</para>
</section>
-
<section id="security">
<title>Bugzilla Security</title>
<note>
<para>These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
- of these directions for specific platforms, please submit them to
- <ulink url="mailto://mozilla-webtools@mozilla.org">
- mozilla-webtools@mozilla.org</ulink>
+ of these directions, please submit a bug to &bzg-bugs;.
</para>
</note>
- <para>To secure your installation:
-
- <orderedlist>
- <listitem>
- <para>Ensure you are running at least MysQL version 3.22.32 or newer.
- Earlier versions had notable security holes and (from a security
- point of view) poor default configuration choices.</para>
- </listitem>
+ <warning>
+ <para>This is not meant to be a comprehensive list of every possible
+ security issue regarding the tools mentioned in this section. There is
+ no subsitute for reading the information written by the authors of any
+ software running on your system.
+ </para>
+ </warning>
- <listitem>
- <para>
- <emphasis>There is no substitute for understanding the tools on your
- system!</emphasis>
+ <section id="security-networking">
+ <title>TCP/IP Ports</title>
+
+ <!-- TODO: Make this make sense (TCP/IP) -->
+ <para>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
+ only needs 1... 2 if you need to use features that require e-mail such
+ as bug moving or the e-mail interface from contrib. You should audit
+ your server and make sure that you aren't listening on any ports you
+ don't need to be. You may also wish to use some kind of firewall
+ software to be sure that trafic can only be recieved on ports you
+ specify.
+ </para>
+ </section>
- Read
- <ulink url="http://www.mysql.com/doc/P/r/Privilege_system.html">
- The MySQL Privilege System</ulink>
- until you can recite it from memory!</para>
- </listitem>
+ <section id="security-mysql">
+ <title>MySQL</title>
- <listitem>
- <para>Lock down /etc/inetd.conf. Heck, disable inet entirely on this
- box. It should only listen to port 25 for Sendmail and port 80 for
- Apache.</para>
- </listitem>
+ <para>MySQL ships by default with many settings that should be changed.
+ By defaults it allows anybody to connect from localhost without a
+ password and have full administrative capabilities. It also defaults to
+ not have a root password (this is <emphasis>not</emphasis> the same as
+ the system root). Also, many installations default to running
+ <application>mysqld</application> as the system root.
+ </para>
- <listitem>
- <para>Do not run Apache as
- <quote>nobody</quote>
+ <orderedlist>
+ <listitem>
+ <para>Make sure you are running at least version 3.22.32 of MySQL
+ as earlier versions had notable security holes.
+ </para>
+ </listitem>
- . This will require very lax permissions in your Bugzilla
- directories. Run it, instead, as a user with a name, set via your
- httpd.conf file.
- <note>
- <para>
- <quote>nobody</quote>
+ <listitem>
+ <para>Consult the documentation that came with your system for
+ information on making <application>mysqld</application> run as an
+ unprivleged user.
+ </para>
+ </listitem>
- is a real user on UNIX systems. Having a process run as user id
- <quote>nobody</quote>
+ <listitem>
+ <para>You should also be sure to disable the anonymous user account
+ and set a password for the root user. This is accomplished using the
+ following commands:
+ </para>
+ <programlisting>
+<prompt>bash$</prompt> mysql mysql
+<prompt>mysql></prompt> DELETE FROM user WHERE user = '';
+<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
+<prompt>mysql></prompt> FLUSH PRIVILEGES;
+ </programlisting>
+ <para>From this point forward you will need to use
+ <command>mysql -u root -p</command> and enter
+ <replaceable>new_password</replaceable> when prompted when using the
+ mysql client.
+ </para>
+ </listitem>
- is absolutely no protection against system crackers versus using
- any other user account. As a general security measure, I recommend
- you create unique user ID's for each daemon running on your system
- and, if possible, use "chroot" to jail that process away from the
- rest of your system.</para>
- </note>
- </para>
- </listitem>
+ <listitem>
+ <para>If you run MySQL on the same machine as your httpd server, you
+ should consider disabling networking from within MySQL by adding
+ the following to your <filename>/etc/my.conf</filename>:
+ </para>
+ <programlisting>
+[myslqd]
+# Prevent network access to MySQL.
