<HTML
><HEAD
><TITLE
->The Bugzilla Guide</TITLE
+>The Bugzilla Guide - 2.16.3 Release</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
><A
NAME="AEN2"
></A
->The Bugzilla Guide</H1
+>The Bugzilla Guide - 2.16.3 Release</H1
><H3
CLASS="author"
><A
NAME="AEN9"
></A
>The Bugzilla Team</H3
+><P
+CLASS="pubdate"
+>2003-02-16<BR></P
><DIV
><DIV
CLASS="abstract"
><A
-NAME="AEN13"
+NAME="AEN14"
></A
><P
></P
></DT
><DT
>4-1. <A
-HREF="#AEN989"
+HREF="#AEN924"
>Installing ActivePerl ppd Modules on Microsoft
Windows</A
></DT
><DT
>4-2. <A
-HREF="#AEN1002"
+HREF="#AEN937"
>Installing OpenInteract ppd Modules manually on Microsoft
Windows</A
></DT
><DT
>4-3. <A
-HREF="#AEN1184"
+HREF="#AEN1119"
>Removing encrypt() for Windows NT Bugzilla version 2.12 or
earlier</A
></DT
></A
>1.1. Copyright Information</H1
><A
-NAME="AEN31"
+NAME="AEN32"
></A
><TABLE
BORDER="0"
><P
>Version 1.1, March 2000</P
><A
-NAME="AEN38"
+NAME="AEN39"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
of the License in the document and put the following copyright and
license notices just after the title page:</P
><A
-NAME="AEN128"
+NAME="AEN129"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
></A
>1.3. New Versions</H1
><P
-> This is the 2.16 version of The Bugzilla Guide. It is so named
+> This is the 2.16.3 version of The Bugzilla Guide. It is so named
to match the current version of Bugzilla. If you are
reading this from any source other than those below, please
check one of these mirrors to make sure you are reading an
><DIV
CLASS="informaltable"
><A
-NAME="AEN178"
+NAME="AEN179"
></A
><P
></P
><HR><H2
CLASS="section"
><A
-NAME="AEN434"
+NAME="AEN435"
></A
>3.2.1. Autolinkification</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN463"
+NAME="AEN464"
></A
>3.2.5. Filing Bugs</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN492"
+NAME="AEN493"
></A
>4.1.1. Introduction</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN496"
+NAME="AEN497"
></A
>4.1.2. Package List</H2
><DIV
><HR><H3
CLASS="section"
><A
-NAME="AEN642"
+NAME="AEN643"
></A
>4.1.5.1. DBI</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN645"
+NAME="AEN646"
></A
>4.1.5.2. Data::Dumper</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN648"
+NAME="AEN649"
></A
>4.1.5.3. MySQL-related modules</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN653"
+NAME="AEN654"
></A
>4.1.5.4. TimeDate modules</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN656"
+NAME="AEN657"
></A
>4.1.5.5. GD (optional)</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN663"
+NAME="AEN664"
></A
>4.1.5.6. Chart::Base (optional)</H3
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN666"
+NAME="AEN667"
></A
>4.1.5.7. Template Toolkit</H3
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN669"
+NAME="AEN670"
></A
>4.1.6. HTTP Server</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN688"
+NAME="AEN689"
></A
>4.1.7. Bugzilla</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN705"
+NAME="AEN706"
></A
>4.1.8. Setting Up the MySQL Database</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN741"
+NAME="AEN742"
></A
>4.1.9. <TT
CLASS="filename"
><HR><H2
CLASS="section"
><A
-NAME="AEN773"
-></A
->4.1.10. Securing MySQL</H2
-><P
->If you followed the installation instructions for setting up your
- "bugs" and "root" user in MySQL, much of this should not apply to you.
- If you are upgrading an existing installation of Bugzilla, you should
- pay close attention to this section.</P
-><P
->Most MySQL installs have "interesting" default security
- parameters:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->mysqld defaults to running as root</TD
-></TR
-><TR
-><TD
->it defaults to allowing external network connections</TD
-></TR
-><TR
-><TD
->it has a known port number, and is easy to detect</TD
-></TR
-><TR
-><TD
->it defaults to no passwords whatsoever</TD
-></TR
-><TR
-><TD
->it defaults to allowing "File_Priv"</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->This means anyone from anywhere on the internet can not only drop
- the database with one SQL command, and they can write as root to the
- system.</P
-><P
->To see your permissions do:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->bash#</TT
->
-
- <B
-CLASS="command"
->mysql -u root -p</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->use mysql;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->show tables;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->select * from user;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->select * from db;</B
->
- </TT
->
- </TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->To fix the gaping holes:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->DELETE FROM user WHERE User='';</TD
-></TR
-><TR
-><TD
->UPDATE user SET Password=PASSWORD('new_password') WHERE
- user='root';</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->If you're not running "mit-pthreads" you can use:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->GRANT USAGE ON *.* TO bugs@localhost;</TD
-></TR
-><TR
-><TD
->GRANT ALL ON bugs.* TO bugs@localhost;</TD
-></TR
-><TR
-><TD
->REVOKE DROP ON bugs.* FROM bugs@localhost;</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->With "mit-pthreads" you'll need to modify the "globals.pl"
- Mysql->Connect line to specify a specific host name instead of
- "localhost", and accept external connections:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->GRANT USAGE ON *.* TO bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->GRANT ALL ON bugs.* TO bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->Consider also:
- <P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->Turning off external networking with "--skip-networking",
- unless you have "mit-pthreads", in which case you can't. Without
- networking, MySQL connects with a Unix domain socket.</P
-></LI
-><LI
-><P
->using the --user= option to mysqld to run it as an
- unprivileged user.</P
-></LI
-><LI
-><P
->running MySQL in a chroot jail</P
-></LI
-><LI
-><P
->running the httpd in a chroot jail</P
-></LI
-><LI
-><P
->making sure the MySQL passwords are different from the OS
- passwords (MySQL "root" has nothing to do with system
- "root").</P
-></LI
-><LI
-><P
->running MySQL on a separate untrusted machine</P
-></LI
-><LI
-><P
->making backups ;-)</P
-></LI
-></OL
->
- </P
-></DIV
-><DIV
-CLASS="section"
-><HR><H2
-CLASS="section"
-><A
-NAME="AEN839"
+NAME="AEN774"
></A
->4.1.11. Configuring Bugzilla</H2
+>4.1.10. Configuring Bugzilla</H2
><P
> You should run through the parameters on the Edit Parameters page
(link in the footer) and set them all to appropriate values.
><H2
CLASS="section"
><A
-NAME="AEN845"
+NAME="AEN780"
></A
>4.2.1. Dependency Charts</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN860"
+NAME="AEN795"
></A
>4.2.2. Bug Graphs</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN873"
+NAME="AEN808"
></A
>4.2.3. The Whining Cron</H2
><P
><DIV
CLASS="example"
><A
-NAME="AEN989"
+NAME="AEN924"
></A
><P
><B
<DIV
CLASS="example"
><A
-NAME="AEN1002"
+NAME="AEN937"
></A
><P
><B
><P
>From Andrew Pearson:
<A
-NAME="AEN1172"
+NAME="AEN1107"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
>
for Bugzilla 2.13 and later, which includes the current release,
- Bugzilla &bz-ver;.
+ Bugzilla 2.16.3.
<DIV
CLASS="example"
><A
-NAME="AEN1184"
+NAME="AEN1119"
></A
><P
><B
><HR><H2
CLASS="section"
><A
-NAME="AEN1218"
+NAME="AEN1153"
></A
>4.5.1. Bundle::Bugzilla makes me upgrade to Perl 5.6.1</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN1223"
+NAME="AEN1158"
></A
>4.5.2. DBD::Sponge::db prepare failed</H2
><P
><P
>These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
- of these directions for specific platforms, please submit them to
- <A
-HREF="mailto://mozilla-webtools@mozilla.org"
+ of these directions, please submit a bug to <A
+HREF="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation"
TARGET="_top"
-> mozilla-webtools@mozilla.org</A
->
+>Bugzilla</A
+>.
</P
></TD
></TR
></TABLE
></DIV
+><DIV
+CLASS="warning"
><P
->To secure your installation:
-
- <P
></P
-><OL
-TYPE="1"
-><LI
+><TABLE
+CLASS="warning"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="../images/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
><P
->Ensure you are running at least MysQL version 3.22.32 or newer.
- Earlier versions had notable security holes and (from a security
- point of view) poor default configuration choices.</P
-></LI
+>This is not meant to be a comprehensive list of every possible
+ security issue regarding the tools mentioned in this section. There is
+ no subsitute for reading the information written by the authors of any
+ software running on your system.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="section"
+><HR><H2
+CLASS="section"
+><A
+NAME="security-networking"
+></A
+>5.6.1. TCP/IP Ports</H2
+><P
+>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
+ only needs 1... 2 if you need to use features that require e-mail such
+ as bug moving or the e-mail interface from contrib. You should audit
+ your server and make sure that you aren't listening on any ports you
+ don't need to be. You may also wish to use some kind of firewall
+ software to be sure that trafic can only be recieved on ports you
+ specify.
+ </P
+></DIV
+><DIV
+CLASS="section"
+><HR><H2
+CLASS="section"
+><A
+NAME="security-mysql"
+></A
+>5.6.2. MySQL</H2
+><P
+>MySQL ships by default with many settings that should be changed.
+ By defaults it allows anybody to connect from localhost without a
+ password and have full administrative capabilities. It also defaults to
+ not have a root password (this is <EM
+>not</EM
+> the same as
+ the system root). Also, many installations default to running
+ <SPAN
+CLASS="application"
+>mysqld</SPAN
+> as the system root.
+ </P
+><P
+></P
+><OL
+TYPE="1"
><LI
><P
-> <EM
->There is no substitute for understanding the tools on your
- system!</EM
->
-
- Read
- <A
-HREF="http://www.mysql.com/doc/P/r/Privilege_system.html"
-TARGET="_top"
-> The MySQL Privilege System</A
->
- until you can recite it from memory!</P
+>Make sure you are running at least version 3.22.32 of MySQL
+ as earlier versions had notable security holes.
+ </P
></LI
><LI
><P
->Lock down /etc/inetd.conf. Heck, disable inet entirely on this
- box. It should only listen to port 25 for Sendmail and port 80 for
- Apache.</P
+>Consult the documentation that came with your system for
+ information on making <SPAN
+CLASS="application"
+>mysqld</SPAN
+> run as an
+ unprivleged user.
+ </P
></LI
><LI
><P
->Do not run Apache as
- <SPAN
+>You should also be sure to disable the anonymous user account
+ and set a password for the root user. This is accomplished using the
+ following commands:
+ </P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><FONT
+COLOR="#000000"
+><PRE
+CLASS="programlisting"
+> <TT
+CLASS="prompt"
+>bash$</TT
+> mysql mysql
+<TT
+CLASS="prompt"
+>mysql></TT
+> DELETE FROM user WHERE user = '';
+<TT
+CLASS="prompt"
+>mysql></TT
+> UPDATE user SET password = password('<TT
+CLASS="replaceable"
+><I
+>new_password</I
+></TT
+>') WHERE user = 'root';
+<TT
+CLASS="prompt"
+>mysql></TT
+> FLUSH PRIVILEGES;
+ </PRE
+></FONT
+></TD
+></TR
+></TABLE
+><P
+>From this point forward you will need to use
+ <B
+CLASS="command"
+>mysql -u root -p</B
+> and enter
+ <TT
+CLASS="replaceable"
+><I
+>new_password</I
+></TT
+> when prompted when using the
+ mysql client.
+ </P
+></LI
+><LI
+><P
+>If you run MySQL on the same machine as your httpd server, you
+ should consider disabling networking from within MySQL by adding
+ the following to your <TT
+CLASS="filename"
+>/etc/my.conf</TT
+>:
+ </P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><FONT
+COLOR="#000000"
+><PRE
+CLASS="programlisting"
+> [myslqd]
+# Prevent network access to MySQL.
+skip-networking
+ </PRE
+></FONT
+></TD
+></TR
+></TABLE
+></LI
+><LI
+><P
+>You may also consider running MySQL, or even all of Bugzilla
+ in a chroot jail; however, instructions for doing that are beyond
+ the scope of this document.
+ </P
+></LI
+></OL
+></DIV
+><DIV
+CLASS="section"
+><HR><H2
+CLASS="section"
+><A
+NAME="security-daemon"
+></A
+>5.6.3. Daemon Accounts</H2
+><P
+>Many daemons, such as Apache's httpd and MySQL's mysqld default to
+ running as either <SPAN
+CLASS="QUOTE"
+>"root"</SPAN
+> or <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
->
-
- . This will require very lax permissions in your Bugzilla
- directories. Run it, instead, as a user with a name, set via your
- httpd.conf file.
