From cf24e4288445591be2595c542fcc9d7e5e0330e0 Mon Sep 17 00:00:00 2001 From: "jake%bugzilla.org" <> Date: Sun, 16 Feb 2003 23:43:17 +0000 Subject: Recompiling the docs for the 2.17.4 development release. --- docs/html/stepbystep.html | 308 +++------------------------------------------- 1 file changed, 15 insertions(+), 293 deletions(-) diff --git a/docs/html/stepbystep.html b/docs/html/stepbystep.html index 5e5a09522..8de6806b1 100644 --- a/docs/html/stepbystep.html +++ b/docs/html/stepbystep.html @@ -7,7 +7,7 @@ NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ ">
perl -pi -e 's@#\!/usr/bonsaitools/bin/perl@#\!/usr/bin/perl@' *cgi *pl Bug.pm processmail syncshadowdb +> perl -pi -e 's@#\!/usr/bonsaitools/bin/perl@#\!/usr/bin/perl@' *cgi *pl Bug.pm syncshadowdb
If you followed the installation instructions for setting up your - "bugs" and "root" user in MySQL, much of this should not apply to you. - If you are upgrading an existing installation of Bugzilla, you should - pay close attention to this section.
Most MySQL installs have "interesting" default security - parameters: -
mysqld defaults to running as root |
it defaults to allowing external network connections |
it has a known port number, and is easy to detect |
it defaults to no passwords whatsoever |
it defaults to allowing "File_Priv" |
This means anyone from anywhere on the Internet can not only drop - the database with one SQL command, and they can write as root to the - system.
To see your permissions do: -
bash# - - mysql -u root -p - - |
mysql> - - use mysql; - - |
mysql> - - show tables; - - |
mysql> - - select * from user; - - |
mysql> - - select * from db; - - |
To fix the gaping holes: -
DELETE FROM user WHERE User=''; |
UPDATE user SET Password=PASSWORD('new_password') WHERE - user='root'; |
FLUSH PRIVILEGES; |
If you're not running "mit-pthreads" you can use: -
GRANT USAGE ON *.* TO bugs@localhost; |
GRANT ALL ON bugs.* TO bugs@localhost; |
REVOKE DROP ON bugs.* FROM bugs@localhost; |
FLUSH PRIVILEGES; |
With "mit-pthreads" you'll need to modify the "globals.pl" - Mysql->Connect line to specify a specific host name instead of - "localhost", and accept external connections: -
GRANT USAGE ON *.* TO bugs@bounce.hop.com; |
GRANT ALL ON bugs.* TO bugs@bounce.hop.com; |
REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com; |
FLUSH PRIVILEGES; |
Consider also: -
Turning off external networking with "--skip-networking", - unless you have "mit-pthreads", in which case you can't. Without - networking, MySQL connects with a Unix domain socket.
using the --user= option to mysqld to run it as an - unprivileged user.
running MySQL in a chroot jail
running the httpd in a chroot jail
making sure the MySQL passwords are different from the OS - passwords (MySQL "root" has nothing to do with system - "root").
running MySQL on a separate untrusted machine
making backups ;-)
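Review bot: the `perl -pi -e` hunk drops `processmail` from the list of scripts whose `#!/usr/bonsaitools/bin/perl` shebang gets rewritten, but the commit message only says the docs were recompiled. If `processmail` no longer ships in 2.17.4 that is fine, but state it in the message; if it still exists in the tree, readers following this step will leave it pointing at the old interpreter path and it will not run.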
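Review bot: the deleted block removes the entire MySQL hardening walkthrough (removing the anonymous `User=''` rows, setting the `root` password, the `GRANT USAGE` / `GRANT ALL` / `REVOKE DROP` sequence for the `bugs` account, and the `--skip-networking`, `--user=`, chroot and separate-machine suggestions) with nothing added in its place in this hunk, and 293 deletions is far more than a recompile accounts for. Please say in the message where this guidance now lives, or that it was dropped on purpose, since the default install with no passwords and `File_Priv` enabled is exactly the condition the removed text warns about. If the text is restored elsewhere, the example grants should use a placeholder host rather than the hardcoded `bugs@bounce.hop.com`.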