4.5. Bugzilla Security
Poorly-configured MySQL and Bugzilla installations have - given attackers full access to systems in the past. Please take these - guidelines seriously, even for Bugzilla machines hidden away behind - your firewall. 80% of all computer trespassers are insiders, not - anonymous crackers. This is not meant to be a comprehensive list of every possible - security issue pertaining to the software mentioned in this section. - There is - no subsitute for reading the information written by the authors of any - software running on your system. - |
4.5.1. TCP/IP Ports
TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla - only needs 1, or 2 if you need to use features that require e-mail such - as bug moving or the e-mail interface from contrib. You should audit - your server and make sure that you aren't listening on any ports you - don't need to be. You may also wish to use some kind of firewall - software to be sure that trafic can only be recieved on ports you - specify. -
4.5.2. MySQL
MySQL ships by default with many settings that should be changed. - By defaults it allows anybody to connect from localhost without a - password and have full administrative capabilities. It also defaults to - not have a root password (this is not the same as - the system root). Also, many installations default to running - mysqld as the system root. -
Consult the documentation that came with your system for - information on making mysqld run as an - unprivleged user. -
You should also be sure to disable the anonymous user account - and set a password for the root user. This is accomplished using the - following commands: -
bash$ mysql mysql -mysql> DELETE FROM user WHERE user = ''; -mysql> UPDATE user SET password = password('new_password') WHERE user = 'root'; -mysql> FLUSH PRIVILEGES; -From this point forward you will need to use - mysql -u root -p and enter - new_password when prompted when using the - mysql client. -
If you run MySQL on the same machine as your httpd server, you - should consider disabling networking from within MySQL by adding - the following to your /etc/my.conf: -
[myslqd] -# Prevent network access to MySQL. -skip-networking -
You may also consider running MySQL, or even all of Bugzilla - in a chroot jail; however, instructions for doing that are beyond - the scope of this document. -
4.5.3. Daemon Accounts
Many daemons, such as Apache's httpd and MySQL's mysqld default to - running as either "root" or "nobody". Running - as "root" introduces obvious security problems, but the - problems introduced by running everything as "nobody" may - not be so obvious. Basically, if you're running every daemon as - "nobody" and one of them gets compromised, they all get - compromised. For this reason it is recommended that you create a user - account for each daemon. -
You will need to set the webservergroup to - the group you created for your webserver to run as in - localconfig. This will allow - ./checksetup.pl to better adjust the file - permissions on your Bugzilla install so as to not require making - anything world-writable. - |
4.5.4. Web Server Access Controls
There are many files that are placed in the Bugzilla directory - area that should not be accessable from the web. Because of the way - Bugzilla is currently laid out, the list of what should and should - not be accessible is rather complicated. -
Users of Apache don't need to worry about this, however, because - Bugzilla ships with .htaccess files which restrict access to all the - sensitive files in this section. Users of other webservers, read on. -
In the main Bugzilla directory, you should:
Block: - *.pl, *localconfig*, runtests.sh -
But allow: - localconfig.js, localconfig.rdf -
In data:
Block everything
But allow: - duplicates.rdf -
In data/webdot:
If you use a remote webdot server:
Block everything
But allow - *.dot - only for the remote webdot server
Otherwise, if you use a local GraphViz:
Block everything
But allow: - *.png, *.gif, *.jpg, *.map -
And if you don't use any dot:
Block everything
In Bugzilla:
Block everything
In template:
Block everything
You should test to make sure that the files mentioned above are - not accessible from the Internet, especially your - localconfig file which contains your database - password. To test, simply point your web browser at the file; for - example, to test mozilla.org's installation, we'd try to access - http://bugzilla.mozilla.org/localconfig. You should - get a 403 Forbidden - error. -
Not following the instructions in this section, including - testing, may result in sensitive information being globally - accessible. - |
You should check Section 4.2 to see if instructions - have been included for your web server. You should also compare those - instructions with this list to make sure everything is properly - accounted for. - |