- <DIV
+>. Running
+ as <SPAN
+CLASS="QUOTE"
+>"root"</SPAN
+> introduces obvious security problems, but the
+ problems introduced by running everything as <SPAN
+CLASS="QUOTE"
+>"nobody"</SPAN
+> may
+ not be so obvious. Basically, if you're running every daemon as
+ <SPAN
+CLASS="QUOTE"
+>"nobody"</SPAN
+> and one of them gets comprimised, they all get
+ comprimised. For this reason it is recommended that you create a user
+ account for each daemon.
+ </P
+><DIV
CLASS="note"
><P
></P
ALIGN="LEFT"
VALIGN="TOP"
><P
-> <SPAN
-CLASS="QUOTE"
->"nobody"</SPAN
->
-
- is a real user on UNIX systems. Having a process run as user id
- <SPAN
-CLASS="QUOTE"
->"nobody"</SPAN
->
-
- is absolutely no protection against system crackers versus using
- any other user account. As a general security measure, I recommend
- you create unique user ID's for each daemon running on your system
- and, if possible, use "chroot" to jail that process away from the
- rest of your system.</P
+>You will need to set the <TT
+CLASS="varname"
+>webservergroup</TT
+> to
+ the group you created for your webserver to run as in
+ <TT
+CLASS="filename"
+>localconfig</TT
+>. This will allow
+ <B
+CLASS="command"
+>./checksetup.pl</B
+> to better adjust the file
+ permissions on your Bugzilla install so as to not require making
+ anything world-writable.
+ </P
></TD
></TR
></TABLE
></DIV
+></DIV
+><DIV
+CLASS="section"
+><HR><H2
+CLASS="section"
+><A
+NAME="security-access"
+></A
+>5.6.4. Web Server Access Controls</H2
+><P
+>There are many files that are placed in the Bugzilla directory
+ area that should not be accessable from the web. Because of the way
+ Bugzilla is currently layed out, the list of what should and should
+ not be accessible is rather complicated. A new installation method
+ is currently in the works which should solve this by allowing files
+ that shouldn't be accessible from the web to be placed in directory
+ outside the webroot. See
+ <A
+HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659"
+TARGET="_top"
+>bug
+ 44659</A
+> for more information.
+ </P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>In the main Bugzilla directory, you should:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block:
+ <TT
+CLASS="filename"
+>*.pl</TT
+>, <TT
+CLASS="filename"
+>*localconfig*</TT
+>, <TT
+CLASS="filename"
+>runtests.sh</TT
+>, <TT
+CLASS="filename"
+>processmail</TT
+>, <TT
+CLASS="filename"
+>syncshadowdb</TT
>
- </P
+ </P
></LI
><LI
><P
->Ensure you have adequate access controls for the
- $BUGZILLA_HOME/data/ directory, as well as the
- $BUGZILLA_HOME/localconfig file.
- The localconfig file stores your "bugs" database account password.
- In addition, some
- files under $BUGZILLA_HOME/data/ store sensitive information.
- </P
+>But allow:
+ <TT
+CLASS="filename"
+>localconfig.js</TT
+>, <TT
+CLASS="filename"
+>localconfig.rdf</TT
+>
+ </P
+></LI
+></UL
+></LI
+><LI
><P
->Bugzilla provides default .htaccess files to protect the most
- common Apache installations. However, you should verify these are
- adequate according to the site-wide security policy of your web
- server, and ensure that the .htaccess files are allowed to
- "override" default permissions set in your Apache configuration
- files. Covering Apache security is beyond the scope of this Guide;
- please consult the Apache documentation for details.</P
+>In <TT
+CLASS="filename"
+>data</TT
+>:</P
><P
->If you are using a web server that does not support the
- .htaccess control method,
- <EM
->you are at risk!</EM
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow:
+ <TT
+CLASS="filename"
+>duplicates.rdf</TT
>
-
- After installing, check to see if you can view the file
- "localconfig" in your web browser (e.g.:
- <A
-HREF="http://bugzilla.mozilla.org/localconfig"
-TARGET="_top"
-> http://bugzilla.mozilla.org/localconfig</A
+ </P
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>data/webdot</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>If you use a remote webdot server:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow
+ <TT
+CLASS="filename"
+>*.dot</TT
>
-
- ). If you can read the contents of this file, your web server has
- not secured your bugzilla directory properly and you must fix this
- problem before deploying Bugzilla. If, however, it gives you a
- "Forbidden" error, then it probably respects the .htaccess
- conventions and you are good to go.</P
+ only for the remote webdot server</P
+></LI
+></UL
+></LI
+><LI
><P
->When you run checksetup.pl, the script will attempt to modify
- various permissions on files which Bugzilla uses. If you do not have
- a webservergroup set in the localconfig file, then Bugzilla will have
- to make certain files world readable and/or writable.
- <EM
->THIS IS INSECURE!</EM
+>Otherwise, if you use a local GraphViz:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow:
+ <TT
+CLASS="filename"
+>*.png</TT
+>, <TT
+CLASS="filename"
+>*.gif</TT
+>, <TT
+CLASS="filename"
+>*.jpg</TT
+>, <TT
+CLASS="filename"
+>*.map</TT
>
-
- . This means that anyone who can get access to your system can do
- whatever they want to your Bugzilla installation.</P
+ </P
+></LI
+></UL
+></LI
+><LI
+><P
+>And if you don't use any dot:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>Bugzilla</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>template</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+></UL
><DIV
-CLASS="note"
+CLASS="tip"
><P
></P
><TABLE
-CLASS="note"
+CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
ALIGN="CENTER"
VALIGN="TOP"
><IMG
-SRC="../images/note.gif"
+SRC="../images/tip.gif"
HSPACE="5"
-ALT="Note"></TD
+ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
->This also means that if your webserver runs all cgi scripts
- as the same user/group, anyone on the system who can run cgi
- scripts will be able to take control of your Bugzilla
- installation.</P
+>Bugzilla ships with the ability to generate
+ <TT
+CLASS="filename"
+>.htaccess</TT
+> files instructing Apache which files
+ should and should not be accessible.
+ </P
></TD
></TR
></TABLE
></DIV
><P
->On Apache, you can use .htaccess files to protect access to
- these directories, as outlined in
- <A
-HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161"
-TARGET="_top"
->Bug
- 57161</A
->
-
- for the localconfig file, and
- <A
-HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572"
+>You should test to make sure that the files mentioned above are
+ not accessible from the Internet, especially your
+ <TT
+CLASS="filename"
+>localconfig</TT
+> file which contains your database
+ password. To test, simply point your web browser at the file; for
+ example, to test mozilla.org's installation, we'd try to access
+ <A
+HREF="http://bugzilla.mozilla.org/localconfig"
TARGET="_top"
->Bug
- 65572</A
+>http://bugzilla.mozilla.org/localconfig</A
+>. You should
+ get a <SPAN
+CLASS="errorcode"
+>403</SPAN
+> <SPAN
+CLASS="errorname"
+>Forbidden</SPAN
>
-
- for adequate protection in your data/ directory.</P
-><P
->Note the instructions which follow are Apache-specific. If you
- use IIS, Netscape, or other non-Apache web servers, please consult
- your system documentation for how to secure these files from being
- transmitted to curious users.</P
+ error.
+ </P
+><DIV
+CLASS="caution"
><P
->Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/data directory.
- <P
-CLASS="literallayout"
-><Files comments> allow from all </Files><br>
- deny from all</P
->
- </P
+></P
+><TABLE
+CLASS="caution"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="../images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
><P
->Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/ directory.
- <P
-CLASS="literallayout"
-><Files localconfig> deny from all </Files><br>
- allow from all</P
->
+>Not following the instructions in this section, including
+ testing, may result in sensitive information being globally
+ accessible.
</P
-></LI
-></OL
->
- </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
-NAME="AEN1539"
+NAME="AEN1581"
></A
>5.7.1. What to Edit</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN1558"
+NAME="AEN1600"
></A
>5.7.2. How To Edit Templates</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN1568"
+NAME="AEN1610"
></A
>5.7.3. Template Formats</H2
><P
><HR><H2
CLASS="section"
><A
-NAME="AEN1581"
+NAME="AEN1623"
></A
>5.7.4. Particular Templates</H2
><P
><DL
><DT
>A.1.1. <A
-HREF="#AEN1724"
+HREF="#AEN1766"
> Where can I find information about Bugzilla?</A
></DT
><DT
>A.1.2. <A
-HREF="#AEN1730"
+HREF="#AEN1772"
> What license is Bugzilla distributed under?
</A
></DT
><DT
>A.1.3. <A
-HREF="#AEN1736"
+HREF="#AEN1778"
> How do I get commercial support for Bugzilla?
</A
></DT
><DT
>A.1.4. <A
-HREF="#AEN1743"
+HREF="#AEN1785"
> What major companies or projects are currently using Bugzilla
for bug-tracking?
</A
></DT
><DT
>A.1.5. <A
-HREF="#AEN1768"
+HREF="#AEN1810"
> Who maintains Bugzilla?
</A
></DT
><DT
>A.1.6. <A
-HREF="#AEN1774"
+HREF="#AEN1816"
> How does Bugzilla stack up against other bug-tracking databases?
</A
></DT
><DT
>A.1.7. <A
-HREF="#AEN1780"
+HREF="#AEN1822"
> Why doesn't Bugzilla offer this or that feature or compatability
with this other tracking software?
</A
></DT
><DT
>A.1.8. <A
-HREF="#AEN1787"
+HREF="#AEN1829"
> Why MySQL? I'm interested in seeing Bugzilla run on
Oracle/Sybase/Msql/PostgreSQL/MSSQL.
</A
></DT
><DT
>A.1.9. <A
-HREF="#AEN1792"
+HREF="#AEN1834"
> Why do the scripts say "/usr/bonsaitools/bin/perl" instead of
"/usr/bin/perl" or something else?
</A
></DT
><DT
>A.1.10. <A
-HREF="#AEN1798"
+HREF="#AEN1840"
> Is there an easy way to change the Bugzilla cookie name?
</A
></DT
><DL
><DT
>A.2.1. <A
-HREF="#AEN1808"
+HREF="#AEN1850"
> Is Bugzilla web-based, or do you have to have specific software or
a specific operating system on your machine?
</A
></DT
><DT
>A.2.2. <A
-HREF="#AEN1813"
+HREF="#AEN1855"
> Can Bugzilla integrate with
Perforce (SCM software)?
</A
></DT
><DT
>A.2.3. <A
-HREF="#AEN1818"
+HREF="#AEN1860"
> Does Bugzilla allow the user to track multiple projects?
</A
></DT
><DT
>A.2.4. <A
-HREF="#AEN1823"
+HREF="#AEN1865"
> If I am on many projects, and search for all bugs assigned to me, will
Bugzilla list them for me and allow me to sort by project, severity etc?
</A
></DT
><DT
>A.2.5. <A
-HREF="#AEN1828"
+HREF="#AEN1870"
> Does Bugzilla allow attachments (text, screenshots, URLs etc)? If yes,
are there any that are NOT allowed?
</A
></DT
><DT
>A.2.6. <A
-HREF="#AEN1833"
+HREF="#AEN1875"
> Does Bugzilla allow us to define our own priorities and levels? Do we
have complete freedom to change the labels of fields and format of them, and
the choice of acceptable values?
></DT
><DT
>A.2.7. <A
-HREF="#AEN1840"
+HREF="#AEN1882"
> Does Bugzilla provide any reporting features, metrics, graphs, etc? You
know, the type of stuff that management likes to see. :)
</A
></DT
><DT
>A.2.8. <A
-HREF="#AEN1847"
+HREF="#AEN1889"
> Is there email notification and if so, what do you see when you get an
email?
</A
></DT
><DT
>A.2.9. <A
-HREF="#AEN1852"
+HREF="#AEN1894"
> Can email notification be set up to send to multiple
people, some on the To List, CC List, BCC List etc?
</A
></DT
><DT
>A.2.10. <A
-HREF="#AEN1857"
+HREF="#AEN1899"
> Do users have to have any particular
type of email application?
</A
></DT
><DT
>A.2.11. <A
-HREF="#AEN1864"
+HREF="#AEN1906"
> Does Bugzilla allow data to be imported and exported? If I had outsiders
write up a bug report using a MS Word bug template, could that template be
imported into "matching" fields? If I wanted to take the results of a query
></DT
><DT
>A.2.12. <A
-HREF="#AEN1872"
+HREF="#AEN1914"
> Has anyone converted Bugzilla to another language to be used in other
countries? Is it localizable?
</A
></DT
><DT
>A.2.13. <A
-HREF="#AEN1877"
+HREF="#AEN1919"
> Can a user create and save reports? Can they do this in Word format?
Excel format?
</A
></DT
><DT
>A.2.14. <A
-HREF="#AEN1882"
+HREF="#AEN1924"
> Does Bugzilla have the ability to search by word, phrase, compound
search?