+skip-networking
+ </programlisting>
+ </listitem>
- <listitem>
- <para>Ensure you have adequate access controls for the
- $BUGZILLA_HOME/data/ directory, as well as the
- $BUGZILLA_HOME/localconfig file.
- The localconfig file stores your "bugs" database account password.
- In addition, some
- files under $BUGZILLA_HOME/data/ store sensitive information.
+ <listitem>
+ <para>You may also consider running MySQL, or even all of Bugzilla
+ in a chroot jail; however, instructions for doing that are beyond
+ the scope of this document.
+ </para>
+ </listitem>
+
+ </orderedlist>
+
+ </section>
+
+ <section id="security-daemon">
+ <title>Daemon Accounts</title>
+
+ <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to
+ running as either <quote>root</quote> or <quote>nobody</quote>. Running
+ as <quote>root</quote> introduces obvious security problems, but the
+ problems introduced by running everything as <quote>nobody</quote> may
+ not be so obvious. Basically, if you're running every daemon as
+ <quote>nobody</quote> and one of them gets comprimised, they all get
+ comprimised. For this reason it is recommended that you create a user
+ account for each daemon.
+ </para>
+
+ <note>
+ <para>You will need to set the <varname>webservergroup</varname> to
+ the group you created for your webserver to run as in
+ <filename>localconfig</filename>. This will allow
+ <command>./checksetup.pl</command> to better adjust the file
+ permissions on your Bugzilla install so as to not require making
+ anything world-writable.
</para>
+ </note>
- <para>Bugzilla provides default .htaccess files to protect the most
- common Apache installations. However, you should verify these are
- adequate according to the site-wide security policy of your web
- server, and ensure that the .htaccess files are allowed to
- "override" default permissions set in your Apache configuration
- files. Covering Apache security is beyond the scope of this Guide;
- please consult the Apache documentation for details.</para>
-
- <para>If you are using a web server that does not support the
- .htaccess control method,
- <emphasis>you are at risk!</emphasis>
-
- After installing, check to see if you can view the file
- "localconfig" in your web browser (e.g.:
- <ulink url="http://bugzilla.mozilla.org/localconfig">
- http://bugzilla.mozilla.org/localconfig</ulink>
-
- ). If you can read the contents of this file, your web server has
- not secured your bugzilla directory properly and you must fix this
- problem before deploying Bugzilla. If, however, it gives you a
- "Forbidden" error, then it probably respects the .htaccess
- conventions and you are good to go.</para>
-
- <para>When you run checksetup.pl, the script will attempt to modify
- various permissions on files which Bugzilla uses. If you do not have
- a webservergroup set in the localconfig file, then Bugzilla will have
- to make certain files world readable and/or writable.
- <emphasis>THIS IS INSECURE!</emphasis>
-
- . This means that anyone who can get access to your system can do
- whatever they want to your Bugzilla installation.</para>
+ </section>
- <note>
- <para>This also means that if your webserver runs all cgi scripts
- as the same user/group, anyone on the system who can run cgi
- scripts will be able to take control of your Bugzilla
- installation.</para>
- </note>
+ <section id="security-access">
+ <title>Web Server Access Controls</title>
+
+ <para>There are many files that are placed in the Bugzilla directory
+ area that should not be accessable from the web. Because of the way
+ Bugzilla is currently layed out, the list of what should and should
+ not be accessible is rather complicated. A new installation method
+ is currently in the works which should solve this by allowing files
+ that shouldn't be accessible from the web to be placed in directory
+ outside the webroot. See
+ <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=44659">bug
+ 44659</ulink> for more information.
