and the "bugs" account, establish grant + table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details) + that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone + advice back when I knew far less about security than I do now : ) +

  3. Lock down /etc/inetd.conf. Heck, disable inet entirely on this box. It should only listen to + port 25 for Sendmail + and port 80 for Apache. +

  4. Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories. + Run it, instead, as a user with a name, set via your httpd.conf file.

  5. Ensure you have adequate access controls for $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/localconfig. + The localconfig file stores your "bugs" user password, which would be terrible to have in the hands + of a criminal. Also some files under $BUGZILLA_HOME/data store sensitive information. +

    On Apache, you can use .htaccess files to protect access to these directories, as outlined + in Bug 57161 for the + localconfig file, and Bug 65572 for adequate protection in your data/ and shadow/ directories. +

    Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other + non-Apache web servers, please consult your system documentation for how to secure these + files from being transmitted to curious users. +

    Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/data directory. +

          <Files comments>
    +       allow from all
    +       </Files>
    +       deny from all
    +     

    +

    Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/ directory. +

          <Files localconfig>
    +       deny from all
    +       </Files>
    +       allow from all
    +     

    +

    Place the following text into a file named ".htaccess", readable by your web server, + in your $BUGZILLA_HOME/shadow directory. +

          deny from all
    +     

    +

  6. +

+


PrevHomeNext
Product, Component, Milestone, and Version AdministrationUpUsing Bugzilla
\ No newline at end of file
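Review bot: step 5's three .htaccess fragments (data/, $BUGZILLA_HOME/, shadow/) only take effect if the `<Directory>` block for the Bugzilla tree in httpd.conf carries `AllowOverride Limit` (or `All`); under Apache's default `AllowOverride None` the files are never read and localconfig, with the "bugs" password the text warns about, stays downloadable, so the step should state that prerequisite and end with a check such as requesting http://yourserver/bugzilla/localconfig and confirming a 403. The fragments also omit an `Order` directive and rely on the server default of `Order deny,allow`; putting `Order deny,allow` explicitly before `deny from all` in the `<Files localconfig>` block and at the top of the data/ and shadow/ files makes the intent readable and does not depend on that default. Smaller points in the same file: item 6 is an empty list entry and should be removed or filled in; "MysQL" (item 1) and "Privelege" (item 2) are misspelled; and item 2 points at "the Keystone guide in Appendix C" without a link, while the bug references in step 5 (Bug 57161, Bug 65572) are the only pointers to the actual rationale, so the note about IIS and Netscape users consulting their own documentation would be more useful if it also named the files to protect (localconfig, data/, shadow/) in one place.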