</A
></DT
><DT
>A.2.15. <A
-HREF="#AEN1887"
+HREF="#AEN1929"
> Does Bugzilla provide record locking when there is simultaneous access
to the same bug? Does the second person get a notice that the bug is in use
or how are they notified?
></DT
><DT
>A.2.16. <A
-HREF="#AEN1892"
+HREF="#AEN1934"
> Are there any backup features provided?
</A
></DT
><DT
>A.2.17. <A
-HREF="#AEN1898"
+HREF="#AEN1940"
> Can users be on the system while a backup is in progress?
</A
></DT
><DT
>A.2.18. <A
-HREF="#AEN1903"
+HREF="#AEN1945"
> What type of human resources are needed to be on staff to install and
maintain Bugzilla? Specifically, what type of skills does the person need to
have? I need to find out if we were to go with Bugzilla, what types of
></DT
><DT
>A.2.19. <A
-HREF="#AEN1909"
+HREF="#AEN1951"
> What time frame are we looking at if we decide to hire people to install
and maintain the Bugzilla? Is this something that takes hours or weeks to
install and a couple of hours per week to maintain and customize or is this
></DT
><DT
>A.2.20. <A
-HREF="#AEN1914"
+HREF="#AEN1956"
> Is there any licensing fee or other fees for using Bugzilla? Any
out-of-pocket cost other than the bodies needed as identified above?
</A
><DL
><DT
>A.3.1. <A
-HREF="#AEN1921"
+HREF="#AEN1963"
> How do I completely disable MySQL security if it's giving me problems
(I've followed the instructions in the installation section of this guide)?
</A
></DT
><DT
>A.3.2. <A
-HREF="#AEN1927"
+HREF="#AEN1969"
> Are there any security problems with Bugzilla?
</A
></DT
><DT
>A.3.3. <A
-HREF="#AEN1932"
+HREF="#AEN1974"
> I've implemented the security fixes mentioned in Chris Yeh's security
advisory of 5/10/2000 advising not to run MySQL as root, and am running into
problems with MySQL no longer working correctly.
><DL
><DT
>A.4.1. <A
-HREF="#AEN1939"
+HREF="#AEN1981"
> I have a user who doesn't want to receive any more email from Bugzilla.
How do I stop it entirely for this user?
</A
></DT
><DT
>A.4.2. <A
-HREF="#AEN1944"
+HREF="#AEN1986"
> I'm evaluating/testing Bugzilla, and don't want it to send email to
anyone but me. How do I do it?
</A
></DT
><DT
>A.4.3. <A
-HREF="#AEN1949"
+HREF="#AEN1991"
> I want whineatnews.pl to whine at something more, or other than, only new
bugs. How do I do it?
</A
></DT
><DT
>A.4.4. <A
-HREF="#AEN1955"
+HREF="#AEN1997"
> I don't like/want to use Procmail to hand mail off to bug_email.pl.
What alternatives do I have?
</A
></DT
><DT
>A.4.5. <A
-HREF="#AEN1962"
+HREF="#AEN2004"
> How do I set up the email interface to submit/change bugs via email?
</A
></DT
><DT
>A.4.6. <A
-HREF="#AEN1967"
+HREF="#AEN2009"
> Email takes FOREVER to reach me from Bugzilla -- it's extremely slow.
What gives?
</A
></DT
><DT
>A.4.7. <A
-HREF="#AEN1974"
+HREF="#AEN2016"
> How come email from Bugzilla changes never reaches me?
</A
></DT
><DL
><DT
>A.5.1. <A
-HREF="#AEN1982"
+HREF="#AEN2024"
> I've heard Bugzilla can be used with Oracle?
</A
></DT
><DT
>A.5.2. <A
-HREF="#AEN1987"
+HREF="#AEN2029"
> I think my database might be corrupted, or contain invalid entries. What
do I do?
</A
></DT
><DT
>A.5.3. <A
-HREF="#AEN1995"
+HREF="#AEN2037"
> I want to manually edit some entries in my database. How?
</A
></DT
><DT
>A.5.4. <A
-HREF="#AEN2000"
+HREF="#AEN2042"
> I try to add myself as a user, but Bugzilla always tells me my password is wrong.
</A
></DT
><DT
>A.5.5. <A
-HREF="#AEN2005"
+HREF="#AEN2047"
> I think I've set up MySQL permissions correctly, but Bugzilla still can't
connect.
</A
></DT
><DT
>A.5.6. <A
-HREF="#AEN2010"
+HREF="#AEN2052"
> How do I synchronize bug information among multiple different Bugzilla
databases?
</A
><DL
><DT
>A.6.1. <A
-HREF="#AEN2019"
+HREF="#AEN2061"
> What is the easiest way to run Bugzilla on Win32 (Win98+/NT/2K)?
</A
></DT
><DT
>A.6.2. <A
-HREF="#AEN2024"
+HREF="#AEN2066"
> Is there a "Bundle::Bugzilla" equivalent for Win32?
</A
></DT
><DT
>A.6.3. <A
-HREF="#AEN2029"
+HREF="#AEN2071"
> CGI's are failing with a "something.cgi is not a valid Windows NT
application" error. Why?
</A
></DT
><DT
>A.6.4. <A
-HREF="#AEN2037"
+HREF="#AEN2079"
> I'm having trouble with the perl modules for NT not being able to talk to
to the database.
</A
><DL
><DT
>A.7.1. <A
-HREF="#AEN2058"
+HREF="#AEN2100"
> How do I change my user name (email address) in Bugzilla?
</A
></DT
><DT
>A.7.2. <A
-HREF="#AEN2063"
+HREF="#AEN2105"
> The query page is very confusing. Isn't there a simpler way to query?
</A
></DT
><DT
>A.7.3. <A
-HREF="#AEN2068"
+HREF="#AEN2110"
> I'm confused by the behavior of the "accept" button in the Show Bug form.
Why doesn't it assign the bug to me when I accept it?
</A
></DT
><DT
>A.7.4. <A
-HREF="#AEN2078"
+HREF="#AEN2120"
> I can't upload anything into the database via the "Create Attachment"
link. What am I doing wrong?
</A
></DT
><DT
>A.7.5. <A
-HREF="#AEN2083"
+HREF="#AEN2125"
> Email submissions to Bugzilla that have attachments end up asking me to
save it as a "cgi" file.
</A
></DT
><DT
>A.7.6. <A
-HREF="#AEN2088"
+HREF="#AEN2130"
> How do I change a keyword in Bugzilla, once some bugs are using it?
</A
></DT
><DL
><DT
>A.8.1. <A
-HREF="#AEN2095"
+HREF="#AEN2137"
> What bugs are in Bugzilla right now?
</A
></DT
><DT
>A.8.2. <A
-HREF="#AEN2104"
+HREF="#AEN2146"
> How can I change the default priority to a null value? For instance, have the default
priority be "---" instead of "P2"?
</A
></DT
><DT
>A.8.3. <A
-HREF="#AEN2110"
+HREF="#AEN2152"
> What's the best way to submit patches? What guidelines should I follow?
</A
></DT
CLASS="question"
><P
><A
-NAME="AEN1724"
+NAME="AEN1766"
></A
><B
>A.1.1. </B
CLASS="question"
><P
><A
-NAME="AEN1730"
+NAME="AEN1772"
></A
><B
>A.1.2. </B
CLASS="question"
><P
><A
-NAME="AEN1736"
+NAME="AEN1778"
></A
><B
>A.1.3. </B
CLASS="question"
><P
><A
-NAME="AEN1743"
+NAME="AEN1785"
></A
><B
>A.1.4. </B
CLASS="question"
><P
><A
-NAME="AEN1768"
+NAME="AEN1810"
></A
><B
>A.1.5. </B
CLASS="question"
><P
><A
-NAME="AEN1774"
+NAME="AEN1816"
></A
><B
>A.1.6. </B
CLASS="question"
><P
><A
-NAME="AEN1780"
+NAME="AEN1822"
></A
><B
>A.1.7. </B
CLASS="question"
><P
><A
-NAME="AEN1787"
+NAME="AEN1829"
></A
><B
>A.1.8. </B
CLASS="question"
><P
><A
-NAME="AEN1792"
+NAME="AEN1834"
></A
><B
>A.1.9. </B
CLASS="question"
><P
><A
-NAME="AEN1798"
+NAME="AEN1840"
></A
><B
>A.1.10. </B
CLASS="question"
><P
><A
-NAME="AEN1808"
+NAME="AEN1850"
></A
><B
>A.2.1. </B
CLASS="question"
><P
><A
-NAME="AEN1813"
+NAME="AEN1855"
></A
><B
>A.2.2. </B
CLASS="question"
><P
><A
-NAME="AEN1818"
+NAME="AEN1860"
></A
><B
>A.2.3. </B
CLASS="question"
><P
><A
-NAME="AEN1823"
+NAME="AEN1865"
></A
><B
>A.2.4. </B
CLASS="question"
><P
><A
-NAME="AEN1828"
+NAME="AEN1870"
></A
><B
>A.2.5. </B
CLASS="question"
><P
><A
-NAME="AEN1833"
+NAME="AEN1875"
></A
><B
>A.2.6. </B
CLASS="question"
><P
><A
-NAME="AEN1840"
+NAME="AEN1882"
></A
><B
>A.2.7. </B
CLASS="question"
><P
><A
-NAME="AEN1847"
+NAME="AEN1889"
></A
><B
>A.2.8. </B
CLASS="question"
><P
><A
-NAME="AEN1852"
+NAME="AEN1894"
></A
><B
>A.2.9. </B
CLASS="question"
><P
><A
-NAME="AEN1857"
+NAME="AEN1899"
></A
><B
>A.2.10. </B
CLASS="question"
><P
><A
-NAME="AEN1864"
+NAME="AEN1906"
></A
><B
>A.2.11. </B
CLASS="question"
><P
><A
-NAME="AEN1872"
+NAME="AEN1914"
></A
><B
>A.2.12. </B
CLASS="question"
><P
><A
-NAME="AEN1877"
+NAME="AEN1919"
></A
><B
>A.2.13. </B
CLASS="question"
><P
><A
-NAME="AEN1882"
+NAME="AEN1924"
></A
><B
>A.2.14. </B
CLASS="question"
><P
><A
-NAME="AEN1887"
+NAME="AEN1929"
></A
><B
>A.2.15. </B
CLASS="question"
><P
><A
-NAME="AEN1892"
+NAME="AEN1934"
></A
><B
>A.2.16. </B
CLASS="question"
><P
><A
-NAME="AEN1898"
+NAME="AEN1940"
></A
><B
>A.2.17. </B
CLASS="question"
><P
><A
-NAME="AEN1903"
+NAME="AEN1945"
></A
><B
>A.2.18. </B
CLASS="question"
><P
><A
-NAME="AEN1909"
+NAME="AEN1951"
></A
><B
>A.2.19. </B
CLASS="question"
><P
><A
-NAME="AEN1914"
+NAME="AEN1956"
></A
><B
>A.2.20. </B
CLASS="question"
><P
><A
-NAME="AEN1921"
+NAME="AEN1963"
></A
><B
>A.3.1. </B
CLASS="question"
><P
><A
-NAME="AEN1927"
+NAME="AEN1969"
></A
><B
>A.3.2. </B
CLASS="question"
><P
><A
-NAME="AEN1932"
+NAME="AEN1974"
></A
><B
>A.3.3. </B
CLASS="question"
><P
><A
-NAME="AEN1939"
+NAME="AEN1981"
></A
><B
>A.4.1. </B
CLASS="question"
><P
><A
-NAME="AEN1944"
+NAME="AEN1986"
></A
><B
>A.4.2. </B
CLASS="question"
><P
><A
-NAME="AEN1949"
+NAME="AEN1991"
></A
><B
>A.4.3. </B
CLASS="question"
><P
><A
-NAME="AEN1955"
+NAME="AEN1997"
></A
><B
>A.4.4. </B
You can call bug_email.pl directly from your aliases file, with
an entry like this:
<A
-NAME="AEN1959"
+NAME="AEN2001"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
CLASS="question"
><P
><A
-NAME="AEN1962"
+NAME="AEN2004"
></A
><B
>A.4.5. </B
CLASS="question"
><P
><A
-NAME="AEN1967"
+NAME="AEN2009"
></A
><B
>A.4.6. </B
CLASS="question"
><P
><A
-NAME="AEN1974"
+NAME="AEN2016"
></A
><B
>A.4.7. </B
CLASS="question"
><P
><A
-NAME="AEN1982"
+NAME="AEN2024"
></A
><B
>A.5.1. </B
CLASS="question"
><P
><A
-NAME="AEN1987"
+NAME="AEN2029"
></A
><B
>A.5.2. </B
CLASS="question"
><P
><A
-NAME="AEN1995"
+NAME="AEN2037"
></A
><B
>A.5.3. </B
CLASS="question"
><P
><A
-NAME="AEN2000"
+NAME="AEN2042"
></A
><B
>A.5.4. </B
CLASS="question"
><P
><A
-NAME="AEN2005"
+NAME="AEN2047"
></A
><B
>A.5.5. </B
CLASS="question"
><P
><A
-NAME="AEN2010"
+NAME="AEN2052"
></A
><B
>A.5.6. </B
CLASS="question"
><P
><A
-NAME="AEN2019"
+NAME="AEN2061"
></A
><B
>A.6.1. </B
CLASS="question"
><P
><A
-NAME="AEN2024"
+NAME="AEN2066"
></A
><B
>A.6.2. </B
CLASS="question"
><P
><A
-NAME="AEN2029"
+NAME="AEN2071"
></A
><B
>A.6.3. </B
><P
> Microsoft has some advice on this matter, as well:
<A
-NAME="AEN2034"
+NAME="AEN2076"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
CLASS="question"
><P
><A
-NAME="AEN2037"
+NAME="AEN2079"
></A
><B
>A.6.4. </B
CLASS="question"
><P
><A
-NAME="AEN2058"
+NAME="AEN2100"
></A
><B
>A.7.1. </B
CLASS="question"
><P
><A
-NAME="AEN2063"