+ </para>
- <para>On Apache, you can use .htaccess files to protect access to
- these directories, as outlined in
- <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=57161">Bug
- 57161</ulink>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>In the main Bugzilla directory, you should:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block:
+ <simplelist type="inline">
+ <member><filename>*.pl</filename></member>
+ <member><filename>*localconfig*</filename></member>
+ <member><filename>runtests.sh</filename></member>
+ <member><filename>processmail</filename></member>
+ <member><filename>syncshadowdb</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>localconfig.js</filename></member>
+ <member><filename>localconfig.rdf</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- for the localconfig file, and
- <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=65572">Bug
- 65572</ulink>
+ <listitem>
+ <para>In <filename class="directory">data</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>duplicates.rdf</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- for adequate protection in your data/ directory.</para>
+ <listitem>
+ <para>In <filename class="directory">data/webdot</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>If you use a remote webdot server:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow
+ <simplelist type="inline">
+ <member><filename>*.dot</filename></member>
+ </simplelist>
+ only for the remote webdot server</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>Otherwise, if you use a local GraphViz:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>*.png</filename></member>
+ <member><filename>*.gif</filename></member>
+ <member><filename>*.jpg</filename></member>
+ <member><filename>*.map</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>And if you don't use any dot:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- <para>Note the instructions which follow are Apache-specific. If you
- use IIS, Netscape, or other non-Apache web servers, please consult
- your system documentation for how to secure these files from being
- transmitted to curious users.</para>
+ <listitem>
+ <para>In <filename class="directory">Bugzilla</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- <para>Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/data directory.
- <literallayout><Files comments> allow from all </Files>
- deny from all</literallayout>
+ <listitem>
+ <para>In <filename class="directory">template</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+
+ <tip>
+ <para>Bugzilla ships with the ability to generate
+ <filename>.htaccess</filename> files instructing Apache which files
+ should and should not be accessible.
</para>
+ </tip>
+
+ <para>You should test to make sure that the files mentioned above are
+ not accessible from the Internet, especially your
+ <filename>localconfig</filename> file which contains your database
+ password. To test, simply point your web browser at the file; for
+ example, to test mozilla.org's installation, we'd try to access
+ <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should
+ get a <errorcode>403</errorcode> <errorname>Forbidden</errorname>
+ error.
+ </para>
- <para>Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/ directory.
- <literallayout><Files localconfig> deny from all </Files>
- allow from all</literallayout>
+ <caution>
+ <para>Not following the instructions in this section, including
+ testing, may result in sensitive information being globally
+ accessible.
</para>
+ </caution>
+
+ </section>
- </listitem>
- </orderedlist>
- </para>
</section>
<section id="cust-templates">
</note>
</section>
- <section>
- <title>Securing MySQL</title>
-
- <para>If you followed the installation instructions for setting up your
- "bugs" and "root" user in MySQL, much of this should not apply to you.
- If you are upgrading an existing installation of Bugzilla, you should
- pay close attention to this section.</para>
-
- <para>Most MySQL installs have "interesting" default security
- parameters:
- <simplelist>
- <member>mysqld defaults to running as root</member>
-
- <member>it defaults to allowing external network connections</member>
-
- <member>it has a known port number, and is easy to detect</member>
-
- <member>it defaults to no passwords whatsoever</member>
-
- <member>it defaults to allowing "File_Priv"</member>
- </simplelist>
- </para>
-
- <para>This means anyone from anywhere on the internet can not only drop
- the database with one SQL command, and they can write as root to the
- system.</para>
-
- <para>To see your permissions do:
- <simplelist>
- <member>
- <computeroutput>
- <prompt>bash#</prompt>
-
