From 4294a4f48a5949a181acb033e108a5ea897e1a3c Mon Sep 17 00:00:00 2001
From: "barnboy%trilobyte.net" <>
Date: Thu, 26 Apr 2001 08:51:39 +0000
Subject: Added .htaccess files for shadow/, data/, and /. I added related information to the Bugzilla Guide, and tacked in a couple of last-minute additions. Also fixed the annoying "Tip: HINT:" thing.
---
 docs/html/Bugzilla-Guide.html | 756 +++++++++++++++++++++++++++---------------
 docs/html/faq.html | 457 ++++++++++++++-----------
 docs/html/gfdl.html | 2 +-
 docs/html/gfdl_howto.html | 2 +-
 docs/html/glossary.html | 2 +-
 docs/html/how.html | 8 +-
 docs/html/index.html | 48 +--
 docs/html/installation.html | 22 +-
 docs/html/programadmin.html | 24 +-
 docs/html/readme.unix.html | 105 +++++-
 docs/html/readme.windows.html | 65 +++-
 docs/html/rhbugzilla.html | 2 +-
 docs/html/security.html | 39 ++-
 docs/html/setperl.html | 2 +-
 docs/sgml/Bugzilla-Guide.sgml | 2 +-
 docs/sgml/administration.sgml | 28 +-
 docs/sgml/faq.sgml | 48 +++
 docs/sgml/installation.sgml | 95 +++++-
 docs/txt/Bugzilla-Guide.txt | 282 ++++++++++++----
 docs/xml/Bugzilla-Guide.xml | 2 +-
 docs/xml/administration.xml | 28 +-
 docs/xml/faq.xml | 48 +++
 docs/xml/installation.xml | 95 +++++-
 23 files changed, 1544 insertions(+), 618 deletions(-)
(limited to 'docs')

diff --git a/docs/html/Bugzilla-Guide.html b/docs/html/Bugzilla-Guide.html index 0712a5146..809fd745e 100644 --- a/docs/html/Bugzilla-Guide.html +++ b/docs/html/Bugzilla-Guide.html @@ -306,37 +306,37 @@ HREF="#AEN334" >
2.1.2.14. Setting Up the MySQL Database
2.1.2.15. Tweaking "localconfig"
2.1.2.16. Setting Up Maintainers Manuall (Optional)Setting Up Maintainers Manually (Optional)
2.1.2.17. The Whining Cron (Optional)
2.1.2.18. Bug Graphs (Optional)
2.1.2.19. Securing MySQL
2.1.2.20. Installation General Notes
2-1. Setting up bonsaitools symlink
2-2. Running checksetup.pl as the web user
2-3. Removing encrypt() for Windows NT installations
3-1. Creating some Components
3-2. Common Use of Versions
3-3. A Different Use of Versions
3-4. Using SortKey with Target Milestone
3-5. When to Use Group Security
3-6. Creating a New Group
4-1. Some Famous Software Versions
4-2. Mozilla Webtools Components
D-1. Using Setperl to set your perl path
1. A Sample Product

Tip: HINT: If you symlink the bugzilla directory into your Apache's +> If you symlink the bugzilla directory into your Apache's HTML heirarchy, you may receive "Forbidden" errors unless you add the "FollowSymLinks" directive to the <Directory> entry for the HTML root. @@ -2329,12 +2339,45 @@ CLASS="TIP" installation.

Lastly, you'll need to set up a symbolic link from /usr/bonsaitools/bin - to the correct location of your perl executable (probably /usr/bin/perl). +> Lastly, you'll need to set up a symbolic link to /usr/bonsaitools/bin/perl + for the correct location of your perl executable (probably /usr/bin/perl). Otherwise you must hack all the .cgi files to change where they look for perl. To make future upgrades easier, you should use the symlink approach.

Example 2-1. Setting up bonsaitools symlink

Here's how you set up the Perl symlink on Linux to make Bugzilla work. + Your mileage may vary; if you are running on Solaris, you probably need to subsitute + "/usr/local/bin/perl" for "/usr/bin/perl" below; if on certain other UNIX systems, + Perl may live in weird places like "/opt/perl". As root, run these commands: +
bash# mkdir /usr/bonsaitools
+bash# mkdir /usr/bonsaitools/bin
+bash# ln -s /usr/bin/perl /usr/bosaitools/bin/perl
+	      
+

+
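Review bot: The last command of Example 2-1 links to "/usr/bosaitools/bin/perl", but the two mkdir lines above it create /usr/bonsaitools/bin, so the ln fails on a directory that does not exist and the scripts still find no perl at /usr/bonsaitools/bin/perl. It should read "ln -s /usr/bin/perl /usr/bonsaitools/bin/perl". In the paragraph introducing the example, "subsitute" should be "substitute", and the rewritten sentence before it ("a symbolic link to /usr/bonsaitools/bin/perl for the correct location of your perl executable") would be clearer as "a symbolic link at /usr/bonsaitools/bin/perl pointing to your perl executable".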

2.1.2.14. Setting Up the MySQL Database


2.1.2.15. Tweaking "localconfig"

Note: The second time you run checksetup.pl, it is recommended you be the same - user as your web server runs under, and that you be sure you have set the +> The second time you run checksetup.pl, you should become the + user your web server runs as, and that you ensure you have set the "webservergroup" parameter in localconfig to match the web server's group - name, if any. Under some systems, otherwise, checksetup.pl will goof up - your file permissions and make them unreadable to your web server. + name, if any. I believe, for the next release of Bugzilla, this will + be fixed so that Bugzilla supports a "webserveruser" parameter in localconfig + as well. +

Example 2-2. Running checksetup.pl as the web user

Assuming your web server runs as user "apache", and Bugzilla is installed in + "/usr/local/bugzilla", here's one way to run checksetup.pl as the web server user. + As root, for the second run of checksetup.pl, do this: +
bash# chown -R apache:apache /usr/local/bugzilla
+bash# su - apache
+bash# cd /usr/local/bugzilla
+bash# ./checksetup.pl
+		  
+
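Review bot: Example 2-2 starts with "chown -R apache:apache /usr/local/bugzilla", which hands the web server user ownership of every file in the tree, including the .cgi scripts and localconfig, so anything running as that user can rewrite them. The note only requires running checksetup.pl as the web user with "webservergroup" set; suggest dropping the recursive chown or limiting it to the paths that have to be writable, and saying so in the text. The rewritten note also removes the old explanation of what goes wrong otherwise (file permissions left unreadable to the web server) and replaces it with "I believe, for the next release of Bugzilla, this will be fixed", which is a guess rather than an instruction; keep the consequence and move the forward-looking remark out of the install steps. "you should become the user ... and that you ensure" does not parse; "and ensure" fixes it.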


2.1.2.16. Setting Up Maintainers Manuall (Optional)2.1.2.16. Setting Up Maintainers Manually (Optional)

If you want to add someone else to every group by hand, you can do it @@ -2683,7 +2762,7 @@ CLASS="SECTION" >


2.1.2.17. The Whining Cron (Optional)


2.1.2.18. Bug Graphs (Optional)


2.1.2.19. Securing MySQL


2.1.2.20. Installation General Notes

2.1.2.20.1. Modifying Your Running System


2.1.2.20.2. Upgrading From Previous Versions


2.1.2.20.3. UNIX Installation Instructions History

Tip: From Andrew Pearson:

Tip: "Brian" had this to add, about upgrading to Bugzilla 2.12 from previous versions:

Example 2-1. Removing encrypt() for Windows NT installationsExample 2-3. Removing encrypt() for Windows NT installations

Replace this: @@ -3762,6 +3841,63 @@ open SENDMAIL, "|\"C:/General/Web/tools/Windmail 4.0 Beta/windmail\" -t > ma >

Tip: This was some late breaking information from Jan Evert. Sorry for the lack of formatting. +

I'm busy installing bugzilla on a WinNT machine and I thought I'd notify you
+at this moment of the commments I have to section 2.2.1 of the bugzilla
+guide (at http://www.trilobyte.net/barnsons/html/).
+
+Step 1:
+I've used apache, installation is really straightforward.
+After reading the Unix installation instructions, I found that it is
+necessary to add the ExecCGI option to the bugzilla directory. Also the
+'AddHandler' line for .cgi is by default commented out.
+
+Step 3: although just a detail, 'ppm install <module%gt;' will also work
+(wihtout .ppd). And, it can also download these automatically from
+ActiveState.
+
+Step 4: although I have cygwin installed, it seems that it is not necessary.
+On my machine cygwin is not in the PATH and everything seems to work as
+expected.
+However, I've not used everything yet.
+
+Step 6: the 'bugs_password' given in SQL command d needs to be edited into
+localconfig later on (Step 7) if the password is not empty. I've also edited
+it into globals.pl, but I'm not sure that is needed. In both places, the
+variable is named db_pass.
+
+Step 8: all the sendmail replacements mentioned are not as simple as
+described there. Since I am not familiar (yet) with perl, I don't have any
+mail working yet.
+
+Step 9: in globals.pl the encrypt() call can be replaced by just the
+unencrypted password. In CGI.pl, the complete SQL command can be removed.
+
+Step 11: I've only changed the #! lines in *.cgi. I haven't noticed problems
+with the system() call yet.
+There seem to be only four system() called programs: processmail.pl (handled
+by step 10), syncshadowdb (which should probably get the same treatment as
+processmail.pl), diff and mysqldump. The last one is only needed with the
+shadowdb feature (which I don't use).
+
+There seems to be one step missing: copying the bugzilla files somehwere
+that apache can serve them.
+
+Just noticed the updated guide... Brian's comment is new. His first comment
+will work, but opens up a huge security hole.
+
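Review bot: The pasted message closes with "His first comment will work, but opens up a huge security hole." without saying which of Brian's instructions is meant or what it exposes, so the Guide now carries both the tip and an unexplained warning against it; name the step and the risk next to Brian's tip, or remove the tip. Step 9 likewise tells NT users to replace the encrypt() call in globals.pl with "just the unencrypted password" with no word on what handling the password unencrypted means for the installation. Smaller points: Step 3 has "<module%gt;" where "&gt;" was meant, "commments", "wihtout" and "somehwere" are misspelled, and the missing step the author identifies (copying the files where Apache can serve them) belongs in the numbered instructions rather than in a quoted e-mail.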

  • Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and - $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig file. + $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and + $BUGZILLA_HOME/globals.pl files. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands - of a criminal. Also some files under $BUGZILLA_HOME/data/ store sensitive information, and + of a criminal, while the "globals.pl" stores some default information regarding your + installation which could aid a system cracker. + In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure these directories and this file, you will expose bug information to those who may not be allowed to see it.

    Note: Bugzilla provides default .htaccess files to protect the most common Apache + installations. However, you should verify these are adequate according to the site-wide + security policy of your web server, and ensure that the .htaccess files are + allowed to "override" default permissions set in your Apache configuration files. + Covering Apache security is beyond the scope of this Guide; please consult the Apache + documentation for details. +

    If you are using a web server that does not support the .htaccess control method, + you are at risk! After installing, check to see if you can + view the file "localconfig" in your web browser (ergo: + http://bugzilla.mozilla.org/localconfig. If you can read the contents of this + file, your web server has not secured your bugzilla directory properly and you + must fix this problem before deploying Bugzilla. If, however, it gives you a + "Forbidden" error, then it probably respects the .htaccess conventions and you + are good to go. +

    On Apache, you can use .htaccess files to protect access to these directories, as outlined in
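Review bot: The browser check in the new paragraph tests only "localconfig", while the bullet above it now names globals.pl, data/ and shadow/ as needing protection too; a server that denies one file but serves the others would pass this test, so the check should cover each of them. The example reads "(ergo: http://bugzilla.mozilla.org/localconfig." with "ergo" where "e.g." is meant and no closing parenthesis, and it sends readers to a live production host instead of their own; use a placeholder host for the reader's installation. The note that .htaccess files must be "allowed to override" would be more useful if it named the Apache AllowOverride directive, and "you are good to go" after a single "Forbidden" response overstates what that one request proves.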

    A.1.1. Where can I find information about Bugzilla?
    A.1.2. What license is Bugzilla distributed under?
    A.1.3. How do I get commercial support for Bugzilla?
    A.1.4. What major companies or projects are currently using Bugzilla for bug-tracking?
    A.1.5. Who maintains Bugzilla?
    A.1.6. How does Bugzilla stack up against other bug-tracking databases?
    A.1.7. How do I change my user name in Bugzilla?
    A.1.8. Why doesn't Bugzilla offer this or that feature or compatability with this other tracking software?
    A.1.9. Why MySQL? I'm interested in seeing Bugzilla run on Oracle/Sybase/Msql/PostgreSQL/MSSQL?
    A.1.10. Why do the scripts say "/usr/bonsaitools/bin/perl" instead of "/usr/bin/perl" or something else?
    A.2.1. What about Red Hat Bugzilla?
    A.2.2. What are the primary benefits of Red Hat Bugzilla?
    A.2.3. What's the current status of Red Hat Bugzilla?
    A.3.1. What about Loki Bugzilla?
    A.3.2. Who maintains Fenris (Loki Bugzilla) now?
    A.3.3.
    A.4.1. Is Bugzilla web-based or do you have to have specific software or specific operating system on your machine?
    A.4.2. Has anyone you know of already done any Bugzilla integration with Perforce (SCM software)?
    A.4.3. Does Bugzilla allow the user to track multiple projects?
    A.4.4. If I am on many projects, and search for all bugs assigned to me, will Bugzilla list them for me and allow me to sort by project, severity etc?
    A.4.5. Does Bugzilla allow attachments (text, screenshots, urls etc)? If yes, are there any that are NOT allowed?
    A.4.6. Does Bugzilla allow us to define our own priorities and levels? Do we have complete freedom to change the labels of fields and format of them, and the choice of acceptable values? @@ -7343,43 +7514,51 @@ HREF="#AEN1502" >
    A.4.7. The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? +
    A.4.8. Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :)
    A.4.8. A.4.9. Is there email notification and if so, what do you see when you get an email? Do you see bug number and title or is it only the number?
    A.4.9. A.4.10. Can email notification be set up to send to multiple people, some on the To List, CC List, BCC List etc?
    A.4.10. A.4.11. If there is email notification, do users have to have any particular type of email application?
    A.4.11. A.4.12. If I just wanted to track certain bugs, as they go through life, can I set it up to alert me via email whenever that bug changes, whether it be owner, status or description etc.?
    A.4.12. A.4.13. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query @@ -7387,76 +7566,76 @@ HREF="#AEN1537"
    A.4.13. A.4.14. Does Bugzilla allow fields to be added, changed or deleted? If I want to customize the bug submission form to meet our needs, can I do that using our terminology?
    A.4.14. A.4.15. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable?
    A.4.15. A.4.16. Can a user create and save reports? Can they do this in Word format? Excel format?
    A.4.16. A.4.17. Can a user re-run a report with a new project, same query?
    A.4.17. A.4.18. Can a user modify an existing report and then save it into another name?
    A.4.18. A.4.19. Does Bugzilla have the ability to search by word, phrase, compound search?
    A.4.19. A.4.20. Can the admin person establish separate group and individual user privileges?
    A.4.20. A.4.21. Does Bugzilla provide record locking when there is simultaneous access to the same bug? Does the second person get a notice that the bug is in use or how are they notified?
    A.4.21. A.4.22. Are there any backup features provided?
    A.4.22. A.4.23. Can users be on the system while a backup is in progress?
    A.4.23. A.4.24. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out if we were to go with Bugzilla, what types of @@ -7465,8 +7644,8 @@ HREF="#AEN1596"
    A.4.24. A.4.25. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or weeks to install and a couple of hours per week to maintain and customize or is this @@ -7475,8 +7654,8 @@ HREF="#AEN1603"
    A.4.25. A.4.26. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above?
    A.5.1. How do I download and install Bugzilla?
    A.5.2. How do I install Bugzilla on Windows NT?
    A.5.3. Is there an easy way to change the Bugzilla cookie name?
    A.6.1. How do I completely disable MySQL security if it's giving me problems (I've followed the instructions in the README!)?
    A.6.2. Are there any security problems with Bugzilla?
    A.6.3. I've implemented the security fixes mentioned in Chris Yeh's security advisory of 5/10/2000 advising not to run MySQL as root, and am running into problems with MySQL no longer working correctly. @@ -7549,48 +7728,48 @@ HREF="#FAQ_EMAIL" >
    A.7.1. I have a user who doesn't want to receive any more email from Bugzilla. How do I stop it entirely for this user?
    A.7.2. I'm evaluating/testing Bugzilla, and don't want it to send email to anyone but me. How do I do it?
    A.7.3. I want whineatnews.pl to whine at something more, or other than, only new bugs. How do I do it?
    A.7.4. I don't like/want to use Procmail to hand mail off to bug_email.pl. What alternatives do I have?
    A.7.5. How do I set up the email interface to submit/change bugs via email?
    A.7.6. Email takes FOREVER to reach me from bugzilla -- it's extremely slow. What gives?
    A.7.7. How come email never reaches me from bugzilla changes?
    A.8.1. I've heard Bugzilla can be used with Oracle?
    A.8.2. Bugs are missing from queries, but exist in the database (and I can pull them up by specifying the bug ID). What's wrong?
    A.8.3. I think my database might be corrupted, or contain invalid entries. What do I do?
    A.8.4. I want to manually edit some entries in my database. How?
    A.8.5. I try to add myself as a user, but Bugzilla always tells me my password is wrong.
    A.8.6. I think I've set up MySQL permissions correctly, but bugzilla still can't connect.
    A.8.7. How do I synchronize bug information among multiple different Bugzilla databases?
    A.8.8. Why do I get bizarre errors when trying to submit data, particularly problems with "groupset"?
    A.8.9. How come even after I delete bugs, the long descriptions show up?
    A.9.1. What is the easiest way to run Bugzilla on Win32 (Win98+/NT/2K)?
    A.9.2. Is there a "Bundle::Bugzilla" equivalent for Win32?
    A.9.3. CGI's are failing with a "something.cgi is not a valid Windows NT application" error. Why?
    A.9.4. Can I have some general instructions on how to make Bugzilla on Win32 work?
    A.9.5. I'm having trouble with the perl modules for NT not being able to talk to to the database.
    A.10.1. The query page is very confusing. Isn't there a simpler way to query?
    A.10.2. I'm confused by the behavior of the "accept" button in the Show Bug form. Why doesn't it assign the bug to me when I accept it?
    A.10.3. I can't upload anything into the database via the "Create Attachment" link. What am I doing wrong?
    A.10.4. Email submissions to Bugzilla that have attachments end up asking me to save it as a "cgi" file.
    A.10.5. How do I change a keyword in Bugzilla, once some bugs are using it?
    A.11.1. What bugs are in Bugzilla right now?
    A.11.2. How can I change the default priority to a null value? For instance, have the default priority be "---" instead of "P2"?
    A.11.3. What's the best way to submit patches? What guidelines should I follow?

    A.1.1.

    A.1.2.

    A.1.3.

    A.1.4.

    A.1.5.

    A.1.6.

    A.1.7.

    A.1.8.

    A.1.9. Terry Weissman answers,

    A.1.10.

    Here's Terry Weissman's comment, for some historical context:

    A.2.1.

    Dave Lawrence, the original Red Hat Bugzilla maintainer, mentions:

    A.2.2. Dave Lawrence:

    A.2.3. Dave Lawrence:

    A.3.1. Loki Games has a customized version of Bugzilla available at http://fenris.lokigames.com. From that page,

    A.3.2.

    A.3.3.

    A.4.1.

    A.4.2.

    A.4.3.

    A.4.4.

    A.4.5.

    A.4.6.

    A.4.7. The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? +

    This was a late-breaking question for the Guide, so I just have to + quote the relevant newsgroup thread on it. +

    > AFAIK, most sites (even if they have SSI enabled) won't have #exec cmd
    +> enabled.  Perhaps what would be better is a #include virtual and a
    +> footer.cgi the basically has the "require 'CGI.pl' and PutFooter command.
    +>
    +> Please note that under most configurations, this also requires naming
    +> the file from index.html to index.shtml (and making sure that it will
    +> still be reconized as an index).  Personally, I think this is better on
    +> a per-installation basis (perhaps add something to the FAQ that says how
    +> to do this).
    +
    +Good point.  Yeah, easy enough to do, that it shouldn't be a big deal for
    +someone to take it on if they want it.  FAQ is a good place for it.
    +
    +> Dave Miller wrote:
    +>
    +>> I did a little experimenting with getting the command menu and footer on
    +>> the end of the index page while leaving it as an HTML file...
    +>>
    +>> I was successful. :)
    +>>
    +>> I added this line:
    +>>
    +>> 
    +>>
    +>> Just before the </BODY> </HTML> at the end of the file.  And it worked.
    +>>
    +>> Thought I'd toss that out there.  Should I check this in?  For those that
    +>> have SSI disabled, it'll act like a comment, so I wouldn't think it would
    +>> break anything.
    +   
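Review bot: The line that "I added this line:" introduces is empty in the quoted thread (the "+>>" line just before "Just before the </BODY> </HTML>"), so the answer never shows what to add to index.html; if the directive is written as an HTML comment it has to be entity-escaped in the source to appear in the rendered FAQ. The reply quoted first also argues against the "#exec cmd" form because most sites will not have it enabled and proposes "#include virtual" with a footer.cgi instead, so the entry should state which of the two the Guide recommends and give that one as explicit steps, including the index.shtml rename it mentions, rather than leaving the reader to work it out from a thread quoted newest-first.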

    A.4.8. Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :)

    A.4.8. A.4.9. Is there email notification and if so, what do you see when you get an email? Do you see bug number and title or is it only the number?

    A.4.9. A.4.10. Can email notification be set up to send to multiple people, some on the To List, CC List, BCC List etc?

    A.4.10. A.4.11. If there is email notification, do users have to have any particular type of email application?

    A.4.11. A.4.12. If I just wanted to track certain bugs, as they go through life, can I set it up to alert me via email whenever that bug changes, whether it be owner, status or description etc.? @@ -9000,10 +9236,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.12. A.4.13. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query @@ -9045,10 +9281,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.13. A.4.14. Does Bugzilla allow fields to be added, changed or deleted? If I want to customize the bug submission form to meet our needs, can I do that using our terminology? @@ -9069,10 +9305,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.14. A.4.15. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable?

    A.4.15. A.4.16. Can a user create and save reports? Can they do this in Word format? Excel format?

    A.4.16. A.4.17. Can a user re-run a report with a new project, same query?

    A.4.17. A.4.18. Can a user modify an existing report and then save it into another name?

    A.4.18. A.4.19. Does Bugzilla have the ability to search by word, phrase, compound search?

    A.4.19. A.4.20. Can the admin person establish separate group and individual user privileges?

    A.4.20. A.4.21. Does Bugzilla provide record locking when there is simultaneous access to the same bug? Does the second person get a notice that the bug is in use or how are they notified? @@ -9235,10 +9471,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.21. A.4.22. Are there any backup features provided?

  • A.4.22. A.4.23. Can users be on the system while a backup is in progress?

    A.4.23. A.4.24. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out if we were to go with Bugzilla, what types of @@ -9326,10 +9562,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.24. A.4.25. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or weeks to install and a couple of hours per week to maintain and customize or is this @@ -9357,10 +9593,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.25. A.4.26. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above?

    A.5.1.

    A.5.2.

    A.5.3.

    A.6.1.

    A.6.2.

    A.6.3.

    A.7.1.

    A.7.2.

    A.7.3.

    A.7.4. You can call bug_email.pl directly from your aliases file, with an entry like this:

    A.7.5.

    A.7.6.

    A.7.7.

    A.8.1.

    A.8.2.

    A.8.3.

    A.8.4.

    A.8.5.

    A.8.6.

    A.8.7.

    A.8.8.

    A.8.9.

    A.9.1.

    A.9.2.

    A.9.3.

    Microsoft has some advice on this matter, as well:

    A.9.4.

    A.9.5.

    A.10.1.

    A.10.2.

    A.10.3.

    A.10.4.

    A.10.5.

    A.11.1.

    A.11.2.

    A.11.3.

    Version 1.1, March 2000

    A.1.1. Where can I find information about Bugzilla?
    A.1.2. What license is Bugzilla distributed under?
    A.1.3. How do I get commercial support for Bugzilla?
    A.1.4. What major companies or projects are currently using Bugzilla for bug-tracking?
    A.1.5. Who maintains Bugzilla?
    A.1.6. How does Bugzilla stack up against other bug-tracking databases?
    A.1.7. How do I change my user name in Bugzilla?
    A.1.8. Why doesn't Bugzilla offer this or that feature or compatability with this other tracking software?
    A.1.9. Why MySQL? I'm interested in seeing Bugzilla run on Oracle/Sybase/Msql/PostgreSQL/MSSQL?
    A.1.10. Why do the scripts say "/usr/bonsaitools/bin/perl" instead of "/usr/bin/perl" or something else?
    A.2.1. What about Red Hat Bugzilla?
    A.2.2. What are the primary benefits of Red Hat Bugzilla?
    A.2.3. What's the current status of Red Hat Bugzilla?
    A.3.1. What about Loki Bugzilla?
    A.3.2. Who maintains Fenris (Loki Bugzilla) now?
    A.3.3.
    A.4.1. Is Bugzilla web-based or do you have to have specific software or specific operating system on your machine?
    A.4.2. Has anyone you know of already done any Bugzilla integration with Perforce (SCM software)?
    A.4.3. Does Bugzilla allow the user to track multiple projects?
    A.4.4. If I am on many projects, and search for all bugs assigned to me, will Bugzilla list them for me and allow me to sort by project, severity etc?
    A.4.5. Does Bugzilla allow attachments (text, screenshots, urls etc)? If yes, are there any that are NOT allowed?
    A.4.6. Does Bugzilla allow us to define our own priorities and levels? Do we have complete freedom to change the labels of fields and format of them, and the choice of acceptable values? @@ -249,43 +249,51 @@ HREF="faq.html#AEN1502" >
    A.4.7. The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? +
    A.4.8. Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :)
    A.4.8. A.4.9. Is there email notification and if so, what do you see when you get an email? Do you see bug number and title or is it only the number?
    A.4.9. A.4.10. Can email notification be set up to send to multiple people, some on the To List, CC List, BCC List etc?
    A.4.10. A.4.11. If there is email notification, do users have to have any particular type of email application?
    A.4.11. A.4.12. If I just wanted to track certain bugs, as they go through life, can I set it up to alert me via email whenever that bug changes, whether it be owner, status or description etc.?
    A.4.12. A.4.13. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query @@ -293,76 +301,76 @@ HREF="faq.html#AEN1537"
    A.4.13. A.4.14. Does Bugzilla allow fields to be added, changed or deleted? If I want to customize the bug submission form to meet our needs, can I do that using our terminology?
    A.4.14. A.4.15. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable?
    A.4.15. A.4.16. Can a user create and save reports? Can they do this in Word format? Excel format?
    A.4.16. A.4.17. Can a user re-run a report with a new project, same query?
    A.4.17. A.4.18. Can a user modify an existing report and then save it into another name?
    A.4.18. A.4.19. Does Bugzilla have the ability to search by word, phrase, compound search?
    A.4.19. A.4.20. Can the admin person establish separate group and individual user privileges?
    A.4.20. A.4.21. Does Bugzilla provide record locking when there is simultaneous access to the same bug? Does the second person get a notice that the bug is in use or how are they notified?
    A.4.21. A.4.22. Are there any backup features provided?
    A.4.22. A.4.23. Can users be on the system while a backup is in progress?
    A.4.23. A.4.24. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out if we were to go with Bugzilla, what types of @@ -371,8 +379,8 @@ HREF="faq.html#AEN1596"
    A.4.24. A.4.25. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or weeks to install and a couple of hours per week to maintain and customize or is this @@ -381,8 +389,8 @@ HREF="faq.html#AEN1603"
    A.4.25. A.4.26. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above?
    A.5.1. How do I download and install Bugzilla?
    A.5.2. How do I install Bugzilla on Windows NT?
    A.5.3. Is there an easy way to change the Bugzilla cookie name?
    A.6.1. How do I completely disable MySQL security if it's giving me problems (I've followed the instructions in the README!)?
    A.6.2. Are there any security problems with Bugzilla?
    A.6.3. I've implemented the security fixes mentioned in Chris Yeh's security advisory of 5/10/2000 advising not to run MySQL as root, and am running into problems with MySQL no longer working correctly. @@ -455,48 +463,48 @@ HREF="faq.html#FAQ_EMAIL" >
    A.7.1. I have a user who doesn't want to receive any more email from Bugzilla. How do I stop it entirely for this user?
    A.7.2. I'm evaluating/testing Bugzilla, and don't want it to send email to anyone but me. How do I do it?
    A.7.3. I want whineatnews.pl to whine at something more, or other than, only new bugs. How do I do it?
    A.7.4. I don't like/want to use Procmail to hand mail off to bug_email.pl. What alternatives do I have?
    A.7.5. How do I set up the email interface to submit/change bugs via email?
    A.7.6. Email takes FOREVER to reach me from bugzilla -- it's extremely slow. What gives?
    A.7.7. How come email never reaches me from bugzilla changes?
    A.8.1. I've heard Bugzilla can be used with Oracle?
    A.8.2. Bugs are missing from queries, but exist in the database (and I can pull them up by specifying the bug ID). What's wrong?
    A.8.3. I think my database might be corrupted, or contain invalid entries. What do I do?
    A.8.4. I want to manually edit some entries in my database. How?
    A.8.5. I try to add myself as a user, but Bugzilla always tells me my password is wrong.
    A.8.6. I think I've set up MySQL permissions correctly, but bugzilla still can't connect.
    A.8.7. How do I synchronize bug information among multiple different Bugzilla databases?
    A.8.8. Why do I get bizarre errors when trying to submit data, particularly problems with "groupset"?
    A.8.9. How come even after I delete bugs, the long descriptions show up?
    A.9.1. What is the easiest way to run Bugzilla on Win32 (Win98+/NT/2K)?
    A.9.2. Is there a "Bundle::Bugzilla" equivalent for Win32?
    A.9.3. CGI's are failing with a "something.cgi is not a valid Windows NT application" error. Why?
    A.9.4. Can I have some general instructions on how to make Bugzilla on Win32 work?
    A.9.5. I'm having trouble with the perl modules for NT not being able to talk to to the database.
    A.10.1. The query page is very confusing. Isn't there a simpler way to query?
    A.10.2. I'm confused by the behavior of the "accept" button in the Show Bug form. Why doesn't it assign the bug to me when I accept it?
    A.10.3. I can't upload anything into the database via the "Create Attachment" link. What am I doing wrong?
    A.10.4. Email submissions to Bugzilla that have attachments end up asking me to save it as a "cgi" file.
    A.10.5. How do I change a keyword in Bugzilla, once some bugs are using it?
    A.11.1. What bugs are in Bugzilla right now?
    A.11.2. How can I change the default priority to a null value? For instance, have the default priority be "---" instead of "P2"?
    A.11.3. What's the best way to submit patches? What guidelines should I follow?

    A.1.1.

    A.1.2.

    A.1.3.

    A.1.4.

    A.1.5.

    A.1.6.

    A.1.7.

    A.1.8.

    A.1.9. Terry Weissman answers,

    A.1.10.

    Here's Terry Weissman's comment, for some historical context:

    A.2.1.

    Dave Lawrence, the original Red Hat Bugzilla maintainer, mentions:

    A.2.2. Dave Lawrence:

    A.2.3. Dave Lawrence:

    A.3.1. Loki Games has a customized version of Bugzilla available at http://fenris.lokigames.com. From that page,

    A.3.2.

    A.3.3.

    A.4.1.

    A.4.2.

    A.4.3.

    A.4.4.

    A.4.5.

    A.4.6.

    A.4.7. The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? +

    This was a late-breaking question for the Guide, so I just have to + quote the relevant newsgroup thread on it. +

    > AFAIK, most sites (even if they have SSI enabled) won't have #exec cmd
    +> enabled.  Perhaps what would be better is a #include virtual and a
    +> footer.cgi the basically has the "require 'CGI.pl' and PutFooter command.
    +>
    +> Please note that under most configurations, this also requires naming
    +> the file from index.html to index.shtml (and making sure that it will
    +> still be reconized as an index).  Personally, I think this is better on
    +> a per-installation basis (perhaps add something to the FAQ that says how
    +> to do this).
    +
    +Good point.  Yeah, easy enough to do, that it shouldn't be a big deal for
    +someone to take it on if they want it.  FAQ is a good place for it.
    +
    +> Dave Miller wrote:
    +>
    +>> I did a little experimenting with getting the command menu and footer on
    +>> the end of the index page while leaving it as an HTML file...
    +>>
    +>> I was successful. :)
    +>>
    +>> I added this line:
    +>>
    +>> 
    +>>
    +>> Just before the </BODY> </HTML> at the end of the file.  And it worked.
    +>>
    +>> Thought I'd toss that out there.  Should I check this in?  For those that
    +>> have SSI disabled, it'll act like a comment, so I wouldn't think it would
    +>> break anything.
    +   
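
Review bot: The quoted thread says "I added this line:" and the quoted line that follows is empty, so the answer to A.4.7 never shows the directive the reader is meant to place before </BODY> </HTML>. If the SSI directive was pasted into faq.sgml as raw markup, it will have been parsed as a comment and dropped from the generated HTML and text; escape it the way </BODY> evidently was, then regenerate. The first quoted reply also points out that most sites will not have #exec cmd enabled and proposes #include virtual with a footer.cgi plus a rename to index.shtml, so the answer should state which of the two approaches it recommends instead of leaving the reader to reconstruct it from the thread.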

    A.4.8. Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :)

    A.4.8. A.4.9. Is there email notification and if so, what do you see when you get an email? Do you see bug number and title or is it only the number?

    A.4.9. A.4.10. Can email notification be set up to send to multiple people, some on the To List, CC List, BCC List etc?

    A.4.10. A.4.11. If there is email notification, do users have to have any particular type of email application?

    A.4.11. A.4.12. If I just wanted to track certain bugs, as they go through life, can I set it up to alert me via email whenever that bug changes, whether it be owner, status or description etc.? @@ -1906,10 +1971,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.12. A.4.13. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query @@ -1951,10 +2016,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.13. A.4.14. Does Bugzilla allow fields to be added, changed or deleted? If I want to customize the bug submission form to meet our needs, can I do that using our terminology? @@ -1975,10 +2040,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.14. A.4.15. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable?

    A.4.15. A.4.16. Can a user create and save reports? Can they do this in Word format? Excel format?

    A.4.16. A.4.17. Can a user re-run a report with a new project, same query?

    A.4.17. A.4.18. Can a user modify an existing report and then save it into another name?

    A.4.18. A.4.19. Does Bugzilla have the ability to search by word, phrase, compound search?

    A.4.19. A.4.20. Can the admin person establish separate group and individual user privileges?

    A.4.20. A.4.21. Does Bugzilla provide record locking when there is simultaneous access to the same bug? Does the second person get a notice that the bug is in use or how are they notified? @@ -2141,10 +2206,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.21. A.4.22. Are there any backup features provided?

    A.4.22. A.4.23. Can users be on the system while a backup is in progress?

    A.4.23. A.4.24. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out if we were to go with Bugzilla, what types of @@ -2232,10 +2297,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.24. A.4.25. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or weeks to install and a couple of hours per week to maintain and customize or is this @@ -2263,10 +2328,10 @@ CLASS="QANDAENTRY" CLASS="QUESTION" >

    A.4.25. A.4.26. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above?

    A.5.1.

    A.5.2.

    A.5.3.

    A.6.1.

    A.6.2.

    A.6.3.

    A.7.1.

    A.7.2.

    A.7.3.

    A.7.4. You can call bug_email.pl directly from your aliases file, with an entry like this:

    A.7.5.

    A.7.6.

    A.7.7.

    A.8.1.

    A.8.2.

    A.8.3.

    A.8.4.

    A.8.5.

    A.8.6.

    A.8.7.

    A.8.8.

    A.8.9.

    A.9.1.

    A.9.2.

    A.9.3.

    Microsoft has some advice on this matter, as well:

    A.9.4.

    A.9.5.

    A.10.1.

    A.10.2.

    A.10.3.

    A.10.4.

    A.10.5.

    A.11.1.

    A.11.2.

    A.11.3.

    Version 1.1, March 2000

    2.1.2.14. Setting Up the MySQL Database
    2.1.2.15. Tweaking "localconfig"
    2.1.2.16. Setting Up Maintainers Manuall (Optional)Setting Up Maintainers Manually (Optional)
    2.1.2.17. The Whining Cron (Optional)
    2.1.2.18. Bug Graphs (Optional)
    2.1.2.19. Securing MySQL
    2.1.2.20. Installation General Notes
    2-1. Setting up bonsaitools symlink
    2-2. Running checksetup.pl as the web user
    2-3. Removing encrypt() for Windows NT installations
    3-1. Creating some Components
    3-2. Common Use of Versions
    3-3. A Different Use of Versions
    3-4. Using SortKey with Target Milestone
    3-5. When to Use Group Security
    3-6. Creating a New Group
    4-1. Some Famous Software Versions
    4-2. Mozilla Webtools Components
    D-1. Using Setperl to set your perl path
    1. A Sample Product
    2.1.2.14. Setting Up the MySQL Database
    2.1.2.15. Tweaking "localconfig"
    2.1.2.16. Setting Up Maintainers Manuall (Optional)Setting Up Maintainers Manually (Optional)
    2.1.2.17. The Whining Cron (Optional)
    2.1.2.18. Bug Graphs (Optional)
    2.1.2.19. Securing MySQL
    2.1.2.20. Installation General Notes
    2.1.2.20.1. Modifying Your Running System
    2.1.2.20.2. Upgrading From Previous Versions
    2.1.2.20.3. UNIX Installation Instructions History

    Tip: HINT: If you symlink the bugzilla directory into your Apache's +> If you symlink the bugzilla directory into your Apache's HTML heirarchy, you may receive "Forbidden" errors unless you add the "FollowSymLinks" directive to the <Directory> entry for the HTML root. @@ -866,12 +866,45 @@ CLASS="TIP" installation.

    Lastly, you'll need to set up a symbolic link from /usr/bonsaitools/bin - to the correct location of your perl executable (probably /usr/bin/perl). +> Lastly, you'll need to set up a symbolic link to /usr/bonsaitools/bin/perl + for the correct location of your perl executable (probably /usr/bin/perl). Otherwise you must hack all the .cgi files to change where they look for perl. To make future upgrades easier, you should use the symlink approach.

    Example 2-1. Setting up bonsaitools symlink

    Here's how you set up the Perl symlink on Linux to make Bugzilla work. + Your mileage may vary; if you are running on Solaris, you probably need to subsitute + "/usr/local/bin/perl" for "/usr/bin/perl" below; if on certain other UNIX systems, + Perl may live in weird places like "/opt/perl". As root, run these commands: +
    bash# mkdir /usr/bonsaitools
    +bash# mkdir /usr/bonsaitools/bin
    +bash# ln -s /usr/bin/perl /usr/bosaitools/bin/perl
    +	      
    +

    +
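
Review bot: The third command of Example 2-1 links to /usr/bosaitools/bin/perl, but the two mkdir lines create /usr/bonsaitools/bin, so the ln fails on a missing directory and the .cgi files still cannot find perl. Change the target to /usr/bonsaitools/bin/perl. The same typo is carried in the docs/sgml/installation.sgml and docs/txt/Bugzilla-Guide.txt copies of this example, so fix the SGML source and regenerate the rest. "subsitute" in the introductory paragraph should be "substitute".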

    2.1.2.14. Setting Up the MySQL Database

    2.1.2.15. Tweaking "localconfig"

    Note: The second time you run checksetup.pl, it is recommended you be the same - user as your web server runs under, and that you be sure you have set the +> The second time you run checksetup.pl, you should become the + user your web server runs as, and that you ensure you have set the "webservergroup" parameter in localconfig to match the web server's group - name, if any. Under some systems, otherwise, checksetup.pl will goof up - your file permissions and make them unreadable to your web server. + name, if any. I believe, for the next release of Bugzilla, this will + be fixed so that Bugzilla supports a "webserveruser" parameter in localconfig + as well. +

    Example 2-2. Running checksetup.pl as the web user

    Assuming your web server runs as user "apache", and Bugzilla is installed in + "/usr/local/bugzilla", here's one way to run checksetup.pl as the web server user. + As root, for the second run of checksetup.pl, do this: +
    bash# chown -R apache:apache /usr/local/bugzilla
    +bash# su - apache
    +bash# cd /usr/local/bugzilla
    +bash# ./checksetup.pl
    +		  
    +
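
Review bot: "chown -R apache:apache /usr/local/bugzilla" in Example 2-2 gives the web server user ownership of the entire tree, including the .cgi scripts and localconfig, which this same commit describes as holding the "bugs" user password. The example should say that this is what it does and why it is needed for the second checksetup.pl run, or narrow the chown to what the web server actually has to write. The rewritten Note also deletes the only sentence that explained the reason for the advice (checksetup.pl leaving files unreadable to the web server), and "you should become the user ... and that you ensure" no longer parses; keep the reason and reword to "become the user your web server runs as, and ensure you have set". The "I believe, for the next release" sentence reads as a guess and would be better dropped or tied to a bug number.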

    2.1.2.16. Setting Up Maintainers Manuall (Optional)2.1.2.16. Setting Up Maintainers Manually (Optional)

    If you want to add someone else to every group by hand, you can do it @@ -1220,7 +1289,7 @@ CLASS="SECTION" >

    2.1.2.17. The Whining Cron (Optional)

    2.1.2.18. Bug Graphs (Optional)

    2.1.2.19. Securing MySQL

    2.1.2.20. Installation General Notes

    2.1.2.20.1. Modifying Your Running System

    2.1.2.20.2. Upgrading From Previous Versions

    2.1.2.20.3. UNIX Installation Instructions History

    Tip: From Andrew Pearson:

    Tip: "Brian" had this to add, about upgrading to Bugzilla 2.12 from previous versions:

    Example 2-1. Removing encrypt() for Windows NT installationsExample 2-3. Removing encrypt() for Windows NT installations

    Replace this: @@ -691,6 +691,63 @@ open SENDMAIL, "|\"C:/General/Web/tools/Windmail 4.0 Beta/windmail\" -t > ma >

    Tip: This was some late breaking information from Jan Evert. Sorry for the lack of formatting. +

    I'm busy installing bugzilla on a WinNT machine and I thought I'd notify you
    +at this moment of the commments I have to section 2.2.1 of the bugzilla
    +guide (at http://www.trilobyte.net/barnsons/html/).
    +
    +Step 1:
    +I've used apache, installation is really straightforward.
    +After reading the Unix installation instructions, I found that it is
    +necessary to add the ExecCGI option to the bugzilla directory. Also the
    +'AddHandler' line for .cgi is by default commented out.
    +
    +Step 3: although just a detail, 'ppm install <module%gt;' will also work
    +(wihtout .ppd). And, it can also download these automatically from
    +ActiveState.
    +
    +Step 4: although I have cygwin installed, it seems that it is not necessary.
    +On my machine cygwin is not in the PATH and everything seems to work as
    +expected.
    +However, I've not used everything yet.
    +
    +Step 6: the 'bugs_password' given in SQL command d needs to be edited into
    +localconfig later on (Step 7) if the password is not empty. I've also edited
    +it into globals.pl, but I'm not sure that is needed. In both places, the
    +variable is named db_pass.
    +
    +Step 8: all the sendmail replacements mentioned are not as simple as
    +described there. Since I am not familiar (yet) with perl, I don't have any
    +mail working yet.
    +
    +Step 9: in globals.pl the encrypt() call can be replaced by just the
    +unencrypted password. In CGI.pl, the complete SQL command can be removed.
    +
    +Step 11: I've only changed the #! lines in *.cgi. I haven't noticed problems
    +with the system() call yet.
    +There seem to be only four system() called programs: processmail.pl (handled
    +by step 10), syncshadowdb (which should probably get the same treatment as
    +processmail.pl), diff and mysqldump. The last one is only needed with the
    +shadowdb feature (which I don't use).
    +
    +There seems to be one step missing: copying the bugzilla files somehwere
    +that apache can serve them.
    +
    +Just noticed the updated guide... Brian's comment is new. His first comment
    +will work, but opens up a huge security hole.
    +
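
Review bot: The pasted mail ends with "His first comment will work, but opens up a huge security hole", yet the guide keeps Brian's tip as it was and does not say which instruction is meant or what the exposure is, so a reader following the Windows steps has no way to avoid it. Either annotate Brian's tip with the concern or add a sentence here naming the step and the risk. Step 9 likewise tells the reader to replace the encrypt() call with "just the unencrypted password" with no comment from the guide on what that means for stored passwords. In Step 3, '<module%gt;' has a broken entity and should be '&lt;module&gt;' in the source; "commments", "wihtout" and "somehwere" can stay as quoted if the mail is meant to be verbatim.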

  • Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and - $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig file. + $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and + $BUGZILLA_HOME/globals.pl files. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands - of a criminal. Also some files under $BUGZILLA_HOME/data/ store sensitive information, and + of a criminal, while the "globals.pl" stores some default information regarding your + installation which could aid a system cracker. + In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure these directories and this file, you will expose bug information to those who may not be allowed to see it.

    Note: Bugzilla provides default .htaccess files to protect the most common Apache + installations. However, you should verify these are adequate according to the site-wide + security policy of your web server, and ensure that the .htaccess files are + allowed to "override" default permissions set in your Apache configuration files. + Covering Apache security is beyond the scope of this Guide; please consult the Apache + documentation for details. +

    If you are using a web server that does not support the .htaccess control method, + you are at risk! After installing, check to see if you can + view the file "localconfig" in your web browser (ergo: + http://bugzilla.mozilla.org/localconfig. If you can read the contents of this + file, your web server has not secured your bugzilla directory properly and you + must fix this problem before deploying Bugzilla. If, however, it gives you a + "Forbidden" error, then it probably respects the .htaccess conventions and you + are good to go. +

    On Apache, you can use .htaccess files to protect access to these directories, as outlined in
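
Review bot: The verification step reads "(ergo: http://bugzilla.mozilla.org/localconfig." with a parenthesis that never closes, "ergo" where "e.g." is meant, and a URL on mozilla.org's own host, so a reader who copies it tests the wrong server instead of their own installation. Use a placeholder host for the reader's site and close the parenthesis. The check also covers only localconfig, while the paragraph above now lists globals.pl, data/ and shadow/ as needing protection; a "Forbidden" on one file does not show the others are covered, so the text should tell the reader to request each of them. With globals.pl added, "these directories and this file" should become "these directories and files".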

    The Bugzilla Guide - v2.12.0, 24 April 2001 + 2001-04-25 Matthew P. diff --git a/docs/sgml/administration.sgml b/docs/sgml/administration.sgml index a35ba047d..8ca600c54 100644 --- a/docs/sgml/administration.sgml +++ b/docs/sgml/administration.sgml 
@@ -1049,14 +1049,38 @@ operating parameters for bugzilla. Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and - $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig file. + $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and + $BUGZILLA_HOME/globals.pl files. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands - of a criminal. Also some files under $BUGZILLA_HOME/data/ store sensitive information, and + of a criminal, while the "globals.pl" stores some default information regarding your + installation which could aid a system cracker. + In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure these directories and this file, you will expose bug information to those who may not be allowed to see it. + + + Bugzilla provides default .htaccess files to protect the most common Apache + installations. However, you should verify these are adequate according to the site-wide + security policy of your web server, and ensure that the .htaccess files are + allowed to "override" default permissions set in your Apache configuration files. + Covering Apache security is beyond the scope of this Guide; please consult the Apache + documentation for details. + + + If you are using a web server that does not support the .htaccess control method, + you are at risk! After installing, check to see if you can + view the file "localconfig" in your web browser (ergo: + + http://bugzilla.mozilla.org/localconfig. If you can read the contents of this + file, your web server has not secured your bugzilla directory properly and you + must fix this problem before deploying Bugzilla. If, however, it gives you a + "Forbidden" error, then it probably respects the .htaccess conventions and you + are good to go. 
+ + On Apache, you can use .htaccess files to protect access to these directories, as outlined in Bug 57161 for the diff --git a/docs/sgml/faq.sgml b/docs/sgml/faq.sgml index b7ca03201..2b67890a9 100644 --- a/docs/sgml/faq.sgml +++ b/docs/sgml/faq.sgml @@ -680,6 +680,54 @@ + + + + + The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? + + + + + This was a late-breaking question for the Guide, so I just have to + quote the relevant newsgroup thread on it. + + +> AFAIK, most sites (even if they have SSI enabled) won't have #exec cmd +> enabled. Perhaps what would be better is a #include virtual and a +> footer.cgi the basically has the "require 'CGI.pl' and PutFooter command. +> +> Please note that under most configurations, this also requires naming +> the file from index.html to index.shtml (and making sure that it will +> still be reconized as an index). Personally, I think this is better on +> a per-installation basis (perhaps add something to the FAQ that says how +> to do this). + +Good point. Yeah, easy enough to do, that it shouldn't be a big deal for +someone to take it on if they want it. FAQ is a good place for it. + +> Dave Miller wrote: +> +>> I did a little experimenting with getting the command menu and footer on +>> the end of the index page while leaving it as an HTML file... +>> +>> I was successful. :) +>> +>> I added this line: +>> +>> +>> +>> Just before the </BODY> </HTML> at the end of the file. And it worked. +>> +>> Thought I'd toss that out there. Should I check this in? For those that +>> have SSI disabled, it'll act like a comment, so I wouldn't think it would +>> break anything. + + + diff --git a/docs/sgml/installation.sgml b/docs/sgml/installation.sgml index 03ff0bd8d..8165afd6d 100644 --- a/docs/sgml/installation.sgml +++ b/docs/sgml/installation.sgml 
@@ -479,7 +479,7 @@ - HINT: If you symlink the bugzilla directory into your Apache's + If you symlink the bugzilla directory into your Apache's HTML heirarchy, you may receive "Forbidden" errors unless you add the "FollowSymLinks" directive to the <Directory> entry for the HTML root. @@ -493,11 +493,25 @@ installation. - Lastly, you'll need to set up a symbolic link from /usr/bonsaitools/bin - to the correct location of your perl executable (probably /usr/bin/perl). + Lastly, you'll need to set up a symbolic link to /usr/bonsaitools/bin/perl + for the correct location of your perl executable (probably /usr/bin/perl). Otherwise you must hack all the .cgi files to change where they look for perl. To make future upgrades easier, you should use the symlink approach. + + Setting up bonsaitools symlink + + Here's how you set up the Perl symlink on Linux to make Bugzilla work. + Your mileage may vary; if you are running on Solaris, you probably need to subsitute + "/usr/local/bin/perl" for "/usr/bin/perl" below; if on certain other UNIX systems, + Perl may live in weird places like "/opt/perl". As root, run these commands: + +bash# mkdir /usr/bonsaitools +bash# mkdir /usr/bonsaitools/bin +bash# ln -s /usr/bin/perl /usr/bosaitools/bin/perl + + + If you don't have root access to set this symlink up, check out the 
@@ -663,11 +677,26 @@ Now regenerating the shadow database for all bugs. - The second time you run checksetup.pl, it is recommended you be the same - user as your web server runs under, and that you be sure you have set the + The second time you run checksetup.pl, you should become the + user your web server runs as, and that you ensure you have set the "webservergroup" parameter in localconfig to match the web server's group - name, if any. Under some systems, otherwise, checksetup.pl will goof up - your file permissions and make them unreadable to your web server. + name, if any. I believe, for the next release of Bugzilla, this will + be fixed so that Bugzilla supports a "webserveruser" parameter in localconfig + as well. + + Running checksetup.pl as the web user + + Assuming your web server runs as user "apache", and Bugzilla is installed in + "/usr/local/bugzilla", here's one way to run checksetup.pl as the web server user. + As root, for the second run of checksetup.pl, do this: + +bash# chown -R apache:apache /usr/local/bugzilla +bash# su - apache +bash# cd /usr/local/bugzilla +bash# ./checksetup.pl + + + @@ -680,7 +709,7 @@

    - Setting Up Maintainers Manuall (Optional) + Setting Up Maintainers Manually (Optional) If you want to add someone else to every group by hand, you can do it by typing the appropriate MySQL commands. Run ' @@ -1295,6 +1324,56 @@ open SENDMAIL, "|\"C:/General/Web/tools/Windmail 4.0 Beta/windmail\" -t > mail.l
  • + + + This was some late breaking information from Jan Evert. Sorry for the lack of formatting. + + +I'm busy installing bugzilla on a WinNT machine and I thought I'd notify you +at this moment of the commments I have to section 2.2.1 of the bugzilla +guide (at http://www.trilobyte.net/barnsons/html/). + +Step 1: +I've used apache, installation is really straightforward. +After reading the Unix installation instructions, I found that it is +necessary to add the ExecCGI option to the bugzilla directory. Also the +'AddHandler' line for .cgi is by default commented out. + +Step 3: although just a detail, 'ppm install <module%gt;' will also work +(wihtout .ppd). And, it can also download these automatically from +ActiveState. + +Step 4: although I have cygwin installed, it seems that it is not necessary. +On my machine cygwin is not in the PATH and everything seems to work as +expected. +However, I've not used everything yet. + +Step 6: the 'bugs_password' given in SQL command d needs to be edited into +localconfig later on (Step 7) if the password is not empty. I've also edited +it into globals.pl, but I'm not sure that is needed. In both places, the +variable is named db_pass. + +Step 8: all the sendmail replacements mentioned are not as simple as +described there. Since I am not familiar (yet) with perl, I don't have any +mail working yet. + +Step 9: in globals.pl the encrypt() call can be replaced by just the +unencrypted password. In CGI.pl, the complete SQL command can be removed. + +Step 11: I've only changed the #! lines in *.cgi. I haven't noticed problems +with the system() call yet. +There seem to be only four system() called programs: processmail.pl (handled +by step 10), syncshadowdb (which should probably get the same treatment as +processmail.pl), diff and mysqldump. The last one is only needed with the +shadowdb feature (which I don't use). + +There seems to be one step missing: copying the bugzilla files somehwere +that apache can serve them. 
+ +Just noticed the updated guide... Brian's comment is new. His first comment +will work, but opens up a huge security hole. + + diff --git a/docs/txt/Bugzilla-Guide.txt b/docs/txt/Bugzilla-Guide.txt index b31a112e6..2c2ed648e 100644 --- a/docs/txt/Bugzilla-Guide.txt +++ b/docs/txt/Bugzilla-Guide.txt @@ -64,7 +64,7 @@ Matthew P. Barnson 2.1.2.13. Installing the Bugzilla Files 2.1.2.14. Setting Up the MySQL Database 2.1.2.15. Tweaking "localconfig" - 2.1.2.16. Setting Up Maintainers Manuall (Optional) + 2.1.2.16. Setting Up Maintainers Manually (Optional) 2.1.2.17. The Whining Cron (Optional) 2.1.2.18. Bug Graphs (Optional) 2.1.2.19. Securing MySQL @@ -179,7 +179,9 @@ Matthew P. Barnson Glossary List of Examples - 2-1. Removing encrypt() for Windows NT installations + 2-1. Setting up bonsaitools symlink + 2-2. Running checksetup.pl as the web user + 2-3. Removing encrypt() for Windows NT installations 3-1. Creating some Components 3-2. Common Use of Versions 3-3. A Different Use of Versions @@ -709,10 +711,10 @@ Chapter 2. Installing Bugzilla Bugzilla) and make sure you can access the files in that directory through your web server. - Tip: HINT: If you symlink the bugzilla directory into your Apache's - HTML heirarchy, you may receive "Forbidden" errors unless you add - the "FollowSymLinks" directive to the entry for the - HTML root. + Tip: If you symlink the bugzilla directory into your Apache's HTML + heirarchy, you may receive "Forbidden" errors unless you add the + "FollowSymLinks" directive to the entry for the HTML + root. Once all the files are in a web accessible directory, make that directory writable by your webserver's user (which may require just 
@@ -720,11 +722,22 @@ Chapter 2. Installing Bugzilla post-install "checksetup.pl" script, which locks down your installation. - Lastly, you'll need to set up a symbolic link from - /usr/bonsaitools/bin to the correct location of your perl executable - (probably /usr/bin/perl). Otherwise you must hack all the .cgi files - to change where they look for perl. To make future upgrades easier, - you should use the symlink approach. + Lastly, you'll need to set up a symbolic link to + /usr/bonsaitools/bin/perl for the correct location of your perl + executable (probably /usr/bin/perl). Otherwise you must hack all the + .cgi files to change where they look for perl. To make future upgrades + easier, you should use the symlink approach. + + Example 2-1. Setting up bonsaitools symlink + + Here's how you set up the Perl symlink on Linux to make Bugzilla work. + Your mileage may vary; if you are running on Solaris, you probably + need to subsitute "/usr/local/bin/perl" for "/usr/bin/perl" below; if + on certain other UNIX systems, Perl may live in weird places like + "/opt/perl". As root, run these commands: +bash# mkdir /usr/bonsaitools +bash# mkdir /usr/bonsaitools/bin +bash# ln -s /usr/bin/perl /usr/bosaitools/bin/perl Tip: If you don't have root access to set this symlink up, check out the "setperl.csh" utility, listed in the Patches section of 
@@ -813,19 +826,30 @@ Chapter 2. Installing Bugzilla with multiple instances. If flock() is not fully supported, it will stall at: Now regenerating the shadow database for all bugs. - Note: The second time you run checksetup.pl, it is recommended you - be the same user as your web server runs under, and that you be - sure you have set the "webservergroup" parameter in localconfig to - match the web server's group name, if any. Under some systems, - otherwise, checksetup.pl will goof up your file permissions and - make them unreadable to your web server. + Note: The second time you run checksetup.pl, you should become the + user your web server runs as, and that you ensure you have set the + "webservergroup" parameter in localconfig to match the web server's + group name, if any. I believe, for the next release of Bugzilla, + this will be fixed so that Bugzilla supports a "webserveruser" + parameter in localconfig as well. + + Example 2-2. Running checksetup.pl as the web user + + Assuming your web server runs as user "apache", and Bugzilla is + installed in "/usr/local/bugzilla", here's one way to run + checksetup.pl as the web server user. As root, for the second run of + checksetup.pl, do this: +bash# chown -R apache:apache /usr/local/bugzilla +bash# su - apache +bash# cd /usr/local/bugzilla +bash# ./checksetup.pl Note: The checksetup.pl script is designed so that you can run it at any time without causing harm. You should run it after any upgrade to Bugzilla. _________________________________________________________________ -2.1.2.16. Setting Up Maintainers Manuall (Optional) +2.1.2.16. Setting Up Maintainers Manually (Optional) If you want to add someone else to every group by hand, you can do it by typing the appropriate MySQL commands. Run ' mysql -u root -p bugs' 
@@ -1125,7 +1149,7 @@ my $webservergid = 'Administrators' 2. I then ran checksetup.pl 3. I removed all the encrypt() - Example 2-1. Removing encrypt() for Windows NT installations + Example 2-3. Removing encrypt() for Windows NT installations Replace this: SendSQL("SELECT encrypt(" . SqlQuote($enteredpwd) . ", " . 
@@ -1148,6 +1172,64 @@ log"; The quotes around the dir is for the spaces. mail.log is for the output + + Tip: This was some late breaking information from Jan Evert. Sorry + for the lack of formatting. + + I'm busy installing bugzilla on a WinNT machine and I thought I'd n + otify you + at this moment of the commments I have to section 2.2.1 of the bugz + illa + guide (at http://www.trilobyte.net/barnsons/html/). + Step 1: + I've used apache, installation is really straightforward. + After reading the Unix installation instructions, I found that it i + s + necessary to add the ExecCGI option to the bugzilla directory. Also + the + 'AddHandler' line for .cgi is by default commented out. + Step 3: although just a detail, 'ppm install AFAIK, most sites (even if they have SSI enabled) won't have #exec c + md + > enabled. Perhaps what would be better is a #include virtual and a + > footer.cgi the basically has the "require 'CGI.pl' and PutFooter com + mand. + > + > Please note that under most configurations, this also requires namin + g + > the file from index.html to index.shtml (and making sure that it wil + l + > still be reconized as an index). Personally, I think this is better + on + > a per-installation basis (perhaps add something to the FAQ that says + how + > to do this). + Good point. Yeah, easy enough to do, that it shouldn't be a big deal + for + someone to take it on if they want it. FAQ is a good place for it. + > Dave Miller wrote: + > + >> I did a little experimenting with getting the command menu and foot + er on + >> the end of the index page while leaving it as an HTML file... + >> + >> I was successful. :) + >> + >> I added this line: + >> + >> + >> + >> Just before the at the end of the file. And it wor + ked. + >> + >> Thought I'd toss that out there. Should I check this in? For thos + e that + >> have SSI disabled, it'll act like a comment, so I wouldn't think it + would + >> break anything. + + A.4.8. 
Does Bugzilla provide any reporting features, metrics, graphs, etc? You know, the type of stuff that management likes to see. :) Yes. Look at http://bugzilla.mozilla.org/reports.cgi for basic @@ -3371,7 +3523,7 @@ Appendix A. The Bugzilla FAQ Advanced Reporting is a Bugzilla 3.X proposed feature. - A.4.8. Is there email notification and if so, what do you see when you + A.4.9. Is there email notification and if so, what do you see when you get an email? Do you see bug number and title or is it only the number? @@ -3379,12 +3531,12 @@ Appendix A. The Bugzilla FAQ bug report accompany each email notification, along with a list of the changes made. - A.4.9. Can email notification be set up to send to multiple people, + A.4.10. Can email notification be set up to send to multiple people, some on the To List, CC List, BCC List etc? Yes. - A.4.10. If there is email notification, do users have to have any + A.4.11. If there is email notification, do users have to have any particular type of email application? Bugzilla email is sent in plain text, the most compatible mail format @@ -3398,7 +3550,7 @@ Appendix A. The Bugzilla FAQ user sends HTML-based email into Bugzilla the resulting comment looks downright awful. - A.4.11. If I just wanted to track certain bugs, as they go through + A.4.12. If I just wanted to track certain bugs, as they go through life, can I set it up to alert me via email whenever that bug changes, whether it be owner, status or description etc.? @@ -3407,7 +3559,7 @@ Appendix A. The Bugzilla FAQ tab of the User Preferences screen in Bugzilla to the "Only those bugs which I am listed on the CC line" option. - A.4.12. Does Bugzilla allow data to be imported and exported? If I had + A.4.13. Does Bugzilla allow data to be imported and exported? If I had outsiders write up a bug report using a MS Word bug template, could that template be imported into "matching" fields? If I wanted to take the results of a query and export that data to MS Excel, could I do 
@@ -3429,46 +3581,46 @@ Appendix A. The Bugzilla FAQ find an excellent example at http://www.mozilla.org/quality/help/bugzilla-helper.html - A.4.13. Does Bugzilla allow fields to be added, changed or deleted? If + A.4.14. Does Bugzilla allow fields to be added, changed or deleted? If I want to customize the bug submission form to meet our needs, can I do that using our terminology? Yes. - A.4.14. Has anyone converted Bugzilla to another language to be used + A.4.15. Has anyone converted Bugzilla to another language to be used in other countries? Is it localizable? Currently, no. Internationalization support for Perl did not exist in a robust fashion until the recent release of version 5.6.0; Bugzilla is, and likely will remain (until 3.X) completely non-localized. - A.4.15. Can a user create and save reports? Can they do this in Word + A.4.16. Can a user create and save reports? Can they do this in Word format? Excel format? Yes. No. No. - A.4.16. Can a user re-run a report with a new project, same query? + A.4.17. Can a user re-run a report with a new project, same query? Yes. - A.4.17. Can a user modify an existing report and then save it into + A.4.18. Can a user modify an existing report and then save it into another name? You can save an unlimited number of queries in Bugzilla. You are free to modify them and rename them to your heart's desire. - A.4.18. Does Bugzilla have the ability to search by word, phrase, + A.4.19. Does Bugzilla have the ability to search by word, phrase, compound search? You have no idea. Bugzilla's query interface, particularly with the advanced Boolean operators, is incredibly versatile. - A.4.19. Can the admin person establish separate group and individual + A.4.20. Can the admin person establish separate group and individual user privileges? Yes. - A.4.20. Does Bugzilla provide record locking when there is + A.4.21. Does Bugzilla provide record locking when there is simultaneous access to the same bug? 
Does the second person get a notice that the bug is in use or how are they notified? @@ -3476,19 +3628,19 @@ Appendix A. The Bugzilla FAQ detection, and offers the offending user a choice of options to deal with the conflict. - A.4.21. Are there any backup features provided? + A.4.22. Are there any backup features provided? MySQL, the database back-end for Bugzilla, allows hot-backup of data. You can find strategies for dealing with backup considerations at http://www.mysql.com/doc/B/a/Backup.html - A.4.22. Can users be on the system while a backup is in progress? + A.4.23. Can users be on the system while a backup is in progress? Yes. However, commits to the database must wait until the tables are unlocked. Bugzilla databases are typically very small, and backups routinely take less than a minute. - A.4.23. What type of human resources are needed to be on staff to + A.4.24. What type of human resources are needed to be on staff to install and maintain Bugzilla? Specifically, what type of skills does the person need to have? I need to find out if we were to go with Bugzilla, what types of individuals would we need to hire and how much @@ -3507,7 +3659,7 @@ Appendix A. The Bugzilla FAQ me three to five hours to make Bugzilla happy on a Development installation of Linux-Mandrake. - A.4.24. What time frame are we looking at if we decide to hire people + A.4.25. What time frame are we looking at if we decide to hire people to install and maintain the Bugzilla? Is this something that takes hours or weeks to install and a couple of hours per week to maintain and customize or is this a multi-week install process, plus a full 
@@ -3520,7 +3672,7 @@ Appendix A. The Bugzilla FAQ UNIX or Perl skills to handle your process management and bug-tracking maintenance & customization. - A.4.25. Is there any licensing fee or other fees for using Bugzilla? + A.4.26. Is there any licensing fee or other fees for using Bugzilla? Any out-of-pocket cost other than the bodies needed as identified above? diff --git a/docs/xml/Bugzilla-Guide.xml b/docs/xml/Bugzilla-Guide.xml index 9334472af..88daac2bb 100644 --- a/docs/xml/Bugzilla-Guide.xml +++ b/docs/xml/Bugzilla-Guide.xml @@ -59,7 +59,7 @@ http://www.linuxdoc.org/LDP/LDP-Author-Guide/tools-hints.html The Bugzilla Guide - v2.12.0, 24 April 2001 + 2001-04-25 Matthew P. diff --git a/docs/xml/administration.xml b/docs/xml/administration.xml index a35ba047d..8ca600c54 100644 --- a/docs/xml/administration.xml +++ b/docs/xml/administration.xml 
@@ -1049,14 +1049,38 @@ operating parameters for bugzilla. Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and - $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig file. + $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and + $BUGZILLA_HOME/globals.pl files. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands - of a criminal. Also some files under $BUGZILLA_HOME/data/ store sensitive information, and + of a criminal, while the "globals.pl" stores some default information regarding your + installation which could aid a system cracker. + In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure these directories and this file, you will expose bug information to those who may not be allowed to see it. + + + Bugzilla provides default .htaccess files to protect the most common Apache + installations. However, you should verify these are adequate according to the site-wide + security policy of your web server, and ensure that the .htaccess files are + allowed to "override" default permissions set in your Apache configuration files. + Covering Apache security is beyond the scope of this Guide; please consult the Apache + documentation for details. + + + If you are using a web server that does not support the .htaccess control method, + you are at risk! After installing, check to see if you can + view the file "localconfig" in your web browser (ergo: + + http://bugzilla.mozilla.org/localconfig. If you can read the contents of this + file, your web server has not secured your bugzilla directory properly and you + must fix this problem before deploying Bugzilla. If, however, it gives you a + "Forbidden" error, then it probably respects the .htaccess conventions and you + are good to go. 
+ + On Apache, you can use .htaccess files to protect access to these directories, as outlined in Bug 57161 for the diff --git a/docs/xml/faq.xml b/docs/xml/faq.xml index b7ca03201..2b67890a9 100644 --- a/docs/xml/faq.xml +++ b/docs/xml/faq.xml @@ -680,6 +680,54 @@ + + + + + The index.html page doesn't show the footer. It's really annoying to have + to go to the querypage just to check my "my bugs" link. How do I get a footer + on static HTML pages? + + + + + This was a late-breaking question for the Guide, so I just have to + quote the relevant newsgroup thread on it. + + +> AFAIK, most sites (even if they have SSI enabled) won't have #exec cmd +> enabled. Perhaps what would be better is a #include virtual and a +> footer.cgi the basically has the "require 'CGI.pl' and PutFooter command. +> +> Please note that under most configurations, this also requires naming +> the file from index.html to index.shtml (and making sure that it will +> still be reconized as an index). Personally, I think this is better on +> a per-installation basis (perhaps add something to the FAQ that says how +> to do this). + +Good point. Yeah, easy enough to do, that it shouldn't be a big deal for +someone to take it on if they want it. FAQ is a good place for it. + +> Dave Miller wrote: +> +>> I did a little experimenting with getting the command menu and footer on +>> the end of the index page while leaving it as an HTML file... +>> +>> I was successful. :) +>> +>> I added this line: +>> +>> +>> +>> Just before the </BODY> </HTML> at the end of the file. And it worked. +>> +>> Thought I'd toss that out there. Should I check this in? For those that +>> have SSI disabled, it'll act like a comment, so I wouldn't think it would +>> break anything. + + + diff --git a/docs/xml/installation.xml b/docs/xml/installation.xml index 03ff0bd8d..8165afd6d 100644 --- a/docs/xml/installation.xml +++ b/docs/xml/installation.xml 
@@ -479,7 +479,7 @@ - HINT: If you symlink the bugzilla directory into your Apache's + If you symlink the bugzilla directory into your Apache's HTML heirarchy, you may receive "Forbidden" errors unless you add the "FollowSymLinks" directive to the <Directory> entry for the HTML root. @@ -493,11 +493,25 @@ installation. - Lastly, you'll need to set up a symbolic link from /usr/bonsaitools/bin - to the correct location of your perl executable (probably /usr/bin/perl). + Lastly, you'll need to set up a symbolic link to /usr/bonsaitools/bin/perl + for the correct location of your perl executable (probably /usr/bin/perl). Otherwise you must hack all the .cgi files to change where they look for perl. To make future upgrades easier, you should use the symlink approach. + + Setting up bonsaitools symlink + + Here's how you set up the Perl symlink on Linux to make Bugzilla work. + Your mileage may vary; if you are running on Solaris, you probably need to subsitute + "/usr/local/bin/perl" for "/usr/bin/perl" below; if on certain other UNIX systems, + Perl may live in weird places like "/opt/perl". As root, run these commands: + +bash# mkdir /usr/bonsaitools +bash# mkdir /usr/bonsaitools/bin +bash# ln -s /usr/bin/perl /usr/bosaitools/bin/perl + + + If you don't have root access to set this symlink up, check out the 
@@ -663,11 +677,26 @@ Now regenerating the shadow database for all bugs. - The second time you run checksetup.pl, it is recommended you be the same - user as your web server runs under, and that you be sure you have set the + The second time you run checksetup.pl, you should become the + user your web server runs as, and that you ensure you have set the "webservergroup" parameter in localconfig to match the web server's group - name, if any. Under some systems, otherwise, checksetup.pl will goof up - your file permissions and make them unreadable to your web server. + name, if any. I believe, for the next release of Bugzilla, this will + be fixed so that Bugzilla supports a "webserveruser" parameter in localconfig + as well. + + Running checksetup.pl as the web user + + Assuming your web server runs as user "apache", and Bugzilla is installed in + "/usr/local/bugzilla", here's one way to run checksetup.pl as the web server user. + As root, for the second run of checksetup.pl, do this: + +bash# chown -R apache:apache /usr/local/bugzilla +bash# su - apache +bash# cd /usr/local/bugzilla +bash# ./checksetup.pl + + + @@ -680,7 +709,7 @@
    - Setting Up Maintainers Manuall (Optional) + Setting Up Maintainers Manually (Optional) If you want to add someone else to every group by hand, you can do it by typing the appropriate MySQL commands. Run ' @@ -1295,6 +1324,56 @@ open SENDMAIL, "|\"C:/General/Web/tools/Windmail 4.0 Beta/windmail\" -t > mail.l
    + + + This was some late breaking information from Jan Evert. Sorry for the lack of formatting. + + +I'm busy installing bugzilla on a WinNT machine and I thought I'd notify you +at this moment of the commments I have to section 2.2.1 of the bugzilla +guide (at http://www.trilobyte.net/barnsons/html/). + +Step 1: +I've used apache, installation is really straightforward. +After reading the Unix installation instructions, I found that it is +necessary to add the ExecCGI option to the bugzilla directory. Also the +'AddHandler' line for .cgi is by default commented out. + +Step 3: although just a detail, 'ppm install <module%gt;' will also work +(wihtout .ppd). And, it can also download these automatically from +ActiveState. + +Step 4: although I have cygwin installed, it seems that it is not necessary. +On my machine cygwin is not in the PATH and everything seems to work as +expected. +However, I've not used everything yet. + +Step 6: the 'bugs_password' given in SQL command d needs to be edited into +localconfig later on (Step 7) if the password is not empty. I've also edited +it into globals.pl, but I'm not sure that is needed. In both places, the +variable is named db_pass. + +Step 8: all the sendmail replacements mentioned are not as simple as +described there. Since I am not familiar (yet) with perl, I don't have any +mail working yet. + +Step 9: in globals.pl the encrypt() call can be replaced by just the +unencrypted password. In CGI.pl, the complete SQL command can be removed. + +Step 11: I've only changed the #! lines in *.cgi. I haven't noticed problems +with the system() call yet. +There seem to be only four system() called programs: processmail.pl (handled +by step 10), syncshadowdb (which should probably get the same treatment as +processmail.pl), diff and mysqldump. The last one is only needed with the +shadowdb feature (which I don't use). + +There seems to be one step missing: copying the bugzilla files somehwere +that apache can serve them. 
+ +Just noticed the updated guide... Brian's comment is new. His first comment +will work, but opens up a huge security hole. + + -- cgit v1.2.3-24-g4f1b
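Review bot: In docs/xml/administration.xml (hunk @@ -1049,14 +1049,38 @@), the self-check points readers at http://bugzilla.mozilla.org/localconfig, which is mozilla.org's server and not the reader's own installation, so following it as written says nothing about their own configuration. Use a placeholder host that clearly stands for the reader's install, and replace "ergo:" with "e.g.". The check should also cover a file under data/ and shadow/ and globals.pl, since the preceding paragraph names all of them as sensitive and a "Forbidden" on localconfig alone does not show the others are protected. Naming the Apache directive behind 'allowed to "override"' (AllowOverride) would tell readers what to look for in their configuration.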
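Review bot: In docs/xml/faq.xml (hunk @@ -680,6 +680,54 @@), the quoted message from Dave Miller says "I added this line:" and is followed only by empty quoted lines, so the FAQ answer never shows the line the reader is supposed to add. If the directive was pasted as a literal SSI comment it will be swallowed by the SGML/XML processing; escape it or wrap the quoted thread in a CDATA section so it survives. Since the first reply recommends "#include virtual" with a footer.cgi over "#exec cmd", the answer should state which of the two the Guide recommends and mention the index.shtml rename instead of leaving the reader to work it out from the thread. "reconized" should be "recognized" if the quote is cleaned up.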
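Review bot: In docs/xml/installation.xml (hunk @@ -493,11 +493,25 @@), the last command of the new example has a typo in the target path: "ln -s /usr/bin/perl /usr/bosaitools/bin/perl" should use /usr/bonsaitools/bin/perl. As written the ln fails, because the two mkdir commands create /usr/bonsaitools/bin and no "bosaitools" directory exists. The reworded sentence above it ("a symbolic link to /usr/bonsaitools/bin/perl for the correct location of your perl executable") is also unclear about which end is the link and which is the target; say that /usr/bonsaitools/bin/perl is the link and it points to the real perl. "subsitute" should be "substitute".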
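Review bot: In docs/xml/installation.xml (hunk @@ -663,11 +677,26 @@), the example's "chown -R apache:apache /usr/local/bugzilla" hands the web server user ownership of the whole tree, including the .cgi scripts and localconfig, so anything running as that user can rewrite Bugzilla's code and the file holding the database password. That sits badly with the access-control advice this same commit adds to administration.xml. Prefer keeping the files owned by a separate account and using the "webservergroup" parameter the paragraph already mentions for read access, limiting web-user ownership to what the server actually has to write. The hunk also removes the sentence explaining why the second run matters (checksetup.pl can leave files unreadable to the web server) and replaces it with "I believe, for the next release of Bugzilla, this will be fixed", which leaves the instruction without a reason; keep the rationale. "you should become ... and that you ensure" needs its grammar fixed.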
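Review bot: In docs/xml/installation.xml (hunk @@ -1295,6 +1324,56 @@), the pasted email ends with "His first comment will work, but opens up a huge security hole" without saying which comment is meant or what the hole is, so a reader following the Windows instructions cannot tell which step to avoid. Either identify the step and the risk next to the instruction it refers to, or drop the remark. The same applies to Step 9, which tells readers to replace the encrypt() call in globals.pl with "just the unencrypted password" and to remove a SQL command in CGI.pl; the Guide should state the consequence for how passwords are stored before presenting that as a workaround. Also, "ppm install <module%gt;" has a broken entity ("%gt;" for "&gt;") and an unescaped "<", and "commments", "wihtout" and "somehwere" are misspelled.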