+NAME="AEN2105"
></A
><B
>A.7.2. </B
CLASS="question"
><P
><A
-NAME="AEN2068"
+NAME="AEN2110"
></A
><B
>A.7.3. </B
CLASS="question"
><P
><A
-NAME="AEN2078"
+NAME="AEN2120"
></A
><B
>A.7.4. </B
CLASS="question"
><P
><A
-NAME="AEN2083"
+NAME="AEN2125"
></A
><B
>A.7.5. </B
CLASS="question"
><P
><A
-NAME="AEN2088"
+NAME="AEN2130"
></A
><B
>A.7.6. </B
CLASS="question"
><P
><A
-NAME="AEN2095"
+NAME="AEN2137"
></A
><B
>A.8.1. </B
CLASS="question"
><P
><A
-NAME="AEN2104"
+NAME="AEN2146"
></A
><B
>A.8.2. </B
CLASS="question"
><P
><A
-NAME="AEN2110"
+NAME="AEN2152"
></A
><B
>A.8.3. </B
><HR><H2
CLASS="section"
><A
-NAME="AEN2152"
+NAME="AEN2194"
></A
>B.2.1. Bugzilla Database Basics</H2
><P
><HR><H3
CLASS="section"
><A
-NAME="AEN2179"
+NAME="AEN2221"
></A
>B.2.1.1. Bugzilla Database Tables</H3
><P
><H1
CLASS="glossdiv"
><A
-NAME="AEN2258"
+NAME="AEN2300"
></A
>0-9, high ascii</H1
><DL
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="NEXT"
TITLE="Copyright Information"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->The Bugzilla Guide</TD
+>The Bugzilla Guide - 2.16.3 Release</TD
><TD
WIDTH="34%"
ALIGN="center"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Troubleshooting"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
HREF="security.html"
>Bugzilla Security</A
></DT
+><DD
+><DL
+><DT
+>5.6.1. <A
+HREF="security.html#security-networking"
+>TCP/IP Ports</A
+></DT
+><DT
+>5.6.2. <A
+HREF="security.html#security-mysql"
+>MySQL</A
+></DT
+><DT
+>5.6.3. <A
+HREF="security.html#security-daemon"
+>Daemon Accounts</A
+></DT
+><DT
+>5.6.4. <A
+HREF="security.html#security-access"
+>Web Server Access Controls</A
+></DT
+></DL
+></DD
><DT
>5.7. <A
HREF="cust-templates.html"
><DL
><DT
>5.7.1. <A
-HREF="cust-templates.html#AEN1539"
+HREF="cust-templates.html#AEN1581"
>What to Edit</A
></DT
><DT
>5.7.2. <A
-HREF="cust-templates.html#AEN1558"
+HREF="cust-templates.html#AEN1600"
>How To Edit Templates</A
></DT
><DT
>5.7.3. <A
-HREF="cust-templates.html#AEN1568"
+HREF="cust-templates.html#AEN1610"
>Template Formats</A
></DT
><DT
>5.7.4. <A
-HREF="cust-templates.html#AEN1581"
+HREF="cust-templates.html#AEN1623"
>Particular Templates</A
></DT
></DL
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Useful Patches and Utilities for Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="About This Guide"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><DIV
CLASS="informaltable"
><A
-NAME="AEN178"
+NAME="AEN179"
></A
><P
></P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="About This Guide"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
></A
>1.1. Copyright Information</H1
><A
-NAME="AEN31"
+NAME="AEN32"
></A
><TABLE
BORDER="0"
><P
>Version 1.1, March 2000</P
><A
-NAME="AEN38"
+NAME="AEN39"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
of the License in the document and put the following copyright and
license notices just after the title page:</P
><A
-NAME="AEN128"
+NAME="AEN129"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="About This Guide"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN1539"
+NAME="AEN1581"
></A
>5.7.1. What to Edit</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN1558"
+NAME="AEN1600"
></A
>5.7.2. How To Edit Templates</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN1568"
+NAME="AEN1610"
></A
>5.7.3. Template Formats</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN1581"
+NAME="AEN1623"
></A
>5.7.4. Particular Templates</H2
><P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="The Bugzilla FAQ"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="The Bugzilla Database"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN2152"
+NAME="AEN2194"
></A
>B.2.1. Bugzilla Database Basics</H2
><P
><H3
CLASS="section"
><A
-NAME="AEN2179"
+NAME="AEN2221"
></A
>B.2.1.1. Bugzilla Database Tables</H3
><P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="The Bugzilla Database"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="About This Guide"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installation"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN845"
+NAME="AEN780"
></A
>4.2.1. Dependency Charts</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN860"
+NAME="AEN795"
></A
>4.2.2. Bug Graphs</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN873"
+NAME="AEN808"
></A
>4.2.3. The Whining Cron</H2
><P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Integrating Bugzilla with Third-Party Tools"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><DL
><DT
>A.1.1. <A
-HREF="faq.html#AEN1724"
+HREF="faq.html#AEN1766"
> Where can I find information about Bugzilla?</A
></DT
><DT
>A.1.2. <A
-HREF="faq.html#AEN1730"
+HREF="faq.html#AEN1772"
> What license is Bugzilla distributed under?
</A
></DT
><DT
>A.1.3. <A
-HREF="faq.html#AEN1736"
+HREF="faq.html#AEN1778"
> How do I get commercial support for Bugzilla?
</A
></DT
><DT
>A.1.4. <A
-HREF="faq.html#AEN1743"
+HREF="faq.html#AEN1785"
> What major companies or projects are currently using Bugzilla
for bug-tracking?
</A
></DT
><DT
>A.1.5. <A
-HREF="faq.html#AEN1768"
+HREF="faq.html#AEN1810"
> Who maintains Bugzilla?
</A
></DT
><DT
>A.1.6. <A
-HREF="faq.html#AEN1774"
+HREF="faq.html#AEN1816"
> How does Bugzilla stack up against other bug-tracking databases?
</A
></DT
><DT
>A.1.7. <A
-HREF="faq.html#AEN1780"
+HREF="faq.html#AEN1822"
> Why doesn't Bugzilla offer this or that feature or compatability
with this other tracking software?
</A
></DT
><DT
>A.1.8. <A
-HREF="faq.html#AEN1787"
+HREF="faq.html#AEN1829"
> Why MySQL? I'm interested in seeing Bugzilla run on
Oracle/Sybase/Msql/PostgreSQL/MSSQL.
</A
></DT
><DT
>A.1.9. <A
-HREF="faq.html#AEN1792"
+HREF="faq.html#AEN1834"
> Why do the scripts say "/usr/bonsaitools/bin/perl" instead of
"/usr/bin/perl" or something else?
</A
></DT
><DT
>A.1.10. <A
-HREF="faq.html#AEN1798"
+HREF="faq.html#AEN1840"
> Is there an easy way to change the Bugzilla cookie name?
</A
></DT
><DL
><DT
>A.2.1. <A
-HREF="faq.html#AEN1808"
+HREF="faq.html#AEN1850"
> Is Bugzilla web-based, or do you have to have specific software or
a specific operating system on your machine?
</A
></DT
><DT
>A.2.2. <A
-HREF="faq.html#AEN1813"
+HREF="faq.html#AEN1855"
> Can Bugzilla integrate with
Perforce (SCM software)?
</A
></DT
><DT
>A.2.3. <A
-HREF="faq.html#AEN1818"
+HREF="faq.html#AEN1860"
> Does Bugzilla allow the user to track multiple projects?
</A
></DT
><DT
>A.2.4. <A
-HREF="faq.html#AEN1823"
+HREF="faq.html#AEN1865"
> If I am on many projects, and search for all bugs assigned to me, will
Bugzilla list them for me and allow me to sort by project, severity etc?
</A
></DT
><DT
>A.2.5. <A
-HREF="faq.html#AEN1828"
+HREF="faq.html#AEN1870"
> Does Bugzilla allow attachments (text, screenshots, URLs etc)? If yes,
are there any that are NOT allowed?
</A
></DT
><DT
>A.2.6. <A
-HREF="faq.html#AEN1833"
+HREF="faq.html#AEN1875"
> Does Bugzilla allow us to define our own priorities and levels? Do we
have complete freedom to change the labels of fields and format of them, and
the choice of acceptable values?
></DT
><DT
>A.2.7. <A
-HREF="faq.html#AEN1840"
+HREF="faq.html#AEN1882"
> Does Bugzilla provide any reporting features, metrics, graphs, etc? You
know, the type of stuff that management likes to see. :)
</A
></DT
><DT
>A.2.8. <A
-HREF="faq.html#AEN1847"
+HREF="faq.html#AEN1889"
> Is there email notification and if so, what do you see when you get an
email?
</A
></DT
><DT
>A.2.9. <A
-HREF="faq.html#AEN1852"
+HREF="faq.html#AEN1894"
> Can email notification be set up to send to multiple
people, some on the To List, CC List, BCC List etc?
</A
></DT
><DT
>A.2.10. <A
-HREF="faq.html#AEN1857"
+HREF="faq.html#AEN1899"
> Do users have to have any particular
type of email application?
</A
></DT
><DT
>A.2.11. <A
-HREF="faq.html#AEN1864"
+HREF="faq.html#AEN1906"
> Does Bugzilla allow data to be imported and exported? If I had outsiders
write up a bug report using a MS Word bug template, could that template be
imported into "matching" fields? If I wanted to take the results of a query
></DT
><DT
>A.2.12. <A
-HREF="faq.html#AEN1872"
+HREF="faq.html#AEN1914"
> Has anyone converted Bugzilla to another language to be used in other
countries? Is it localizable?
</A
></DT
><DT
>A.2.13. <A
-HREF="faq.html#AEN1877"
+HREF="faq.html#AEN1919"
> Can a user create and save reports? Can they do this in Word format?
Excel format?
</A
></DT
><DT
>A.2.14. <A
-HREF="faq.html#AEN1882"
+HREF="faq.html#AEN1924"
> Does Bugzilla have the ability to search by word, phrase, compound
search?
</A
></DT
><DT
>A.2.15. <A
-HREF="faq.html#AEN1887"
+HREF="faq.html#AEN1929"
> Does Bugzilla provide record locking when there is simultaneous access
to the same bug? Does the second person get a notice that the bug is in use
or how are they notified?
></DT
><DT
>A.2.16. <A
-HREF="faq.html#AEN1892"
+HREF="faq.html#AEN1934"
> Are there any backup features provided?
</A
></DT
><DT
>A.2.17. <A
-HREF="faq.html#AEN1898"
+HREF="faq.html#AEN1940"
> Can users be on the system while a backup is in progress?
</A
></DT
><DT
>A.2.18. <A
-HREF="faq.html#AEN1903"
+HREF="faq.html#AEN1945"
> What type of human resources are needed to be on staff to install and
maintain Bugzilla? Specifically, what type of skills does the person need to
have? I need to find out if we were to go with Bugzilla, what types of
></DT
><DT
>A.2.19. <A
-HREF="faq.html#AEN1909"
+HREF="faq.html#AEN1951"
> What time frame are we looking at if we decide to hire people to install
and maintain the Bugzilla? Is this something that takes hours or weeks to
install and a couple of hours per week to maintain and customize or is this
></DT
><DT
>A.2.20. <A
-HREF="faq.html#AEN1914"
+HREF="faq.html#AEN1956"
> Is there any licensing fee or other fees for using Bugzilla? Any
out-of-pocket cost other than the bodies needed as identified above?