- <command>mysql -u root -p</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>use mysql;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>show tables;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>select * from user;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>select * from db;</command>
- </computeroutput>
- </member>
- </simplelist>
- </para>
-
- <para>To fix the gaping holes:
- <simplelist>
- <member>DELETE FROM user WHERE User='';</member>
-
- <member>UPDATE user SET Password=PASSWORD('new_password') WHERE
- user='root';</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>If you're not running "mit-pthreads" you can use:
- <simplelist>
- <member>GRANT USAGE ON *.* TO bugs@localhost;</member>
-
- <member>GRANT ALL ON bugs.* TO bugs@localhost;</member>
-
- <member>REVOKE DROP ON bugs.* FROM bugs@localhost;</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>With "mit-pthreads" you'll need to modify the "globals.pl"
- Mysql->Connect line to specify a specific host name instead of
- "localhost", and accept external connections:
- <simplelist>
- <member>GRANT USAGE ON *.* TO bugs@bounce.hop.com;</member>
-
- <member>GRANT ALL ON bugs.* TO bugs@bounce.hop.com;</member>
-
- <member>REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com;</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>Consider also:
- <orderedlist>
- <listitem>
- <para>Turning off external networking with "--skip-networking",
- unless you have "mit-pthreads", in which case you can't. Without
- networking, MySQL connects with a Unix domain socket.</para>
- </listitem>
-
- <listitem>
- <para>using the --user= option to mysqld to run it as an
- unprivileged user.</para>
- </listitem>
-
- <listitem>
- <para>running MySQL in a chroot jail</para>
- </listitem>
-
- <listitem>
- <para>running the httpd in a chroot jail</para>
- </listitem>
-
- <listitem>
- <para>making sure the MySQL passwords are different from the OS
- passwords (MySQL "root" has nothing to do with system
- "root").</para>
- </listitem>
-
- <listitem>
- <para>running MySQL on a separate untrusted machine</para>
- </listitem>
-
- <listitem>
- <para>making backups ;-)</para>
- </listitem>
- </orderedlist>
- </para>
- </section>
-
<section>
<title>Configuring Bugzilla</title>
<para>
<emphasis>not necessary</emphasis>
for Bugzilla 2.13 and later, which includes the current release,
- Bugzilla &bz-ver;.
+ Bugzilla &bz-ver;.
<example>
<title>Removing encrypt() for Windows NT Bugzilla version 2.12 or
earlier</title>
</para>
</section>
-
<section id="security">
<title>Bugzilla Security</title>
<note>
<para>These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
- of these directions for specific platforms, please submit them to
- <ulink url="mailto://mozilla-webtools@mozilla.org">
- mozilla-webtools@mozilla.org</ulink>
+ of these directions, please submit a bug to &bzg-bugs;.
</para>
</note>
- <para>To secure your installation:
-
- <orderedlist>
- <listitem>
- <para>Ensure you are running at least MysQL version 3.22.32 or newer.
- Earlier versions had notable security holes and (from a security
- point of view) poor default configuration choices.</para>
- </listitem>
+ <warning>
+ <para>This is not meant to be a comprehensive list of every possible
+ security issue regarding the tools mentioned in this section. There is
+ no subsitute for reading the information written by the authors of any
+ software running on your system.
+ </para>
+ </warning>
- <listitem>
- <para>
- <emphasis>There is no substitute for understanding the tools on your
- system!</emphasis>
+ <section id="security-networking">
+ <title>TCP/IP Ports</title>
+
+ <!-- TODO: Make this make sense (TCP/IP) -->
+ <para>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
+ only needs 1... 2 if you need to use features that require e-mail such
+ as bug moving or the e-mail interface from contrib. You should audit
+ your server and make sure that you aren't listening on any ports you
+ don't need to be. You may also wish to use some kind of firewall
+ software to be sure that trafic can only be recieved on ports you
+ specify.
+ </para>
+ </section>
- Read
- <ulink url="http://www.mysql.com/doc/P/r/Privilege_system.html">
- The MySQL Privilege System</ulink>
- until you can recite it from memory!</para>
- </listitem>
+ <section id="security-mysql">
+ <title>MySQL</title>
- <listitem>
- <para>Lock down /etc/inetd.conf. Heck, disable inet entirely on this
- box. It should only listen to port 25 for Sendmail and port 80 for
- Apache.</para>
- </listitem>
+ <para>MySQL ships by default with many settings that should be changed.
+ By defaults it allows anybody to connect from localhost without a
+ password and have full administrative capabilities. It also defaults to
+ not have a root password (this is <emphasis>not</emphasis> the same as
+ the system root). Also, many installations default to running
+ <application>mysqld</application> as the system root.
