<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: installation.xml,v 1.165.2.4 2009/08/13 21:45:34 lpsolit%gmail.com Exp $ -->
+<!-- $Id: installation.xml,v 1.165.2.5 2009/08/18 11:03:25 lpsolit%gmail.com Exp $ -->
<chapter id="installing-bugzilla">
<title>Installing Bugzilla</title>
<caution>
<para>
- MySQL's default configuration is very insecure.
- <xref linkend="security-mysql"/> has some good information for
- improving your installation's security.
+ MySQL's default configuration is insecure.
+ We highly recommend to run <filename>mysql_secure_installation</filename>
+ on Linux or the MySQL installer on Windows, and follow the instructions.
+ Important points to note are:
+ <orderedlist>
+ <listitem>
+ <para>Be sure that the root account has a secure password set.</para>
+ </listitem>
+ <listitem>
+ <para>Do not create an anonymous account, and if it exists, say "yes"
+ to remove it.</para>
+ </listitem>
+ <listitem>
+ <para>If your web server and MySQL server are on the same machine,
+ you should disable the network access.</para>
+ </listitem>
+ </orderedlist>
</para>
</caution>
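Review bot: item 3 of the new caution tells the reader to disable network access but the patch no longer says how, since the only concrete instruction for that (`[mysqld]` / `skip-networking` in `/etc/my.cnf`) is deleted from security.xml in this same change and the caution otherwise defers to the tool's own prompts; keep the three-line `[mysqld]` `skip-networking` snippet in the caution, or keep an xref to a section that still shows it. Wording: "We highly recommend to run" should be "We highly recommend running", and "disable the network access" should be "disable network access".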
<title>Allow large attachments and many comments</title>
<para>By default, MySQL will only allow you to insert things
- into the database that are smaller than 64KB. Attachments
+ into the database that are smaller than 1MB. Attachments
may be larger than this. Also, Bugzilla combines all comments
on a single bug into one field for full-text searching, and the
- combination of all comments on a single bug are very likely to
- be larger than 64KB.</para>
+ combination of all comments on a single bug could in some cases
+ be larger than 1MB.</para>
<para>To change MySQL's default, you need to edit your MySQL
configuration file, which is usually <filename>/etc/my.cnf</filename>
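Review bot: the 64KB to 1MB correction is fine, but the paragraph still says "by default" without naming the setting, so a reader cannot check the figure against their own server; name the variable (`max_allowed_packet`, checkable with `SHOW VARIABLES LIKE 'max_allowed_packet'`) and say that the default depends on the MySQL version, which is exactly why the old 64KB number went stale. "could in some cases be larger than 1MB" reads better as "can be larger than 1MB".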
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: security.xml,v 1.19 2008/05/21 00:01:04 lpsolit%gmail.com Exp $ -->
+<!-- $Id: security.xml,v 1.19.4.1 2009/08/18 11:03:28 lpsolit%gmail.com Exp $ -->
<chapter id="security">
<title>Bugzilla Security</title>
</section>
</section>
-
-
-
- <section id="security-mysql">
- <title>MySQL</title>
-
- <section id="security-mysql-account">
- <title>The MySQL System Account</title>
-
- <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
- daemon should run as a non-privileged, unique user. Be sure to consult
- the MySQL documentation or the documentation that came with your system
- for instructions.
- </para>
- </section>
-
- <section id="security-mysql-root">
- <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
-
- <para>By default, MySQL comes with a <quote>root</quote> user with a
- blank password and an <quote>anonymous</quote> user, also with a blank
- password. In order to protect your data, the <quote>root</quote> user
- should be given a password and the anonymous user should be disabled.
- </para>
-
- <example id="security-mysql-account-root">
- <title>Assigning the MySQL <quote>root</quote> User a Password</title>
-
- <screen>
-<prompt>bash$</prompt> mysql mysql
-<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
-<prompt>mysql></prompt> FLUSH PRIVILEGES;
- </screen>
- </example>
-
- <example id="security-mysql-account-anonymous">
- <title>Disabling the MySQL <quote>anonymous</quote> User</title>
- <screen>
-<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/>
-<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
-<prompt>mysql></prompt> DELETE FROM user WHERE user = '';
-<prompt>mysql></prompt> FLUSH PRIVILEGES;
- </screen>
- <calloutlist>
- <callout arearefs="security-mysql-account-anonymous-mysql">
- <para>This command assumes that you have already completed
- <xref linkend="security-mysql-account-root"/>.
- </para>
- </callout>
- </calloutlist>
- </example>
-
- </section>
-
- <section id="security-mysql-network">
- <title>Network Access</title>
-
- <para>If MySQL and your web server both run on the same machine and you
- have no other reason to access MySQL remotely, then you should disable
- the network access. This, along with the suggestion in
- <xref linkend="security-os-ports"/>, will help protect your system from
- any remote vulnerabilities in MySQL.
- </para>
-
- <example id="security-mysql-network-ex">
- <title>Disabling Networking in MySQL</title>
-
- <para>Simply enter the following in <filename>/etc/my.cnf</filename>:
- <screen>
-[mysqld]
-# Prevent network access to MySQL.
-skip-networking
- </screen>
- </para>
- </example>
-
- </section>
-
-<!-- For possible addition in the future: How to better control the bugs user
- <section id="security-mysql-bugs">
- <title>The bugs User</title>
-
- </section>
--->
-
- </section>
-
-
-
<section id="security-webserver">
<title>Web server</title>
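Review bot: deleting the whole `security-mysql` section also deletes the ids `security-mysql`, `security-mysql-account`, `security-mysql-root`, `security-mysql-account-root`, `security-mysql-account-anonymous` and `security-mysql-network`; the installation.xml hunk removes one `<xref linkend="security-mysql"/>`, but any other xref to these ids elsewhere in the book will now break the DocBook build, so grep the rest of the docs before landing. The removed `security-mysql-account` subsection (run the MySQL daemon as a non-privileged, unique user) has no counterpart in the new installation caution, so that advice is lost rather than relocated; keep that paragraph, for example under `security-os-accounts`, which it already cross-referenced. If the root-password example is ever restored, replace `UPDATE user SET password = password(...)`, which edits the grant table directly, with a `SET PASSWORD` statement.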