</A
><DL
><DT
>A.3.1. <A
-HREF="faq.html#AEN1921"
+HREF="faq.html#AEN1963"
> How do I completely disable MySQL security if it's giving me problems
(I've followed the instructions in the installation section of this guide)?
</A
></DT
><DT
>A.3.2. <A
-HREF="faq.html#AEN1927"
+HREF="faq.html#AEN1969"
> Are there any security problems with Bugzilla?
</A
></DT
><DT
>A.3.3. <A
-HREF="faq.html#AEN1932"
+HREF="faq.html#AEN1974"
> I've implemented the security fixes mentioned in Chris Yeh's security
advisory of 5/10/2000 advising not to run MySQL as root, and am running into
problems with MySQL no longer working correctly.
><DL
><DT
>A.4.1. <A
-HREF="faq.html#AEN1939"
+HREF="faq.html#AEN1981"
> I have a user who doesn't want to receive any more email from Bugzilla.
How do I stop it entirely for this user?
</A
></DT
><DT
>A.4.2. <A
-HREF="faq.html#AEN1944"
+HREF="faq.html#AEN1986"
> I'm evaluating/testing Bugzilla, and don't want it to send email to
anyone but me. How do I do it?
</A
></DT
><DT
>A.4.3. <A
-HREF="faq.html#AEN1949"
+HREF="faq.html#AEN1991"
> I want whineatnews.pl to whine at something more, or other than, only new
bugs. How do I do it?
</A
></DT
><DT
>A.4.4. <A
-HREF="faq.html#AEN1955"
+HREF="faq.html#AEN1997"
> I don't like/want to use Procmail to hand mail off to bug_email.pl.
What alternatives do I have?
</A
></DT
><DT
>A.4.5. <A
-HREF="faq.html#AEN1962"
+HREF="faq.html#AEN2004"
> How do I set up the email interface to submit/change bugs via email?
</A
></DT
><DT
>A.4.6. <A
-HREF="faq.html#AEN1967"
+HREF="faq.html#AEN2009"
> Email takes FOREVER to reach me from Bugzilla -- it's extremely slow.
What gives?
</A
></DT
><DT
>A.4.7. <A
-HREF="faq.html#AEN1974"
+HREF="faq.html#AEN2016"
> How come email from Bugzilla changes never reaches me?
</A
></DT
><DL
><DT
>A.5.1. <A
-HREF="faq.html#AEN1982"
+HREF="faq.html#AEN2024"
> I've heard Bugzilla can be used with Oracle?
</A
></DT
><DT
>A.5.2. <A
-HREF="faq.html#AEN1987"
+HREF="faq.html#AEN2029"
> I think my database might be corrupted, or contain invalid entries. What
do I do?
</A
></DT
><DT
>A.5.3. <A
-HREF="faq.html#AEN1995"
+HREF="faq.html#AEN2037"
> I want to manually edit some entries in my database. How?
</A
></DT
><DT
>A.5.4. <A
-HREF="faq.html#AEN2000"
+HREF="faq.html#AEN2042"
> I try to add myself as a user, but Bugzilla always tells me my password is wrong.
</A
></DT
><DT
>A.5.5. <A
-HREF="faq.html#AEN2005"
+HREF="faq.html#AEN2047"
> I think I've set up MySQL permissions correctly, but Bugzilla still can't
connect.
</A
></DT
><DT
>A.5.6. <A
-HREF="faq.html#AEN2010"
+HREF="faq.html#AEN2052"
> How do I synchronize bug information among multiple different Bugzilla
databases?
</A
><DL
><DT
>A.6.1. <A
-HREF="faq.html#AEN2019"
+HREF="faq.html#AEN2061"
> What is the easiest way to run Bugzilla on Win32 (Win98+/NT/2K)?
</A
></DT
><DT
>A.6.2. <A
-HREF="faq.html#AEN2024"
+HREF="faq.html#AEN2066"
> Is there a "Bundle::Bugzilla" equivalent for Win32?
</A
></DT
><DT
>A.6.3. <A
-HREF="faq.html#AEN2029"
+HREF="faq.html#AEN2071"
> CGI's are failing with a "something.cgi is not a valid Windows NT
application" error. Why?
</A
></DT
><DT
>A.6.4. <A
-HREF="faq.html#AEN2037"
+HREF="faq.html#AEN2079"
> I'm having trouble with the perl modules for NT not being able to talk to
to the database.
</A
><DL
><DT
>A.7.1. <A
-HREF="faq.html#AEN2058"
+HREF="faq.html#AEN2100"
> How do I change my user name (email address) in Bugzilla?
</A
></DT
><DT
>A.7.2. <A
-HREF="faq.html#AEN2063"
+HREF="faq.html#AEN2105"
> The query page is very confusing. Isn't there a simpler way to query?
</A
></DT
><DT
>A.7.3. <A
-HREF="faq.html#AEN2068"
+HREF="faq.html#AEN2110"
> I'm confused by the behavior of the "accept" button in the Show Bug form.
Why doesn't it assign the bug to me when I accept it?
</A
></DT
><DT
>A.7.4. <A
-HREF="faq.html#AEN2078"
+HREF="faq.html#AEN2120"
> I can't upload anything into the database via the "Create Attachment"
link. What am I doing wrong?
</A
></DT
><DT
>A.7.5. <A
-HREF="faq.html#AEN2083"
+HREF="faq.html#AEN2125"
> Email submissions to Bugzilla that have attachments end up asking me to
save it as a "cgi" file.
</A
></DT
><DT
>A.7.6. <A
-HREF="faq.html#AEN2088"
+HREF="faq.html#AEN2130"
> How do I change a keyword in Bugzilla, once some bugs are using it?
</A
></DT
><DL
><DT
>A.8.1. <A
-HREF="faq.html#AEN2095"
+HREF="faq.html#AEN2137"
> What bugs are in Bugzilla right now?
</A
></DT
><DT
>A.8.2. <A
-HREF="faq.html#AEN2104"
+HREF="faq.html#AEN2146"
> How can I change the default priority to a null value? For instance, have the default
priority be "---" instead of "P2"?
</A
></DT
><DT
>A.8.3. <A
-HREF="faq.html#AEN2110"
+HREF="faq.html#AEN2152"
> What's the best way to submit patches? What guidelines should I follow?
</A
></DT
CLASS="question"
><P
><A
-NAME="AEN1724"
+NAME="AEN1766"
></A
><B
>A.1.1. </B
CLASS="question"
><P
><A
-NAME="AEN1730"
+NAME="AEN1772"
></A
><B
>A.1.2. </B
CLASS="question"
><P
><A
-NAME="AEN1736"
+NAME="AEN1778"
></A
><B
>A.1.3. </B
CLASS="question"
><P
><A
-NAME="AEN1743"
+NAME="AEN1785"
></A
><B
>A.1.4. </B
CLASS="question"
><P
><A
-NAME="AEN1768"
+NAME="AEN1810"
></A
><B
>A.1.5. </B
CLASS="question"
><P
><A
-NAME="AEN1774"
+NAME="AEN1816"
></A
><B
>A.1.6. </B
CLASS="question"
><P
><A
-NAME="AEN1780"
+NAME="AEN1822"
></A
><B
>A.1.7. </B
CLASS="question"
><P
><A
-NAME="AEN1787"
+NAME="AEN1829"
></A
><B
>A.1.8. </B
CLASS="question"
><P
><A
-NAME="AEN1792"
+NAME="AEN1834"
></A
><B
>A.1.9. </B
CLASS="question"
><P
><A
-NAME="AEN1798"
+NAME="AEN1840"
></A
><B
>A.1.10. </B
CLASS="question"
><P
><A
-NAME="AEN1808"
+NAME="AEN1850"
></A
><B
>A.2.1. </B
CLASS="question"
><P
><A
-NAME="AEN1813"
+NAME="AEN1855"
></A
><B
>A.2.2. </B
CLASS="question"
><P
><A
-NAME="AEN1818"
+NAME="AEN1860"
></A
><B
>A.2.3. </B
CLASS="question"
><P
><A
-NAME="AEN1823"
+NAME="AEN1865"
></A
><B
>A.2.4. </B
CLASS="question"
><P
><A
-NAME="AEN1828"
+NAME="AEN1870"
></A
><B
>A.2.5. </B
CLASS="question"
><P
><A
-NAME="AEN1833"
+NAME="AEN1875"
></A
><B
>A.2.6. </B
CLASS="question"
><P
><A
-NAME="AEN1840"
+NAME="AEN1882"
></A
><B
>A.2.7. </B
CLASS="question"
><P
><A
-NAME="AEN1847"
+NAME="AEN1889"
></A
><B
>A.2.8. </B
CLASS="question"
><P
><A
-NAME="AEN1852"
+NAME="AEN1894"
></A
><B
>A.2.9. </B
CLASS="question"
><P
><A
-NAME="AEN1857"
+NAME="AEN1899"
></A
><B
>A.2.10. </B
CLASS="question"
><P
><A
-NAME="AEN1864"
+NAME="AEN1906"
></A
><B
>A.2.11. </B
CLASS="question"
><P
><A
-NAME="AEN1872"
+NAME="AEN1914"
></A
><B
>A.2.12. </B
CLASS="question"
><P
><A
-NAME="AEN1877"
+NAME="AEN1919"
></A
><B
>A.2.13. </B
CLASS="question"
><P
><A
-NAME="AEN1882"
+NAME="AEN1924"
></A
><B
>A.2.14. </B
CLASS="question"
><P
><A
-NAME="AEN1887"
+NAME="AEN1929"
></A
><B
>A.2.15. </B
CLASS="question"
><P
><A
-NAME="AEN1892"
+NAME="AEN1934"
></A
><B
>A.2.16. </B
CLASS="question"
><P
><A
-NAME="AEN1898"
+NAME="AEN1940"
></A
><B
>A.2.17. </B
CLASS="question"
><P
><A
-NAME="AEN1903"
+NAME="AEN1945"
></A
><B
>A.2.18. </B
CLASS="question"
><P
><A
-NAME="AEN1909"
+NAME="AEN1951"
></A
><B
>A.2.19. </B
CLASS="question"
><P
><A
-NAME="AEN1914"
+NAME="AEN1956"
></A
><B
>A.2.20. </B
CLASS="question"
><P
><A
-NAME="AEN1921"
+NAME="AEN1963"
></A
><B
>A.3.1. </B
CLASS="question"
><P
><A
-NAME="AEN1927"
+NAME="AEN1969"
></A
><B
>A.3.2. </B
CLASS="question"
><P
><A
-NAME="AEN1932"
+NAME="AEN1974"
></A
><B
>A.3.3. </B
CLASS="question"
><P
><A
-NAME="AEN1939"
+NAME="AEN1981"
></A
><B
>A.4.1. </B
CLASS="question"
><P
><A
-NAME="AEN1944"
+NAME="AEN1986"
></A
><B
>A.4.2. </B
CLASS="question"
><P
><A
-NAME="AEN1949"
+NAME="AEN1991"
></A
><B
>A.4.3. </B
CLASS="question"
><P
><A
-NAME="AEN1955"
+NAME="AEN1997"
></A
><B
>A.4.4. </B
You can call bug_email.pl directly from your aliases file, with
an entry like this:
<A
-NAME="AEN1959"
+NAME="AEN2001"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
CLASS="question"
><P
><A
-NAME="AEN1962"
+NAME="AEN2004"
></A
><B
>A.4.5. </B
CLASS="question"
><P
><A
-NAME="AEN1967"
+NAME="AEN2009"
></A
><B
>A.4.6. </B
CLASS="question"
><P
><A
-NAME="AEN1974"
+NAME="AEN2016"
></A
><B
>A.4.7. </B
CLASS="question"
><P
><A
-NAME="AEN1982"
+NAME="AEN2024"
></A
><B
>A.5.1. </B
CLASS="question"
><P
><A
-NAME="AEN1987"
+NAME="AEN2029"
></A
><B
>A.5.2. </B
CLASS="question"
><P
><A
-NAME="AEN1995"
+NAME="AEN2037"
></A
><B
>A.5.3. </B
CLASS="question"
><P
><A
-NAME="AEN2000"
+NAME="AEN2042"
></A
><B
>A.5.4. </B
CLASS="question"
><P
><A
-NAME="AEN2005"
+NAME="AEN2047"
></A
><B
>A.5.5. </B
CLASS="question"
><P
><A
-NAME="AEN2010"
+NAME="AEN2052"
></A
><B
>A.5.6. </B
CLASS="question"
><P
><A
-NAME="AEN2019"
+NAME="AEN2061"
></A
><B
>A.6.1. </B
CLASS="question"
><P
><A
-NAME="AEN2024"
+NAME="AEN2066"
></A
><B
>A.6.2. </B
CLASS="question"
><P
><A
-NAME="AEN2029"
+NAME="AEN2071"
></A
><B
>A.6.3. </B
><P
> Microsoft has some advice on this matter, as well:
<A
-NAME="AEN2034"
+NAME="AEN2076"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
CLASS="question"
><P
><A
-NAME="AEN2037"
+NAME="AEN2079"
></A
><B
>A.6.4. </B
CLASS="question"
><P
><A
-NAME="AEN2058"
+NAME="AEN2100"
></A
><B
>A.7.1. </B
CLASS="question"
><P
><A
-NAME="AEN2063"
+NAME="AEN2105"
></A
><B
>A.7.2. </B
CLASS="question"
><P
><A
-NAME="AEN2068"
+NAME="AEN2110"
></A
><B
>A.7.3. </B
CLASS="question"
><P
><A
-NAME="AEN2078"
+NAME="AEN2120"
></A
><B
>A.7.4. </B
CLASS="question"
><P
><A
-NAME="AEN2083"
+NAME="AEN2125"
></A
><B
>A.7.5. </B
CLASS="question"
><P
><A
-NAME="AEN2088"
+NAME="AEN2130"
></A
><B
>A.7.6. </B
CLASS="question"
><P
><A
-NAME="AEN2095"
+NAME="AEN2137"
></A
><B
>A.8.1. </B
CLASS="question"
><P
><A
-NAME="AEN2104"
+NAME="AEN2146"
></A
><B
>A.8.2. </B
CLASS="question"
><P
><A
-NAME="AEN2110"
+NAME="AEN2152"
></A
><B
>A.8.3. </B
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="SourceForge"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H1
CLASS="glossdiv"
><A
-NAME="AEN2258"
+NAME="AEN2300"
></A
>0-9, high ascii</H1
><DL
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Using Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN434"
+NAME="AEN435"
></A
>3.2.1. Autolinkification</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN463"
+NAME="AEN464"
></A
>3.2.5. Filing Bugs</H2
><P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Using Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