+ </para>
- <listitem>
- <para>Do not run Apache as
- <quote>nobody</quote>
+ <orderedlist>
+ <listitem>
+ <para>Make sure you are running at least version 3.22.32 of MySQL
+ as earlier versions had notable security holes.
+ </para>
+ </listitem>
- . This will require very lax permissions in your Bugzilla
- directories. Run it, instead, as a user with a name, set via your
- httpd.conf file.
- <note>
- <para>
- <quote>nobody</quote>
+ <listitem>
+ <para>Consult the documentation that came with your system for
+ information on making <application>mysqld</application> run as an
+ unprivleged user.
+ </para>
+ </listitem>
- is a real user on UNIX systems. Having a process run as user id
- <quote>nobody</quote>
+ <listitem>
+ <para>You should also be sure to disable the anonymous user account
+ and set a password for the root user. This is accomplished using the
+ following commands:
+ </para>
+ <programlisting>
+<prompt>bash$</prompt> mysql mysql
+<prompt>mysql></prompt> DELETE FROM user WHERE user = '';
+<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
+<prompt>mysql></prompt> FLUSH PRIVILEGES;
+ </programlisting>
+ <para>From this point forward you will need to use
+ <command>mysql -u root -p</command> and enter
+ <replaceable>new_password</replaceable> when prompted when using the
+ mysql client.
+ </para>
+ </listitem>
- is absolutely no protection against system crackers versus using
- any other user account. As a general security measure, I recommend
- you create unique user ID's for each daemon running on your system
- and, if possible, use "chroot" to jail that process away from the
- rest of your system.</para>
- </note>
- </para>
- </listitem>
+ <listitem>
+ <para>If you run MySQL on the same machine as your httpd server, you
+ should consider disabling networking from within MySQL by adding
+ the following to your <filename>/etc/my.conf</filename>:
+ </para>
+ <programlisting>
+[myslqd]
+# Prevent network access to MySQL.
+skip-networking
+ </programlisting>
+ </listitem>
- <listitem>
- <para>Ensure you have adequate access controls for the
- $BUGZILLA_HOME/data/ directory, as well as the
- $BUGZILLA_HOME/localconfig file.
- The localconfig file stores your "bugs" database account password.
- In addition, some
- files under $BUGZILLA_HOME/data/ store sensitive information.
+ <listitem>
+ <para>You may also consider running MySQL, or even all of Bugzilla
+ in a chroot jail; however, instructions for doing that are beyond
+ the scope of this document.
+ </para>
+ </listitem>
+
+ </orderedlist>
+
+ </section>
+
+ <section id="security-daemon">
+ <title>Daemon Accounts</title>
+
+ <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to
+ running as either <quote>root</quote> or <quote>nobody</quote>. Running
+ as <quote>root</quote> introduces obvious security problems, but the
+ problems introduced by running everything as <quote>nobody</quote> may
+ not be so obvious. Basically, if you're running every daemon as
+ <quote>nobody</quote> and one of them gets comprimised, they all get
+ comprimised. For this reason it is recommended that you create a user
+ account for each daemon.
+ </para>
+
+ <note>
+ <para>You will need to set the <varname>webservergroup</varname> to
+ the group you created for your webserver to run as in
+ <filename>localconfig</filename>. This will allow
+ <command>./checksetup.pl</command> to better adjust the file
+ permissions on your Bugzilla install so as to not require making
+ anything world-writable.
</para>
+ </note>
- <para>Bugzilla provides default .htaccess files to protect the most
- common Apache installations. However, you should verify these are
- adequate according to the site-wide security policy of your web
- server, and ensure that the .htaccess files are allowed to
- "override" default permissions set in your Apache configuration
- files. Covering Apache security is beyond the scope of this Guide;
- please consult the Apache documentation for details.</para>
-
- <para>If you are using a web server that does not support the
- .htaccess control method,
- <emphasis>you are at risk!</emphasis>
-
- After installing, check to see if you can view the file
- "localconfig" in your web browser (e.g.:
- <ulink url="http://bugzilla.mozilla.org/localconfig">
- http://bugzilla.mozilla.org/localconfig</ulink>
-
- ). If you can read the contents of this file, your web server has
- not secured your bugzilla directory properly and you must fix this
- problem before deploying Bugzilla. If, however, it gives you a
- "Forbidden" error, then it probably respects the .htaccess
- conventions and you are good to go.</para>
-
- <para>When you run checksetup.pl, the script will attempt to modify
- various permissions on files which Bugzilla uses. If you do not have
- a webservergroup set in the localconfig file, then Bugzilla will have
- to make certain files world readable and/or writable.
