From d8070af6b6a6ede39a318965f1c1303768e2a9db Mon Sep 17 00:00:00 2001 From: "jake%bugzilla.org" <> Date: Thu, 2 Dec 2004 12:21:27 +0000 Subject: Reinstate the seperate security section as a chapter. --- docs/xml/Bugzilla-Guide.xml | 7 +- docs/xml/glossary.xml | 35 +++- docs/xml/installation.xml | 284 ++---------------------------- docs/xml/security.xml | 411 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 464 insertions(+), 273 deletions(-) create mode 100644 docs/xml/security.xml (limited to 'docs') diff --git a/docs/xml/Bugzilla-Guide.xml b/docs/xml/Bugzilla-Guide.xml index 142b03d37..d12f6a817 100644 --- a/docs/xml/Bugzilla-Guide.xml +++ b/docs/xml/Bugzilla-Guide.xml @@ -9,6 +9,7 @@ + @@ -34,6 +35,7 @@ + @@ -142,6 +144,9 @@ &administration; + +&security; + &customization; @@ -188,4 +193,4 @@ sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") sgml-shorttag:t sgml-tag-region-if-active:t End: ---> +--> \ No newline at end of file diff --git a/docs/xml/glossary.xml b/docs/xml/glossary.xml index 3893094c0..08ad45524 100644 --- a/docs/xml/glossary.xml +++ b/docs/xml/glossary.xml @@ -3,7 +3,7 @@ 0-9, high ascii - + .htaccess @@ -195,7 +195,7 @@ D - + daemon @@ -208,6 +208,23 @@ a web server, are generally run as daemons. + + + DOS Attack + + + A DOS, or Denial of Service attack, is when a user attempts to + deny access to a web server by repeatadly accessing a page or sending + malformed requests to a webserver. This can be effectively prevented + by using mod_throttle as described in + . A D-DOS, or + Distributed Denial of Service attack, is when these requests come + from multiple sources at the same time. Unfortunately, these are much + more difficult to defend against. + + + + 
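Review bot: In the new glossary entry for "DOS Attack", "This can be effectively prevented by using mod_throttle" overstates what per-IP throttling does; the entry itself goes on to say a distributed attack is much harder to defend against, and an attacker behind a proxy or NAT shares an address with legitimate users, so throttling by IP hurts them too. Suggest "mitigated" rather than "prevented", and fix "repeatadly" to "repeatedly". The conventional spelling is "DoS" / "DDoS" (denial of service), which also avoids the reading as the operating system.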
@@ -393,6 +410,19 @@ S + + Service + + + In Windows NT environment, a boot-time background application + is refered to as a service. These are generally managed through the + control pannel while logged in as an account with + Administrator level capabilities. For more + information, consult your Windows manual or the MSKB. + + + + SGML @@ -520,4 +550,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - diff --git a/docs/xml/installation.xml b/docs/xml/installation.xml index 9c60535a1..0f06b4735 100644 --- a/docs/xml/installation.xml +++ b/docs/xml/installation.xml @@ -1,5 +1,5 @@ - + Installing Bugzilla @@ -520,7 +520,8 @@ Poorly-configured MySQL and Bugzilla installations have given attackers full access to systems in the past. Please take the security parts of these guidelines seriously, even for Bugzilla - machines hidden away behind your firewall. + machines hidden away behind your firewall. Be certain to read + for some important security tips.
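Review bot: Spelling in the new "Service" glossary entry: "refered" should be "referred", "pannel" should be "panel", and "In Windows NT environment" reads better as "In a Windows NT environment". The entry also does not say why a service matters for security; one clause noting that a service runs under an account (SYSTEM by default, as the System User Accounts section of the new chapter says) would tie it to the section that cites it.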
@@ -560,70 +561,13 @@
MySQL -
- Security - - MySQL ships as insecure by default. - It allows anybody to on the local machine full administrative - capabilities without requiring a password; the special - MySQL root account (note: this is not the same as - the system root) also has no password. - Also, many installations default to running - mysqld as the system root. + + MySQL's default configuration is very insecure. + has some good information for + improving your installation's security. - - - - To disable the anonymous user account - and set a password for the root user, execute the following. The - root user password should be different to the bugs user password - you set in - localconfig in the previous section, - and also different to - the password for the system root account on your machine. - - bash$ mysql mysql - mysql> DELETE FROM user WHERE user = ''; - mysql> UPDATE user SET password = password('new_password') WHERE user = 'root'; - mysql> FLUSH PRIVILEGES; - - From this point forward, to run the - mysql command-line client, - you will need to type - mysql -u root -p and enter - new_password when prompted. - - - - - If you run MySQL on the same machine as your web server, you - should disable remote access to MySQL by adding - the following to your /etc/my.cnf: - - [myslqd] - # Prevent network access to MySQL. - skip-networking - - - - Consult the documentation that came with your system for - information on making mysqld run as an - unprivileged user. - - - - - For added security, you could also run MySQL, or even all - of Bugzilla - in a chroot jail; however, instructions for doing that are beyond - the scope of this document. - - - - - -
- + +
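Review bot: Replacing the MySQL security subsection with a pointer drops one piece of advice that does not reappear in the new chapter: that the MySQL root password must differ from the bugs user's password in localconfig and from the system root password. Please carry that sentence into the "root and anonymous Users" section of security.xml, which is now the only place the root-password step is documented. The removed my.cnf example also carried the "[myslqd]" typo in the group header; check that it is not copied into the new file unchanged, since MySQL ignores options in a group it does not recognise.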
Allow large attachments @@ -765,7 +709,10 @@
Web server Configure your web server according to the instructions in the - appropriate section. The Bugzilla Team recommends Apache. + appropriate section. The Bugzilla Team recommends Apache. No matter + what webserver you choose, make sure that sensitive information is + not remotely available by ensuring that the access controls in + are properly applied.
@@ -825,7 +772,7 @@ Also, and this can't be stressed enough, make sure that files such as localconfig and your data - directory are secured as described in . + directory are secured as described in .
@@ -893,137 +840,6 @@
-
- Web Server Access Controls - - Users of Apache can skip this section because - Bugzilla ships with .htaccess files which - restrict access in the manner required. - Users of other webservers, read on. - - - There are several files in the Bugzilla directory - that should not be accessible from the web. You need to configure - your webserver so they they aren't. Not doing this may reveal - sensitive information such as database passwords. - - - - - In the main Bugzilla directory, you should: - - - Block: - - *.pl - *localconfig* - runtests.sh - - - - - But allow: - - localconfig.js - localconfig.rdf - - - - - - - - In data: - - - Block everything - - - But allow: - - duplicates.rdf - - - - - - - - In data/webdot: - - - If you use a remote webdot server: - - - Block everything - - - But allow - - *.dot - - only for the remote webdot server - - - - - Otherwise, if you use a local GraphViz: - - - Block everything - - - But allow: - - *.png - *.gif - *.jpg - *.map - - - - - - - And if you don't use any dot: - - - Block everything - - - - - - - - In Bugzilla: - - - Block everything - - - - - - In template: - - - Block everything - - - - - - You should test to make sure that the files mentioned above are - not accessible from the Internet, especially your - localconfig file which contains your database - password. To test, simply point your web browser at the file; for - example, to test mozilla.org's installation, we'd try to access - . You should - get a 403 Forbidden - error. - -
@@ -1310,75 +1126,6 @@
-
- - Prevent users injecting malicious - Javascript - - It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by - - the CERT advisory on this issue. - If your installation is for an English speaking audience only, making the - change below will prevent this problem. - - - Simply locate the following line in - Bugzilla/CGI.pm: - $self->charset(''); - and change it to: - $self->charset('ISO-8859-1'); - -
- -
- - <filename>mod_throttle</filename> - - It is possible for a user, by mistake or on purpose, to access - the database many times in a row which can result in very slow access - speeds for other users. If your Bugzilla installation is experiencing - this problem, you may install the Apache module - mod_throttle - which can limit connections by IP address. You may download this module - at - . - Follow the instructions to install into your Apache install. - This module only functions with the Apache web - server! - The command you need is - ThrottleClientIP. See the - documentation - for more information. -
- -
- TCP/IP Ports - - A single-box Bugzilla only requires port 80, plus port 25 if - you are using the optional email interface. You should firewall all - other ports and/or disable services listening on them. - -
- -
- Daemon Accounts - - Many daemons, such as Apache's httpd and MySQL's mysqld default to - running as either root or nobody. Running - as root introduces obvious security problems, but the - problems introduced by running everything as nobody may - not be so obvious. Basically, if you're running every daemon as - nobody and one of them gets compromised, they all get - compromised. For this reason it is recommended that you create a user - account for each daemon. - -
Serving Alternate Formats with the right MIME type @@ -1532,7 +1279,7 @@ $smtp->quit; As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever asked. No matter what web server you choose, be sure - to pay attention to the security notes in . + to pay attention to the security notes in . More information on configuring specific web servers can be found in . @@ -2205,4 +1952,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - diff --git a/docs/xml/security.xml b/docs/xml/security.xml new file mode 100644 index 000000000..de859e6b5 --- /dev/null +++ b/docs/xml/security.xml @@ -0,0 +1,411 @@ + + + + +Bugzilla Security + + While some of the items in this chapter are related to the operating + system Bugzilla is running on or some of the support software required to + run Bugzilla, it is all related to protecting your data. This is not + intended to be a comprehensive guide to securing Linux, Apache, MySQL, or + any other piece of software mentioned. There is no substitute for active + administration and monitoring of a machine. The key to good security is + actually right in the middle of the word: U R It. + + + While programmers in general always strive to write secure code, + accidents can and do happen. The best approach to security is to always + assume that the program you are working with isn't 100% secure and restrict + its access to other parts of your machine as much as possible. + + +
+ Operating System + +
+ TCP/IP Ports + + + The TCP/IP standard defines more than 65,000 ports for sending + and receiving traffic. Of those, Bugzilla needs exactly one to operate + (different configurations and options may require up to 3). You should + audit your server and make sure that you aren't listening on any ports + you don't need to be. It's also highly recommended that the server + Bugzilla resides on, along with any other machines you administer, be + placed behind some kinda of firewall. + + +
+ +
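Review bot: The port section lost the concrete guidance the removed installation.xml text had (port 80, plus port 25 if the optional email interface is used); "exactly one ... up to 3" without naming them leaves the reader nothing to audit against. Name each port and what needs it. "More than 65,000 ports" is also vague: TCP and UDP each have 65,536 port numbers (0 to 65535). And "some kinda of firewall" should be "some kind of firewall".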
+ System User Accounts + + Many daemon, such + as Apache's httpd or MySQL's + mysqld, run as either root or + nobody. This is even worse on Windows machines where the + majority of services + run as SYSTEM. While running as root or + SYSTEM introduces obvious security concerns, the + problems introduced by running everything as nobody may + not be so obvious. Basically, if you run every daemon as + nobody and one of them gets comprimised it can + comprimise every other daemon running as nobody on your + machine. For this reason it is recommended that you create a user + account for each daemon. + + + + You will need to set the option + in localconfig to the group your webserver runs + as. This will allow ./checksetup.pl to set file + permissions on Unix systems so that nothing is world-writable. + + + +
+ +
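Review bot: "You will need to set the option in localconfig" names no option as rendered here; please spell out which localconfig variable holds the web server group so readers can find it. The stated goal, "nothing world-writable", is also narrower than needed: localconfig holds the database password (as the Webserver section of this chapter says), so it must not be world-readable either, and the group named here should contain only the web server account. Spelling: "Many daemon" to "Many daemons", "comprimised" / "comprimise" to "compromised" / "compromise".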
+ The <filename>chroot</filename> Jail + + If your system supports it, you may wish to consider running + Bugzilla inside of a chroot jail. This option + provides unpresidented security by restricting anything running + inside the jail from accessing any information outside of it. If you + wish to use this option, please consult the documentation that came + with your system. + + +
+ +
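Review bot: "unpresidented security" should be "unprecedented", but the claim itself is too strong: a chroot restricts the filesystem a process can see, it does not prevent a process that gains root inside the jail from leaving it, and it does nothing about network access. Suggest describing it as limiting which files a compromised daemon can reach, and keeping the caveat the removed installation.xml text had that setup instructions are beyond the scope of this document.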
+ + + +
+ MySQL + +
+ The MySQL System Account + + As mentioned in , the MySQL + daemon should run as a non-privleged, unique user. Be sure to consult + the MySQL documentation or the documentation that came with your system + for instructions. + +
+ +
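Review bot: "non-privleged" should be "non-privileged". Since this section only restates the System User Accounts advice, it could say what a dedicated MySQL user concretely buys you: the web server account then cannot read MySQL's data files directly, so a compromised web server still has to go through the database with the bugs credentials rather than copying the tables off disk.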
+ The MySQL <quote>root</quote> and <quote>anonymous</quote> Users + + By default, MySQL comes with a root user with a + blank password and an anonymous user, also with a blank + password. In order to protect your data, the root user + should be given a password and the anonymous user should be disabled. + + + + Assigning the MySQL <quote>root</quote> User a Password + + +bash$ mysql mysql +mysql> UPDATE user SET password = password('new_password') WHERE user = 'root'; +mysql> FLUSH PRIVILEGES; + + + + + Disabling the MySQL <quote>anonymous</quote> User + +bash$ mysql -u root -p mysql +Enter Password: new_password +mysql> DELETE FROM user WHERE user = ''; +mysql> FLUSH PRIVILEGES; + + + + This command assumes that you have already completed + . + + + + + +
+ +
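Review bot: The two examples are correct but a caveat from the removed installation.xml text is missing: the new root password must differ from the bugs password in localconfig and from the system root password, and that belongs in the paragraph before the first example. The first example deliberately logs in as the anonymous user to set the root password, which is why it must run before the DELETE; say so, because a reader who does the steps in the other order locks themselves out of the anonymous login and has to use "-u root -p" from then on, which this version only implies through the second example. It is also worth noting that "WHERE user = 'root'" updates every root row regardless of host, which is what you want here.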
+ Network Access + + If MySQL and your webserver both run on the same machine and you + have no other reason to access MySQL remotely, then you should disable + the network access. This, along with the suggestion in + , will help protect your system from + any remote vulnerabilites in MySQL. This is done using different + methods in MySQL versions 3 and 4. + + + + Disabling Networking in MySQL 3.x + + Simply enter the following in /etc/my.conf: + +[myslqd] +# Prevent network access to MySQL. +skip-networking + + + + + + Disabling Networking in MySQL 4.x + + There's a bug in Bugzilla about this + + +
+ + + + +
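Review bot: The configuration example will silently fail as written: the group header is spelled "[myslqd]", and MySQL ignores options in a group it does not recognise, so skip-networking never takes effect. It should read "[mysqld]", and the file is /etc/my.cnf (as the removed installation.xml text had it), not /etc/my.conf. The MySQL 4.x example is a placeholder ("There's a bug in Bugzilla about this") with no instruction at all; either give the option or cite the bug number so readers can follow it. Spelling: "vulnerabilites" should be "vulnerabilities".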
+ + + +
+ Webserver + +
+ Disabling Remote Access to Bugzilla Configuration Files + + There are many files that are placed in the Bugzilla directory + area that should not be accessable from the web. Because of the way + Bugzilla is currently layed out, the list of what should and should not + be accessible is rather complicated. A new installation method is + currently in the works which should solve this by allowing files that + shouldn't be accessible from the web to be placed in directory outside + the webroot. See + bug 44659 + for more information. + + + + Bugzilla ships with the ability to create + .htaccess + files that enforce these rules. Instructions for enabling these + directives in Apache can be found in + + + + + + In the main Bugzilla directory, you should: + + + Block: + + *.pl + *localconfig* + runtests.sh + + + + + But allow: + + localconfig.js + localconfig.rdf + + + + + + + + In data: + + + Block everything + + + But allow: + + duplicates.rdf + + + + + + + + In data/webdot: + + + If you use a remote webdot server: + + + Block everything + + + But allow + + *.dot + + only for the remote webdot server + + + + + Otherwise, if you use a local GraphViz: + + + Block everything + + + But allow: + + *.png + *.gif + *.jpg + *.map + + + + + + + And if you don't use any dot: + + + Block everything + + + + + + + + In Bugzilla: + + + Block everything + + + + + + In template: + + + Block everything + + + + + + Be sure to test that data that should not be accessed remotely is + properly blocked. Of particular intrest is the localconfig file which + contains your database password. Also, be aware that many editors + create temporary and backup files in the working directory and that + those should also not be accessable. For more information, see + bug 186383 + or + Bugtraq ID 6501. + To test, simply point your web browser at the file; for example, to + test mozilla.org's installation, we'd try to access + . You should get + a 403 Forbidden error. 
+ + + + Be sure to check for instructions + specific to the webserver you use. + + + +
+ + +
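Review bot: The block list does not cover the editor backup files the closing paragraph warns about: "*localconfig*" does catch localconfig~ or localconfig.bak, but "*.pl" does not match "foo.pl~" or "foo.pl.bak", and a served backup of a .pl file exposes source just as a served localconfig exposes the password. Either add patterns for backup suffixes or state that the warning applies to every listed file, not only localconfig. For the test at the end, a 404 also shows the file is not being served; what must never appear is the file's content with a 200. Spelling: "accessable" (twice), "layed out", "intrest".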
+ Using <filename>mod_throttle</filename> to Prevent a DOS + + + This section only applies to people who have chosen the Apache + webserver. It may be possible to do similar things with other + webservers. Consult the documentation that came with your webserver + to find out. + + + + It is possible for a user, by mistake or on purpose, to access + the database many times in a row which can result in very slow access + speeds for other users (effectively, a + DOS attack). If your + Bugzilla installation is experiencing this problem, you may install + the Apache module mod_throttle which can limit + connections by IP address. You may download this module at + . + Follow the instructions to install into your Apache install. + The command you need is + ThrottleClientIP. See the + documentation + for more information. +
+ + +
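Review bot: ThrottleClientIP limits by source address, so users behind a shared proxy or NAT are throttled as one; the section should say this so an administrator does not lock out a whole site because a single user looped on a query. The "only functions with the Apache web server" note should also say which Apache version is supported; the module at the linked site targets Apache 1.3, so readers on Apache 2 need to know before they start. "DOS" is conventionally written "DoS".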
+ + +
+ Bugzilla + +
+ Prevent users injecting malicious Javascript + + It is possible for a Bugzilla user to take advantage of character + set encoding ambiguities to inject HTML into Bugzilla comments. This + could include malicious scripts. + Due to internationalization concerns, we are unable to + incorporate by default the code changes suggested by + + the CERT advisory on this issue. + If your installation is for an English speaking audience only, making the + change below will prevent this problem. + + + Simply locate the following line in + Bugzilla/CGI.pm: + $self->charset(''); + and change it to: + $self->charset('ISO-8859-1'); + +
+ +
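Review bot: The section should say why the one-line change works: with no charset in the Content-Type header, the browser guesses the page's encoding, and an attacker can craft comment bytes that decode to script under the guessed encoding; forcing ISO-8859-1 removes the guess. That also makes the stated limitation precise: the fix is only correct when everything stored in the database is Latin-1, otherwise non-Latin-1 comments will render as garbage. One practical caveat worth adding: the edit is to a shipped file (Bugzilla/CGI.pm) and will be lost on upgrade, so it needs to be reapplied.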
+ +
+ + -- cgit v1.2.3-24-g4f1b