<HTML
><HEAD
><TITLE
->The Bugzilla Guide</TITLE
+>The Bugzilla Guide - 2.16.3 Release</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
><A
NAME="AEN2"
></A
->The Bugzilla Guide</H1
+>The Bugzilla Guide - 2.16.3 Release</H1
><H3
CLASS="author"
><A
NAME="AEN9"
></A
>The Bugzilla Team</H3
+><P
+CLASS="pubdate"
+>2003-02-16<BR></P
><DIV
><DIV
CLASS="abstract"
><A
-NAME="AEN13"
+NAME="AEN14"
></A
><P
></P
></DT
><DT
>4-1. <A
-HREF="win32.html#AEN989"
+HREF="win32.html#AEN924"
>Installing ActivePerl ppd Modules on Microsoft
Windows</A
></DT
><DT
>4-2. <A
-HREF="win32.html#AEN1002"
+HREF="win32.html#AEN937"
>Installing OpenInteract ppd Modules manually on Microsoft
Windows</A
></DT
><DT
>4-3. <A
-HREF="win32.html#AEN1184"
+HREF="win32.html#AEN1119"
>Removing encrypt() for Windows NT Bugzilla version 2.12 or
earlier</A
></DT
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="User Preferences"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><DL
><DT
>4.1.1. <A
-HREF="stepbystep.html#AEN492"
+HREF="stepbystep.html#AEN493"
>Introduction</A
></DT
><DT
>4.1.2. <A
-HREF="stepbystep.html#AEN496"
+HREF="stepbystep.html#AEN497"
>Package List</A
></DT
><DT
></DT
><DT
>4.1.6. <A
-HREF="stepbystep.html#AEN669"
+HREF="stepbystep.html#AEN670"
>HTTP Server</A
></DT
><DT
>4.1.7. <A
-HREF="stepbystep.html#AEN688"
+HREF="stepbystep.html#AEN689"
>Bugzilla</A
></DT
><DT
>4.1.8. <A
-HREF="stepbystep.html#AEN705"
+HREF="stepbystep.html#AEN706"
>Setting Up the MySQL Database</A
></DT
><DT
>4.1.9. <A
-HREF="stepbystep.html#AEN741"
+HREF="stepbystep.html#AEN742"
><TT
CLASS="filename"
>checksetup.pl</TT
></DT
><DT
>4.1.10. <A
-HREF="stepbystep.html#AEN773"
->Securing MySQL</A
-></DT
-><DT
->4.1.11. <A
-HREF="stepbystep.html#AEN839"
+HREF="stepbystep.html#AEN774"
>Configuring Bugzilla</A
></DT
></DL
><DL
><DT
>4.2.1. <A
-HREF="extraconfig.html#AEN845"
+HREF="extraconfig.html#AEN780"
>Dependency Charts</A
></DT
><DT
>4.2.2. <A
-HREF="extraconfig.html#AEN860"
+HREF="extraconfig.html#AEN795"
>Bug Graphs</A
></DT
><DT
>4.2.3. <A
-HREF="extraconfig.html#AEN873"
+HREF="extraconfig.html#AEN808"
>The Whining Cron</A
></DT
><DT
><DL
><DT
>4.5.1. <A
-HREF="troubleshooting.html#AEN1218"
+HREF="troubleshooting.html#AEN1153"
>Bundle::Bugzilla makes me upgrade to Perl 5.6.1</A
></DT
><DT
>4.5.2. <A
-HREF="troubleshooting.html#AEN1223"
+HREF="troubleshooting.html#AEN1158"
>DBD::Sponge::db prepare failed</A
></DT
><DT
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Document Conventions"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="About This Guide"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
></A
>1.3. New Versions</H1
><P
-> This is the 2.16 version of The Bugzilla Guide. It is so named
+> This is the 2.16.3 version of The Bugzilla Guide. It is so named
to match the current version of Bugzilla. If you are
reading this from any source other than those below, please
check one of these mirrors to make sure you are reading an
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installation"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="MySQL Bugzilla Database Introduction"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Useful Patches and Utilities for Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><P
>These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
- of these directions for specific platforms, please submit them to
- <A
-HREF="mailto://mozilla-webtools@mozilla.org"
+ of these directions, please submit a bug to <A
+HREF="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation"
TARGET="_top"
-> mozilla-webtools@mozilla.org</A
->
+>Bugzilla</A
+>.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="warning"
+><P
+></P
+><TABLE
+CLASS="warning"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="../images/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>This is not meant to be a comprehensive list of every possible
+ security issue regarding the tools mentioned in this section. There is
+ no subsitute for reading the information written by the authors of any
+ software running on your system.
</P
></TD
></TR
></TABLE
></DIV
+><DIV
+CLASS="section"
+><H2
+CLASS="section"
+><A
+NAME="security-networking"
+></A
+>5.6.1. TCP/IP Ports</H2
+><P
+>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
+ only needs 1... 2 if you need to use features that require e-mail such
+ as bug moving or the e-mail interface from contrib. You should audit
+ your server and make sure that you aren't listening on any ports you
+ don't need to be. You may also wish to use some kind of firewall
+ software to be sure that trafic can only be recieved on ports you
+ specify.
+ </P
+></DIV
+><DIV
+CLASS="section"
+><H2
+CLASS="section"
+><A
+NAME="security-mysql"
+></A
+>5.6.2. MySQL</H2
+><P
+>MySQL ships by default with many settings that should be changed.
+ By defaults it allows anybody to connect from localhost without a
+ password and have full administrative capabilities. It also defaults to
+ not have a root password (this is <EM
+>not</EM
+> the same as
+ the system root). Also, many installations default to running
+ <SPAN
+CLASS="application"
+>mysqld</SPAN
+> as the system root.
+ </P
><P
->To secure your installation:
-
- <P
></P
><OL
TYPE="1"
><LI
><P
->Ensure you are running at least MysQL version 3.22.32 or newer.
- Earlier versions had notable security holes and (from a security
- point of view) poor default configuration choices.</P
+>Make sure you are running at least version 3.22.32 of MySQL
+ as earlier versions had notable security holes.
+ </P
></LI
><LI
><P
-> <EM
->There is no substitute for understanding the tools on your
- system!</EM
->
-
- Read
- <A
-HREF="http://www.mysql.com/doc/P/r/Privilege_system.html"
-TARGET="_top"
-> The MySQL Privilege System</A
->
- until you can recite it from memory!</P
+>Consult the documentation that came with your system for
+ information on making <SPAN
+CLASS="application"
+>mysqld</SPAN
+> run as an
+ unprivleged user.
+ </P
></LI
><LI
><P
->Lock down /etc/inetd.conf. Heck, disable inet entirely on this
- box. It should only listen to port 25 for Sendmail and port 80 for
- Apache.</P
+>You should also be sure to disable the anonymous user account
+ and set a password for the root user. This is accomplished using the
+ following commands:
+ </P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><FONT
+COLOR="#000000"
+><PRE
+CLASS="programlisting"
+> <TT
+CLASS="prompt"
+>bash$</TT
+> mysql mysql
+<TT
+CLASS="prompt"
+>mysql></TT
+> DELETE FROM user WHERE user = '';
+<TT
+CLASS="prompt"
+>mysql></TT
+> UPDATE user SET password = password('<TT
+CLASS="replaceable"
+><I
+>new_password</I
+></TT
+>') WHERE user = 'root';
+<TT
+CLASS="prompt"
+>mysql></TT
+> FLUSH PRIVILEGES;
+ </PRE
+></FONT
+></TD
+></TR
+></TABLE
+><P
+>From this point forward you will need to use
+ <B
+CLASS="command"
+>mysql -u root -p</B
+> and enter
+ <TT
+CLASS="replaceable"
+><I
+>new_password</I
+></TT
+> when prompted when using the
+ mysql client.
+ </P
+></LI
+><LI
+><P
+>If you run MySQL on the same machine as your httpd server, you
+ should consider disabling networking from within MySQL by adding
+ the following to your <TT
+CLASS="filename"
+>/etc/my.conf</TT
+>:
+ </P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><FONT
+COLOR="#000000"
+><PRE
+CLASS="programlisting"
+> [myslqd]
+# Prevent network access to MySQL.
+skip-networking
+ </PRE
+></FONT
+></TD
+></TR
+></TABLE
></LI
><LI
><P
->Do not run Apache as
- <SPAN
+>You may also consider running MySQL, or even all of Bugzilla
+ in a chroot jail; however, instructions for doing that are beyond
+ the scope of this document.
+ </P
+></LI
+></OL
+></DIV
+><DIV
+CLASS="section"
+><H2
+CLASS="section"
+><A
+NAME="security-daemon"
+></A
+>5.6.3. Daemon Accounts</H2
+><P
+>Many daemons, such as Apache's httpd and MySQL's mysqld default to
+ running as either <SPAN
+CLASS="QUOTE"
+>"root"</SPAN
+> or <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
->
-
- . This will require very lax permissions in your Bugzilla
- directories. Run it, instead, as a user with a name, set via your
- httpd.conf file.
- <DIV
+>. Running
+ as <SPAN
+CLASS="QUOTE"
+>"root"</SPAN
+> introduces obvious security problems, but the
+ problems introduced by running everything as <SPAN
+CLASS="QUOTE"
+>"nobody"</SPAN
+> may
+ not be so obvious. Basically, if you're running every daemon as
+ <SPAN
+CLASS="QUOTE"
+>"nobody"</SPAN
+> and one of them gets comprimised, they all get
+ comprimised. For this reason it is recommended that you create a user
+ account for each daemon.
+ </P
+><DIV
CLASS="note"
><P
></P
ALIGN="LEFT"
VALIGN="TOP"
><P
-> <SPAN
-CLASS="QUOTE"
->"nobody"</SPAN
->
-
- is a real user on UNIX systems. Having a process run as user id
- <SPAN
-CLASS="QUOTE"
->"nobody"</SPAN
->
-
- is absolutely no protection against system crackers versus using
- any other user account. As a general security measure, I recommend
- you create unique user ID's for each daemon running on your system
- and, if possible, use "chroot" to jail that process away from the
- rest of your system.</P
+>You will need to set the <TT
+CLASS="varname"
+>webservergroup</TT
+> to
+ the group you created for your webserver to run as in
+ <TT
+CLASS="filename"
+>localconfig</TT
+>. This will allow
+ <B
+CLASS="command"
+>./checksetup.pl</B
+> to better adjust the file
+ permissions on your Bugzilla install so as to not require making
+ anything world-writable.
+ </P
></TD
></TR
></TABLE
></DIV
+></DIV
+><DIV
+CLASS="section"
+><H2
+CLASS="section"
+><A
+NAME="security-access"
+></A
+>5.6.4. Web Server Access Controls</H2
+><P
+>There are many files that are placed in the Bugzilla directory
+ area that should not be accessable from the web. Because of the way
+ Bugzilla is currently layed out, the list of what should and should
+ not be accessible is rather complicated. A new installation method
+ is currently in the works which should solve this by allowing files
+ that shouldn't be accessible from the web to be placed in directory
+ outside the webroot. See
+ <A
+HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659"
+TARGET="_top"
+>bug
+ 44659</A
+> for more information.