- <emphasis>THIS IS INSECURE!</emphasis>
-
- . This means that anyone who can get access to your system can do
- whatever they want to your Bugzilla installation.</para>
+ </section>
- <note>
- <para>This also means that if your webserver runs all cgi scripts
- as the same user/group, anyone on the system who can run cgi
- scripts will be able to take control of your Bugzilla
- installation.</para>
- </note>
+ <section id="security-access">
+ <title>Web Server Access Controls</title>
+
+ <para>There are many files that are placed in the Bugzilla directory
+ area that should not be accessable from the web. Because of the way
+ Bugzilla is currently layed out, the list of what should and should
+ not be accessible is rather complicated. A new installation method
+ is currently in the works which should solve this by allowing files
+ that shouldn't be accessible from the web to be placed in directory
+ outside the webroot. See
+ <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=44659">bug
+ 44659</ulink> for more information.
+ </para>
- <para>On Apache, you can use .htaccess files to protect access to
- these directories, as outlined in
- <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=57161">Bug
- 57161</ulink>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>In the main Bugzilla directory, you should:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block:
+ <simplelist type="inline">
+ <member><filename>*.pl</filename></member>
+ <member><filename>*localconfig*</filename></member>
+ <member><filename>runtests.sh</filename></member>
+ <member><filename>processmail</filename></member>
+ <member><filename>syncshadowdb</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>localconfig.js</filename></member>
+ <member><filename>localconfig.rdf</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- for the localconfig file, and
- <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=65572">Bug
- 65572</ulink>
+ <listitem>
+ <para>In <filename class="directory">data</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>duplicates.rdf</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- for adequate protection in your data/ directory.</para>
+ <listitem>
+ <para>In <filename class="directory">data/webdot</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>If you use a remote webdot server:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow
+ <simplelist type="inline">
+ <member><filename>*.dot</filename></member>
+ </simplelist>
+ only for the remote webdot server</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>Otherwise, if you use a local GraphViz:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ <listitem>
+ <para>But allow:
+ <simplelist type="inline">
+ <member><filename>*.png</filename></member>
+ <member><filename>*.gif</filename></member>
+ <member><filename>*.jpg</filename></member>
+ <member><filename>*.map</filename></member>
+ </simplelist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>And if you don't use any dot:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- <para>Note the instructions which follow are Apache-specific. If you
- use IIS, Netscape, or other non-Apache web servers, please consult
- your system documentation for how to secure these files from being
- transmitted to curious users.</para>
+ <listitem>
+ <para>In <filename class="directory">Bugzilla</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
- <para>Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/data directory.
- <literallayout><Files comments> allow from all </Files>
- deny from all</literallayout>
+ <listitem>
+ <para>In <filename class="directory">template</filename>:</para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Block everything</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+
+ <tip>
+ <para>Bugzilla ships with the ability to generate
+ <filename>.htaccess</filename> files instructing Apache which files
+ should and should not be accessible.
</para>
+ </tip>
+
+ <para>You should test to make sure that the files mentioned above are
+ not accessible from the Internet, especially your
+ <filename>localconfig</filename> file which contains your database
+ password. To test, simply point your web browser at the file; for
+ example, to test mozilla.org's installation, we'd try to access
+ <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should
+ get a <errorcode>403</errorcode> <errorname>Forbidden</errorname>
+ error.
+ </para>
- <para>Place the following text into a file named ".htaccess",
- readable by your web server, in your $BUGZILLA_HOME/ directory.