+ </P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>In the main Bugzilla directory, you should:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block:
+ <TT
+CLASS="filename"
+>*.pl</TT
+>, <TT
+CLASS="filename"
+>*localconfig*</TT
+>, <TT
+CLASS="filename"
+>runtests.sh</TT
+>, <TT
+CLASS="filename"
+>processmail</TT
+>, <TT
+CLASS="filename"
+>syncshadowdb</TT
>
- </P
+ </P
></LI
><LI
><P
->Ensure you have adequate access controls for the
- $BUGZILLA_HOME/data/ directory, as well as the
- $BUGZILLA_HOME/localconfig file.
- The localconfig file stores your "bugs" database account password.
- In addition, some
- files under $BUGZILLA_HOME/data/ store sensitive information.
- </P
+>But allow:
+ <TT
+CLASS="filename"
+>localconfig.js</TT
+>, <TT
+CLASS="filename"
+>localconfig.rdf</TT
+>
+ </P
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>data</TT
+>:</P
><P
->Bugzilla provides default .htaccess files to protect the most
- common Apache installations. However, you should verify these are
- adequate according to the site-wide security policy of your web
- server, and ensure that the .htaccess files are allowed to
- "override" default permissions set in your Apache configuration
- files. Covering Apache security is beyond the scope of this Guide;
- please consult the Apache documentation for details.</P
-><P
->If you are using a web server that does not support the
- .htaccess control method,
- <EM
->you are at risk!</EM
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow:
+ <TT
+CLASS="filename"
+>duplicates.rdf</TT
>
-
- After installing, check to see if you can view the file
- "localconfig" in your web browser (e.g.:
- <A
-HREF="http://bugzilla.mozilla.org/localconfig"
-TARGET="_top"
-> http://bugzilla.mozilla.org/localconfig</A
+ </P
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>data/webdot</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>If you use a remote webdot server:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow
+ <TT
+CLASS="filename"
+>*.dot</TT
>
-
- ). If you can read the contents of this file, your web server has
- not secured your bugzilla directory properly and you must fix this
- problem before deploying Bugzilla. If, however, it gives you a
- "Forbidden" error, then it probably respects the .htaccess
- conventions and you are good to go.</P
-><P
->When you run checksetup.pl, the script will attempt to modify
- various permissions on files which Bugzilla uses. If you do not have
- a webservergroup set in the localconfig file, then Bugzilla will have
- to make certain files world readable and/or writable.
- <EM
->THIS IS INSECURE!</EM
+ only for the remote webdot server</P
+></LI
+></UL
+></LI
+><LI
+><P
+>Otherwise, if you use a local GraphViz:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+><LI
+><P
+>But allow:
+ <TT
+CLASS="filename"
+>*.png</TT
+>, <TT
+CLASS="filename"
+>*.gif</TT
+>, <TT
+CLASS="filename"
+>*.jpg</TT
+>, <TT
+CLASS="filename"
+>*.map</TT
>
-
- . This means that anyone who can get access to your system can do
- whatever they want to your Bugzilla installation.</P
+ </P
+></LI
+></UL
+></LI
+><LI
+><P
+>And if you don't use any dot:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>Bugzilla</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+><LI
+><P
+>In <TT
+CLASS="filename"
+>template</TT
+>:</P
+><P
+></P
+><UL
+COMPACT="COMPACT"
+><LI
+><P
+>Block everything</P
+></LI
+></UL
+></LI
+></UL
><DIV
-CLASS="note"
+CLASS="tip"
><P
></P
><TABLE
-CLASS="note"
+CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
ALIGN="CENTER"
VALIGN="TOP"
><IMG
-SRC="../images/note.gif"
+SRC="../images/tip.gif"
HSPACE="5"
-ALT="Note"></TD
+ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
->This also means that if your webserver runs all cgi scripts
- as the same user/group, anyone on the system who can run cgi
- scripts will be able to take control of your Bugzilla
- installation.</P
+>Bugzilla ships with the ability to generate
+ <TT
+CLASS="filename"
+>.htaccess</TT
+> files instructing Apache which files
+ should and should not be accessible.
+ </P
></TD
></TR
></TABLE
></DIV
><P
->On Apache, you can use .htaccess files to protect access to
- these directories, as outlined in
- <A
-HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161"
-TARGET="_top"
->Bug
- 57161</A
->
-
- for the localconfig file, and
- <A
-HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572"
+>You should test to make sure that the files mentioned above are
+ not accessible from the Internet, especially your
+ <TT
+CLASS="filename"
+>localconfig</TT
+> file which contains your database
+ password. To test, simply point your web browser at the file; for
+ example, to test mozilla.org's installation, we'd try to access
+ <A
+HREF="http://bugzilla.mozilla.org/localconfig"
TARGET="_top"
->Bug
- 65572</A
->
-
- for adequate protection in your data/ directory.</P
-><P
->Note the instructions which follow are Apache-specific. If you
- use IIS, Netscape, or other non-Apache web servers, please consult
- your system documentation for how to secure these files from being
- transmitted to curious users.</P
-><P
->Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/data directory.
- <P
-CLASS="literallayout"
-><Files comments> allow from all </Files><br>
- deny from all</P
+>http://bugzilla.mozilla.org/localconfig</A
+>. You should
+ get a <SPAN
+CLASS="errorcode"
+>403</SPAN
+> <SPAN
+CLASS="errorname"
+>Forbidden</SPAN
>
- </P
+ error.
+ </P
+><DIV
+CLASS="caution"
><P
->Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/ directory.
- <P
-CLASS="literallayout"
-><Files localconfig> deny from all </Files><br>
- allow from all</P
->
+></P
+><TABLE
+CLASS="caution"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="../images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Not following the instructions in this section, including
+ testing, may result in sensitive information being globally
+ accessible.
</P
-></LI
-></OL
->
- </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installation"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN492"
+NAME="AEN493"
></A
>4.1.1. Introduction</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN496"
+NAME="AEN497"
></A
>4.1.2. Package List</H2
><DIV
><H3
CLASS="section"
><A
-NAME="AEN642"
+NAME="AEN643"
></A
>4.1.5.1. DBI</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN645"
+NAME="AEN646"
></A
>4.1.5.2. Data::Dumper</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN648"
+NAME="AEN649"
></A
>4.1.5.3. MySQL-related modules</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN653"
+NAME="AEN654"
></A
>4.1.5.4. TimeDate modules</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN656"
+NAME="AEN657"
></A
>4.1.5.5. GD (optional)</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN663"
+NAME="AEN664"
></A
>4.1.5.6. Chart::Base (optional)</H3
><P
><H3
CLASS="section"
><A
-NAME="AEN666"
+NAME="AEN667"
></A
>4.1.5.7. Template Toolkit</H3
><P
><H2
CLASS="section"
><A
-NAME="AEN669"
+NAME="AEN670"
></A
>4.1.6. HTTP Server</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN688"
+NAME="AEN689"
></A
>4.1.7. Bugzilla</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN705"
+NAME="AEN706"
></A
>4.1.8. Setting Up the MySQL Database</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN741"
+NAME="AEN742"
></A
>4.1.9. <TT
CLASS="filename"
><H2
CLASS="section"
><A
-NAME="AEN773"
+NAME="AEN774"
></A
->4.1.10. Securing MySQL</H2
-><P
->If you followed the installation instructions for setting up your
- "bugs" and "root" user in MySQL, much of this should not apply to you.
- If you are upgrading an existing installation of Bugzilla, you should
- pay close attention to this section.</P
-><P
->Most MySQL installs have "interesting" default security
- parameters:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->mysqld defaults to running as root</TD
-></TR
-><TR
-><TD
->it defaults to allowing external network connections</TD
-></TR
-><TR
-><TD
->it has a known port number, and is easy to detect</TD
-></TR
-><TR
-><TD
->it defaults to no passwords whatsoever</TD
-></TR
-><TR
-><TD
->it defaults to allowing "File_Priv"</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->This means anyone from anywhere on the internet can not only drop
- the database with one SQL command, and they can write as root to the
- system.</P
-><P
->To see your permissions do:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->bash#</TT
->
-
- <B
-CLASS="command"
->mysql -u root -p</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->use mysql;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->show tables;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->select * from user;</B
->
- </TT
->
- </TD
-></TR
-><TR
-><TD
-> <TT
-CLASS="computeroutput"
-> <TT
-CLASS="prompt"
->mysql></TT
->
-
- <B
-CLASS="command"
->select * from db;</B
->
- </TT
->
- </TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->To fix the gaping holes:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->DELETE FROM user WHERE User='';</TD
-></TR
-><TR
-><TD
->UPDATE user SET Password=PASSWORD('new_password') WHERE
- user='root';</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->If you're not running "mit-pthreads" you can use:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->GRANT USAGE ON *.* TO bugs@localhost;</TD
-></TR
-><TR
-><TD
->GRANT ALL ON bugs.* TO bugs@localhost;</TD
-></TR
-><TR
-><TD
->REVOKE DROP ON bugs.* FROM bugs@localhost;</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->With "mit-pthreads" you'll need to modify the "globals.pl"
- Mysql->Connect line to specify a specific host name instead of
- "localhost", and accept external connections:
- <P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->GRANT USAGE ON *.* TO bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->GRANT ALL ON bugs.* TO bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com;</TD
-></TR
-><TR
-><TD
->FLUSH PRIVILEGES;</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
->
- </P
-><P
->Consider also:
- <P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->Turning off external networking with "--skip-networking",
- unless you have "mit-pthreads", in which case you can't. Without
- networking, MySQL connects with a Unix domain socket.</P
-></LI
-><LI
-><P
->using the --user= option to mysqld to run it as an
- unprivileged user.</P
-></LI
-><LI
-><P
->running MySQL in a chroot jail</P
-></LI
-><LI
-><P
->running the httpd in a chroot jail</P
-></LI
-><LI
-><P
->making sure the MySQL passwords are different from the OS
- passwords (MySQL "root" has nothing to do with system
- "root").</P
-></LI
-><LI
-><P
->running MySQL on a separate untrusted machine</P
-></LI
-><LI
-><P
->making backups ;-)</P
-></LI
-></OL
->
- </P
-></DIV
-><DIV
-CLASS="section"
-><H2
-CLASS="section"
-><A
-NAME="AEN839"
-></A
->4.1.11. Configuring Bugzilla</H2
+>4.1.10. Configuring Bugzilla</H2
><P
> You should run through the parameters on the Edit Parameters page
(link in the footer) and set them all to appropriate values.
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installation"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><H2
CLASS="section"
><A
-NAME="AEN1218"
+NAME="AEN1153"
></A
>4.5.1. Bundle::Bugzilla makes me upgrade to Perl 5.6.1</H2
><P
><H2
CLASS="section"
><A
-NAME="AEN1223"
+NAME="AEN1158"
></A
>4.5.2. DBD::Sponge::db prepare failed</H2
><P
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Using Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Why Should We Use Bugzilla?"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><DL
><DT
>3.2.1. <A
-HREF="hintsandtips.html#AEN434"
+HREF="hintsandtips.html#AEN435"
>Autolinkification</A
></DT
><DT
></DT
><DT
>3.2.5. <A
-HREF="hintsandtips.html#AEN463"
+HREF="hintsandtips.html#AEN464"
>Filing Bugs</A
></DT
></DL
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Bugzilla Variants and Competitors"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Command-line Bugzilla Queries"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Introduction"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Introduction"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
-TITLE="The Bugzilla Guide"
+TITLE="The Bugzilla Guide - 2.16.3 Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installation"
><TH
COLSPAN="3"
ALIGN="center"
->The Bugzilla Guide</TH
+>The Bugzilla Guide - 2.16.3 Release</TH
></TR
><TR
><TD
><DIV
CLASS="example"
><A
-NAME="AEN989"
+NAME="AEN924"
></A
><P
><B
<DIV
CLASS="example"
><A
-NAME="AEN1002"
+NAME="AEN937"
></A
><P
><B
><P
>From Andrew Pearson:
<A
-NAME="AEN1172"
+NAME="AEN1107"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
>
for Bugzilla 2.13 and later, which includes the current release,
- Bugzilla &bz-ver;.
+ Bugzilla 2.16.3.
<DIV
CLASS="example"
><A
-NAME="AEN1184"
+NAME="AEN1119"
></A
><P
><B
--- /dev/null
+#!/usr/bonsaitools/bin/perl -w
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Matthew Tuck <matty@chariot.net.au>
+
+# This script compiles all the documentation.
+
+use diagnostics;
+use strict;
+
+use File::Basename;
+
+###############################################################################
+# Environment Variable Checking
+###############################################################################
+
+my ($JADE_PUB, $LDP_HOME);
+
+if (defined $ENV{JADE_PUB} && $ENV{JADE_PUB} ne '') {
+ $JADE_PUB = $ENV{JADE_PUB};
+}
+else {
+ die "You need to set the JADE_PUB environment variable first.";
+}
+
+if (defined $ENV{LDP_HOME} && $ENV{LDP_HOME} ne '') {
+ $LDP_HOME = $ENV{LDP_HOME};
+}
+else {
+ die "You need to set the LDP_HOME environment variable first.";
+}
+
+###############################################################################
+# Subs
+###############################################################################
+
+sub MakeDocs($$) {
+
+ my ($name, $cmdline) = @_;
+
+ print "Creating $name documentation ...\n";
+ print "$cmdline\n\n";
+ system $cmdline;
+ print "\n";
+
+}
+
+###############################################################################
+# Make the docs ...
+###############################################################################
+
+chdir dirname($0);
+chdir 'html';
+
+MakeDocs('separate HTML', "jade -t sgml -i html -d $LDP_HOME/ldp.dsl\#html " .
+ "$JADE_PUB/xml.dcl ../sgml/Bugzilla-Guide.sgml");
+MakeDocs('big HTML', "jade -V nochunks -t sgml -i html -d " .
+ "$LDP_HOME/ldp.dsl\#html $JADE_PUB/xml.dcl " .
+ "../sgml/Bugzilla-Guide.sgml > Bugzilla-Guide.html");
+MakeDocs('big text', "lynx -dump -justify=off -nolist Bugzilla-Guide.html " .
+ "> ../txt/Bugzilla-Guide.txt");
-The Bugzilla Guide
+The Bugzilla Guide - 2.16.3 Release
Matthew P. Barnson
The Bugzilla Team
+ 2003-02-16
+
This is the documentation for Bugzilla, the mozilla.org bug-tracking
system. Bugzilla is an enterprise-class piece of software that powers
issue-tracking for hundreds of organizations around the world,
1.3. New Versions
- This is the 2.16 version of The Bugzilla Guide. It is so named to
+ This is the 2.16.3 version of The Bugzilla Guide. It is so named to
match the current version of Bugzilla. If you are reading this from
any source other than those below, please check one of these mirrors
to make sure you are reading an up-to-date version of the Guide.
Bugzilla.
_________________________________________________________________
-4.1.10. Securing MySQL
-
- If you followed the installation instructions for setting up your
- "bugs" and "root" user in MySQL, much of this should not apply to you.
- If you are upgrading an existing installation of Bugzilla, you should
- pay close attention to this section.
-
- Most MySQL installs have "interesting" default security parameters:
-
- mysqld defaults to running as root
- it defaults to allowing external network connections
- it has a known port number, and is easy to detect
- it defaults to no passwords whatsoever
- it defaults to allowing "File_Priv"
-
- This means anyone from anywhere on the internet can not only drop the
- database with one SQL command, and they can write as root to the
- system.
-
- To see your permissions do:
-
- bash# mysql -u root -p
- mysql> use mysql;
- mysql> show tables;
- mysql> select * from user;
- mysql> select * from db;
-
- To fix the gaping holes:
-
- DELETE FROM user WHERE User='';
- UPDATE user SET Password=PASSWORD('new_password') WHERE user='root';
- FLUSH PRIVILEGES;
-
- If you're not running "mit-pthreads" you can use:
-
- GRANT USAGE ON *.* TO bugs@localhost;
- GRANT ALL ON bugs.* TO bugs@localhost;
- REVOKE DROP ON bugs.* FROM bugs@localhost;
- FLUSH PRIVILEGES;
-
- With "mit-pthreads" you'll need to modify the "globals.pl"
- Mysql->Connect line to specify a specific host name instead of
- "localhost", and accept external connections:
-
- GRANT USAGE ON *.* TO bugs@bounce.hop.com;
- GRANT ALL ON bugs.* TO bugs@bounce.hop.com;
- REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com;
- FLUSH PRIVILEGES;
-
- Consider also:
-
- 1. Turning off external networking with "--skip-networking", unless
- you have "mit-pthreads", in which case you can't. Without
- networking, MySQL connects with a Unix domain socket.
- 2. using the --user= option to mysqld to run it as an unprivileged
- user.
- 3. running MySQL in a chroot jail
- 4. running the httpd in a chroot jail
- 5. making sure the MySQL passwords are different from the OS
- passwords (MySQL "root" has nothing to do with system "root").
- 6. running MySQL on a separate untrusted machine
- 7. making backups ;-)
- _________________________________________________________________
-
-4.1.11. Configuring Bugzilla
+4.1.10. Configuring Bugzilla
You should run through the parameters on the Edit Parameters page
(link in the footer) and set them all to appropriate values. They key
If attempting to run Bugzilla 2.12 or older, you will need to remove
encrypt() calls from the Perl source. This is not necessary for
Bugzilla 2.13 and later, which includes the current release, Bugzilla
- &bz-ver;.
+ 2.16.3.
Example 4-3. Removing encrypt() for Windows NT Bugzilla version 2.12
or earlier
These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
- of these directions for specific platforms, please submit them to
- mozilla-webtools@mozilla.org
-
- To secure your installation:
-
- 1. Ensure you are running at least MysQL version 3.22.32 or newer.
- Earlier versions had notable security holes and (from a security
- point of view) poor default configuration choices.
- 2. There is no substitute for understanding the tools on your system!
- Read The MySQL Privilege System until you can recite it from
- memory!
- 3. Lock down /etc/inetd.conf. Heck, disable inet entirely on this
- box. It should only listen to port 25 for Sendmail and port 80 for
- Apache.
- 4. Do not run Apache as "nobody" . This will require very lax
- permissions in your Bugzilla directories. Run it, instead, as a
- user with a name, set via your httpd.conf file.
+ of these directions, please submit a bug to Bugzilla.
- Note
+ Warning
+
+ This is not meant to be a comprehensive list of every possible
+ security issue regarding the tools mentioned in this section. There is
+ no subsitute for reading the information written by the authors of any
+ software running on your system.
+ _________________________________________________________________
+
+5.6.1. TCP/IP Ports
- "nobody" is a real user on UNIX systems. Having a process run as user
- id "nobody" is absolutely no protection against system crackers versus
- using any other user account. As a general security measure, I
- recommend you create unique user ID's for each daemon running on your
- system and, if possible, use "chroot" to jail that process away from
- the rest of your system.
- 5. Ensure you have adequate access controls for the
- $BUGZILLA_HOME/data/ directory, as well as the
- $BUGZILLA_HOME/localconfig file. The localconfig file stores your
- "bugs" database account password. In addition, some files under
- $BUGZILLA_HOME/data/ store sensitive information.
- Bugzilla provides default .htaccess files to protect the most
- common Apache installations. However, you should verify these are
- adequate according to the site-wide security policy of your web
- server, and ensure that the .htaccess files are allowed to
- "override" default permissions set in your Apache configuration
- files. Covering Apache security is beyond the scope of this Guide;
- please consult the Apache documentation for details.
- If you are using a web server that does not support the .htaccess
- control method, you are at risk! After installing, check to see if
- you can view the file "localconfig" in your web browser (e.g.:
- http://bugzilla.mozilla.org/localconfig ). If you can read the
- contents of this file, your web server has not secured your
- bugzilla directory properly and you must fix this problem before
- deploying Bugzilla. If, however, it gives you a "Forbidden" error,
- then it probably respects the .htaccess conventions and you are
- good to go.
- When you run checksetup.pl, the script will attempt to modify
- various permissions on files which Bugzilla uses. If you do not
- have a webservergroup set in the localconfig file, then Bugzilla
- will have to make certain files world readable and/or writable.
- THIS IS INSECURE! . This means that anyone who can get access to
- your system can do whatever they want to your Bugzilla
- installation.
+ TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla only
+ needs 1... 2 if you need to use features that require e-mail such as
+ bug moving or the e-mail interface from contrib. You should audit your
+ server and make sure that you aren't listening on any ports you don't
+ need to be. You may also wish to use some kind of firewall software to
+ be sure that trafic can only be recieved on ports you specify.
+ _________________________________________________________________
+
+5.6.2. MySQL
+
+ MySQL ships by default with many settings that should be changed. By
+ defaults it allows anybody to connect from localhost without a
+ password and have full administrative capabilities. It also defaults
+ to not have a root password (this is not the same as the system root).
+ Also, many installations default to running mysqld as the system root.
+
+ 1. Make sure you are running at least version 3.22.32 of MySQL as
+ earlier versions had notable security holes.
+ 2. Consult the documentation that came with your system for
+ information on making mysqld run as an unprivleged user.
+ 3. You should also be sure to disable the anonymous user account and
+ set a password for the root user. This is accomplished using the
+ following commands:
+
+bash$ mysql mysql
+mysql> DELETE FROM user WHERE user = '';
+mysql> UPDATE user SET password = password('new_password') WHERE user = 'root';
+mysql> FLUSH PRIVILEGES;
+
+
+ From this point forward you will need to use mysql -u root -p and
+ enter new_password when prompted when using the mysql client.
+ 4. If you run MySQL on the same machine as your httpd server, you
+ should consider disabling networking from within MySQL by adding
+ the following to your /etc/my.conf:
+
+[myslqd]
+# Prevent network access to MySQL.
+skip-networking
+
+
+ 5. You may also consider running MySQL, or even all of Bugzilla in a
+ chroot jail; however, instructions for doing that are beyond the
+ scope of this document.
+ _________________________________________________________________
+
+5.6.3. Daemon Accounts
+
+ Many daemons, such as Apache's httpd and MySQL's mysqld default to
+ running as either "root" or "nobody". Running as "root" introduces
+ obvious security problems, but the problems introduced by running
+ everything as "nobody" may not be so obvious. Basically, if you're
+ running every daemon as "nobody" and one of them gets comprimised,
+ they all get comprimised. For this reason it is recommended that you
+ create a user account for each daemon.
Note
- This also means that if your webserver runs all cgi scripts as the
- same user/group, anyone on the system who can run cgi scripts will be
- able to take control of your Bugzilla installation.
- On Apache, you can use .htaccess files to protect access to these
- directories, as outlined in Bug 57161 for the localconfig file,
- and Bug 65572 for adequate protection in your data/ directory.
- Note the instructions which follow are Apache-specific. If you use
- IIS, Netscape, or other non-Apache web servers, please consult
- your system documentation for how to secure these files from being
- transmitted to curious users.
- Place the following text into a file named ".htaccess", readable
- by your web server, in your $BUGZILLA_HOME/data directory.
- <Files comments> allow from all </Files>
- deny from all
- Place the following text into a file named ".htaccess", readable
- by your web server, in your $BUGZILLA_HOME/ directory.
- <Files localconfig> deny from all </Files>
- allow from all
+ You will need to set the webservergroup to the group you created for
+ your webserver to run as in localconfig. This will allow
+ ./checksetup.pl to better adjust the file permissions on your Bugzilla
+ install so as to not require making anything world-writable.
+ _________________________________________________________________
+
+5.6.4. Web Server Access Controls
+
+ There are many files that are placed in the Bugzilla directory area
+ that should not be accessable from the web. Because of the way
+ Bugzilla is currently layed out, the list of what should and should
+ not be accessible is rather complicated. A new installation method is
+ currently in the works which should solve this by allowing files that
+ shouldn't be accessible from the web to be placed in directory outside
+ the webroot. See bug 44659 for more information.
+
+ * In the main Bugzilla directory, you should:
+ + Block: *.pl, *localconfig*, runtests.sh, processmail,
+ syncshadowdb
+ + But allow: localconfig.js, localconfig.rdf
+ * In data:
+ + Block everything
+ + But allow: duplicates.rdf
+ * In data/webdot:
+ + If you use a remote webdot server:
+ o Block everything
+ o But allow *.dot only for the remote webdot server
+ + Otherwise, if you use a local GraphViz:
+ o Block everything
+ o But allow: *.png, *.gif, *.jpg, *.map
+ + And if you don't use any dot:
+ o Block everything
+ * In Bugzilla:
+ + Block everything
+ * In template:
+ + Block everything
+
+ Tip
+
+ Bugzilla ships with the ability to generate .htaccess files
+ instructing Apache which files should and should not be accessible.
+
+ You should test to make sure that the files mentioned above are not
+ accessible from the Internet, especially your localconfig file which
+ contains your database password. To test, simply point your web
+ browser at the file; for example, to test mozilla.org's installation,
+ we'd try to access http://bugzilla.mozilla.org/localconfig. You should
+ get a 403 Forbidden error.
+
+ Caution
+
+ Not following the instructions in this section, including testing, may
+ result in sensitive information being globally accessible.
_________________________________________________________________
5.7. Template Customisation
projects / thirdparty / bugzilla.git / commitdiff