- <literallayout><Files localconfig> deny from all </Files>
- allow from all</literallayout>
+ <caution>
+ <para>Not following the instructions in this section, including
+ testing, may result in sensitive information being globally
+ accessible.
</para>
+ </caution>
+
+ </section>
- </listitem>
- </orderedlist>
- </para>
</section>
<section id="cust-templates">
</note>
</section>
- <section>
- <title>Securing MySQL</title>
-
- <para>If you followed the installation instructions for setting up your
- "bugs" and "root" user in MySQL, much of this should not apply to you.
- If you are upgrading an existing installation of Bugzilla, you should
- pay close attention to this section.</para>
-
- <para>Most MySQL installs have "interesting" default security
- parameters:
- <simplelist>
- <member>mysqld defaults to running as root</member>
-
- <member>it defaults to allowing external network connections</member>
-
- <member>it has a known port number, and is easy to detect</member>
-
- <member>it defaults to no passwords whatsoever</member>
-
- <member>it defaults to allowing "File_Priv"</member>
- </simplelist>
- </para>
-
- <para>This means anyone from anywhere on the internet can not only drop
- the database with one SQL command, and they can write as root to the
- system.</para>
-
- <para>To see your permissions do:
- <simplelist>
- <member>
- <computeroutput>
- <prompt>bash#</prompt>
-
- <command>mysql -u root -p</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>use mysql;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>show tables;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>select * from user;</command>
- </computeroutput>
- </member>
-
- <member>
- <computeroutput>
- <prompt>mysql></prompt>
-
- <command>select * from db;</command>
- </computeroutput>
- </member>
- </simplelist>
- </para>
-
- <para>To fix the gaping holes:
- <simplelist>
- <member>DELETE FROM user WHERE User='';</member>
-
- <member>UPDATE user SET Password=PASSWORD('new_password') WHERE
- user='root';</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>If you're not running "mit-pthreads" you can use:
- <simplelist>
- <member>GRANT USAGE ON *.* TO bugs@localhost;</member>
-
- <member>GRANT ALL ON bugs.* TO bugs@localhost;</member>
-
- <member>REVOKE DROP ON bugs.* FROM bugs@localhost;</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>With "mit-pthreads" you'll need to modify the "globals.pl"
- Mysql->Connect line to specify a specific host name instead of
- "localhost", and accept external connections:
- <simplelist>
- <member>GRANT USAGE ON *.* TO bugs@bounce.hop.com;</member>
-
- <member>GRANT ALL ON bugs.* TO bugs@bounce.hop.com;</member>
-
- <member>REVOKE DROP ON bugs.* FROM bugs@bounce.hop.com;</member>
-
- <member>FLUSH PRIVILEGES;</member>
- </simplelist>
- </para>
-
- <para>Consider also:
- <orderedlist>
- <listitem>
- <para>Turning off external networking with "--skip-networking",
- unless you have "mit-pthreads", in which case you can't. Without
- networking, MySQL connects with a Unix domain socket.</para>
- </listitem>
-
- <listitem>
- <para>using the --user= option to mysqld to run it as an
- unprivileged user.</para>
- </listitem>
-
- <listitem>
- <para>running MySQL in a chroot jail</para>
- </listitem>
-
- <listitem>
- <para>running the httpd in a chroot jail</para>
- </listitem>
-
- <listitem>
- <para>making sure the MySQL passwords are different from the OS
- passwords (MySQL "root" has nothing to do with system
- "root").</para>
- </listitem>
-
- <listitem>
- <para>running MySQL on a separate untrusted machine</para>
- </listitem>
-
- <listitem>
- <para>making backups ;-)</para>
- </listitem>
- </orderedlist>
- </para>
- </section>
-
<section>
<title>Configuring Bugzilla</title>
<para>
<emphasis>not necessary</emphasis>
for Bugzilla 2.13 and later, which includes the current release,
- Bugzilla &bz-ver;.
+ Bugzilla &bz-ver;.
<example>
<title>Removing encrypt() for Windows NT Bugzilla version 2.12 or
earlier</title>
projects / thirdparty / bugzilla.git / commitdiff
