WIP
git-svn-id: svn://10.0.0.236/trunk@265709 18797224-902f-48f8-a5cc-f745e15eee43
parent
6f6b960826
commit
a8908d5eb9
@ -1 +1 @@
9237
9238
@ -1 +1 @@
183bf9ac1928e570a922057954aa38e1d40dadb7
1d769a4744586b2a0125338aceece84733a6e5e3
@ -8,6 +8,8 @@ Bugs in Bugzilla are classified into one of a set of admin-defined Components.
Components are themselves each part of a single Product. Optionally, Products
can be part of a single Classification, adding a third level to the hierarchy.

.. _classifications:

Classifications
###############

@ -69,7 +71,7 @@ Version
Create chart datasets for this product
Select to make chart datasets available for this product.

It is compulsory to create at least one :ref:`component` in a product, and
It is compulsory to create at least one :ref:`component <components>` in a product, and
so you will be asked for the details of that too.

When editing a product you can change all of the above, and there is also a

@ -85,7 +85,7 @@ The following attributes must be set for each new custom field:
- *Can be set on bug creation:*
Boolean that determines whether this field can be set on
bug creation. If not selected, then a bug must be created
before this field can be set. See :ref:`bugreports`
before this field can be set. See :ref:`filing`
for information about filing bugs.

- *Displayed in bugmail for new bugs:*

@ -166,8 +166,8 @@ A User can become a member of a group in several ways:
address in the search results to edit their profile. The profile
page lists all the groups, and indicates if the user is a member of
the group either directly or indirectly. More information on indirect
group membership is below. For more details on User administration,
see :ref:`useradmin`.
group membership is below. For more details on User Administration,
see :ref:`users`.

#. The group can include another group of which the user is
a member. This is indicated by square brackets around the checkbox

@ -11,7 +11,7 @@ bugs much easier.

Keywords are global, rather than per-product. If the administrator changes
a keyword currently applied to any bugs, the keyword cache must be rebuilt
using the :ref:`sanitycheck` script. XXXDoes this mean changing the name of the keyword? Is it still true?
using the :ref:`sanity-check` script. XXXDoes this mean changing the name of the keyword? Is it still true?
Currently keywords cannot
be marked obsolete to prevent future usage.


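Review bot: the editorial question `XXXDoes this mean changing the name of the keyword? Is it still true?` is carried over verbatim onto the rewritten line, so it will be published as body text of the Keywords page; either answer it here or move it out of the rendered output as an RST comment (a `.. ` line) so only the `:ref:` fix ships.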
@ -94,11 +94,7 @@ Serving the web pages

As is the case on Unix based systems, any web server should
be able to handle Bugzilla; however, the Bugzilla Team still
recommends Apache whenever asked. No matter what web server
you choose, be sure to pay attention to the security notes
in :ref:`security-webserver-access`. More
information on configuring specific web servers can be found
in :ref:`http`.
recommends Apache whenever asked.

.. note:: The web server looks at :file:`/usr/bin/perl` to
call Perl. If you are using Apache on windows, you can set the

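Review bot: dropping the sentences that point at :ref:`security-webserver-access` and :ref:`http` removes the only reminder in the Windows web-server section to keep `localconfig` and the `*.pl` files off the web, and the hunk further down deletes security.rst, which held that guidance. Suggest keeping a one-line pointer to wherever that advice is being moved (or moving it in this same commit) rather than leaving the section with "recommends Apache whenever asked." alone.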
@ -3,6 +3,4 @@
Integration Tips
################




XXX Do we have any of these?

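Review bot: after the two blank lines are trimmed, `XXX Do we have any of these?` is still the entire body of the Integration Tips page and will render as published text; mark it as an RST comment or drop the page from the toctree until it has content.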
@ -17,6 +17,12 @@ MySQL

:command:`mysqldump --opt -u $USERNAME -p $DATABASENAME > backup.sql`

See the
`mysqldump documentation <http://dev.mysql.com/doc/mysql/en/mysqldump.html>`_
for more information on :file:`mysqldump`.

.. todo:: Mention max_allowed_packet?

PostgreSQL
----------


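Review bot: the new `.. todo:: Mention max_allowed_packet?` directive is only recognised when `sphinx.ext.todo` is listed in the `extensions` of conf.py; without it Sphinx reports an unknown directive and the build fails. While touching this block, one sentence after the `mysqldump` command would help: `backup.sql` is a full copy of the bug database, so it should be written somewhere with the same restrictive permissions as `localconfig`, not left in a web-served directory.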
@ -1,165 +0,0 @@
.. _security:

=================
Bugzilla Security
=================

While some of the items in this chapter are related to the operating
system Bugzilla is running on or some of the support software required to
run Bugzilla, it is all related to protecting your data. This is not
intended to be a comprehensive guide to securing Linux, Apache, MySQL, or
any other piece of software mentioned. There is no substitute for active
administration and monitoring of a machine. The key to good security is
actually right in the middle of the word: *U R It*.

While programmers in general always strive to write secure code,
accidents can and do happen. The best approach to security is to always
assume that the program you are working with isn't 100% secure and restrict
its access to other parts of your machine as much as possible.

.. _security-os:

Operating System
################

.. _security-os-ports:

TCP/IP Ports
============

.. COMMENT: TODO: Get exact number of ports

The TCP/IP standard defines more than 65,000 ports for sending
and receiving traffic. Of those, Bugzilla needs exactly one to operate
(different configurations and options may require up to 3). You should
audit your server and make sure that you aren't listening on any ports
you don't need to be. It's also highly recommended that the server
Bugzilla resides on, along with any other machines you administer, be
placed behind some kind of firewall.

.. _security-os-accounts:

System User Accounts
====================

Many daemons, such
as Apache's :file:`httpd` or MySQL's
:file:`mysqld`, run as either ``root`` or
``nobody``. This is even worse on Windows machines where the
majority of services
run as ``SYSTEM``. While running as ``root`` or
``SYSTEM`` introduces obvious security concerns, the
problems introduced by running everything as ``nobody`` may
not be so obvious. Basically, if you run every daemon as
``nobody`` and one of them gets compromised it can
compromise every other daemon running as ``nobody`` on your
machine. For this reason, it is recommended that you create a user
account for each daemon.

.. note:: You will need to set the ``webservergroup`` option
in :file:`localconfig` to the group your web server runs
as. This will allow :file:`./checksetup.pl` to set file
permissions on Unix systems so that nothing is world-writable.

.. _security-os-chroot:

The :file:`chroot` Jail
=======================

If your system supports it, you may wish to consider running
Bugzilla inside of a :file:`chroot` jail. This option
provides unprecedented security by restricting anything running
inside the jail from accessing any information outside of it. If you
wish to use this option, please consult the documentation that came
with your system.

.. _security-webserver:

Web server
##########

.. _security-webserver-access:

Disabling Remote Access to Bugzilla Configuration Files
=======================================================

There are many files that are placed in the Bugzilla directory
area that should not be accessible from the web server. Because of the way
Bugzilla is currently layed out, the list of what should and should not
be accessible is rather complicated. A quick way is to run
:file:`testserver.pl` to check if your web server serves
Bugzilla files as expected. If not, you may want to follow the few
steps below.

.. note:: Bugzilla ships with the ability to create :file:`.htaccess`
files that enforce these rules. Instructions for enabling these
directives in Apache can be found in :ref:`http-apache`

- In the main Bugzilla directory, you should:
- Block: :file:`*.pl`, :file:`*localconfig*`

- In :file:`data`:
- Block everything

- In :file:`data/webdot`:

- If you use a remote webdot server:

- Block everything
- But allow :file:`*.dot`
only for the remote webdot server
- Otherwise, if you use a local GraphViz:

- Block everything
- But allow: :file:`*.png`, :file:`*.gif`, :file:`*.jpg`, :file:`*.map`
- And if you don't use any dot:

- Block everything

- In :file:`Bugzilla`:
- Block everything

- In :file:`template`:
- Block everything

Be sure to test that data that should not be accessed remotely is
properly blocked. Of particular interest is the localconfig file which
contains your database password. Also, be aware that many editors
create temporary and backup files in the working directory and that
those should also not be accessible. For more information, see
`bug 186383 <http://bugzilla.mozilla.org/show_bug.cgi?id=186383>`_
or
`Bugtraq ID 6501 <http://online.securityfocus.com/bid/6501>`_.
To test, simply run :file:`testserver.pl`, as said above.

.. note:: Be sure to check :ref:`http` for instructions
specific to the web server you use.

.. _security-bugzilla:

Bugzilla
########

.. _security-bugzilla-charset:

Prevent users injecting malicious Javascript
============================================

If you installed Bugzilla version 2.22 or later from scratch,
then the *utf8* parameter is switched on by default.
This makes Bugzilla explicitly set the character encoding, following
`a
CERT advisory <http://www.cert.org/tech_tips/malicious_code_mitigation.html#3>`_ recommending exactly this.
The following therefore does not apply to you; just keep
*utf8* turned on.

If you've upgraded from an older version, then it may be possible
for a Bugzilla user to take advantage of character set encoding
ambiguities to inject HTML into Bugzilla comments.
This could include malicious scripts.
This is because due to internationalization concerns, we are unable to
turn the *utf8* parameter on by default for upgraded
installations.
Turning it on manually will prevent this problem.


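Review bot: this hunk deletes the entire Security chapter and nothing else in the commit re-homes its content, so four pieces of operational advice disappear from the docs at once: one system account per daemon plus the `webservergroup` setting in `localconfig`, the per-directory blocking list (`*.pl`, `*localconfig*`, `data`, `Bugzilla`, `template`) with the `testserver.pl` check, the warning about editor backup files next to `localconfig`, and the `utf8` parameter fix for HTML injection via charset ambiguity on upgraded installs. The labels `security-webserver-access`, `security-bugzilla-charset` and `security` also stop existing, so any `:ref:` to them elsewhere will fail to resolve. Given the commit message is `WIP`, suggest keeping this file (with `:orphan:` if it leaves the toctree) until the replacement sections land, or moving those four items into the installation and upgrade pages within this same commit.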
@ -40,5 +40,5 @@ It is also possible, particularly if your server machine does not have and
cannot be configured to have access to the public internet, to upgrade using
a tarball. See :ref:`upgrading-with-a-tarball`.

Before performing any upgrade, it's a good idea to back up both your Bugzilla
directory and your database. XXXlink to backup info in Maintenance
Before performing any upgrade, it's a good idea to :ref:`back up <backups>`
both your Bugzilla directory and your database.

@ -1,5 +1,3 @@
:orphan:

The procedure to switch to Git is as follows. The idea is to switch version
control systems without changing the exact version of Bugzilla you are using,
to minimise the risk of conflict or problems. Any major upgrade can then
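Review bot: removing `:orphan:` from this file means Sphinx will warn that the document is not included in any toctree unless it has been added to one; the Bazaar and CVS hunks below only pull it in through `.. include:: get-from-git.rst`, and an include does not count as a toctree entry. For a fragment that exists purely to be included, keep `:orphan:` or list it in `exclude_patterns`. The same applies to the identical `:orphan:` removal from upgrading-from-1.rst further down.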
@ -49,3 +47,28 @@ Then run checksetup to upgrade your database:

You should then test your Bugzilla carefully, or just use it for a day or two,
to make sure it's all still working fine.

.. _get-from-git:

Download Code from Git
======================

Download a copy of your current version of Bugzilla from the git repository
into a separate directory alongside your existing Bugzilla installation
(which we will assume is in a directory called :file:`bugzilla`).

You will need a copy of the git program. All Linux installations have it;
search your package manager for "git". On Windows or Mac OS X, you can
`download the official build <http://www.git-scm.com/downloads>`_.

Once git is installed, run these commands to pull a copy of Bugzilla:

:command:`git clone https://git.mozilla.org/bugzilla/bugzilla bugzilla-new`

:command:`cd bugzilla-new`

:command:`git checkout $VERSION`

Replace $VERSION with the two-digit version number of your current Bugzilla, e.g.
4.2. These command will automatically change your version to the latest
point release of version $VERSION.

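Review bot: `git checkout $VERSION` with a value such as `4.2` only succeeds if the remote has a branch or tag named exactly that, so the paragraph should say which name to use instead of "the two-digit version number"; as written, a reader whose remote names branches differently gets a checkout error with no hint. Also `These command will automatically` should read `These commands`. The clone over `https://git.mozilla.org` is the right transport for code that will run on the server; worth keeping that rather than an unauthenticated `git://` URL if the section is revised.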
@ -1,5 +1,3 @@
:orphan:

Save Any Local Customizations
=============================

@ -18,7 +16,7 @@ Shut Down Bugzilla

At this point, you should shut down Bugzilla to make sure nothing changes
while you make the switch. Go into the administrative interface and put an
appropriate message into the :guilabel:`shutdownhtml` parameter, which is in the
appropriate message into the :param:`shutdownhtml` parameter, which is in the
"General" section of the administration parameters. As the name implies, HTML
is allowed.

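Review bot: `:param:` is not a built-in Sphinx interpreted-text role (unlike `:guilabel:`), so this and the other `:guilabel:` to `:param:` changes in the commit will fail with an unknown-role error unless a `param` role is registered (a `.. role:: param` in `rst_prolog`, or a custom role in conf.py). If that definition already exists it is fine; if it does not, it belongs in this commit.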
@ -94,7 +92,7 @@ Re-enable Bugzilla
==================

Go into the administrative interface and clear the contents of the
:guilabel:`shutdownhtml` parameter.
:param:`shutdownhtml` parameter.

Test Bugzilla
=============

@ -8,5 +8,4 @@ Upgrading from Bazaar
.. |extstatusinfo| replace:: The command :command:`bzr status extensions/` should help you work out what you added, if anything.

.. include:: upgrading-from-1.rst
.. include:: get-from-git.rst
.. include:: upgrading-from-2.rst

@ -3,14 +3,11 @@
Upgrading from CVS
##################

XXX Fill in commands from https://wiki.mozilla.org/Bugzilla:Moving_From_CVS_To_Bazaar

.. |updatecommand| replace:: :command:`bzr up -r tag:bugzilla-$VERSION`
.. |diffcommand| replace:: :command:`bzr diff > patch.diff`
.. |extstatusinfo| replace:: The command :command:`bzr status extensions/` should help you work out what you added, if anything.
.. |updatecommand| replace:: :command:`cvs update -rBUGZILLA-$VERSION-STABLE -dP`
.. |diffcommand| replace:: :command:`cvs diff -puN > patch.diff`
.. |extstatusinfo| replace:: The command :command:`cvs status extensions/` should help you work out what you added, if anything.

.. include:: upgrading-from-1.rst
.. include:: get-from-git.rst
.. include:: upgrading-from-2.rst



@ -17,6 +17,8 @@ Bugzilla installation (which we will assume is in a directory called
:file:`bugzilla`).

.. |diffcommand| replace:: :command:`diff -u > patch.diff`
.. |extstatusinfo| replace:: With no SCM to help you, you will have to work out by hand which extensions came with Bugzilla and which you added.
.. |extstatusinfo| replace:: With no SCM to help you, you will have to
work out by hand which extensions came with
Bugzilla and which you added.

.. include:: upgrading-from-2.rst

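Review bot: the reflowed `|extstatusinfo|` definition needs its two continuation lines indented under `.. |extstatusinfo| replace::`; the rendered diff strips leading whitespace so this cannot be confirmed here. If they are not indented, docutils ends the substitution after "you will have to" and emits the rest as a stray paragraph.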
@ -16,7 +16,7 @@ for you.
to trial the upgrade on a development server first, using a copy of the
production data and configuration.

In the commands below, :command:`$BUGZILLA_HOME` represents the directory
In the commands below, ``$BUGZILLA_HOME`` represents the directory
in which Bugzilla is installed.

.. _upgrade-before:
@ -40,7 +40,7 @@ steps to take:
possible that you may experience problems during your upgrade.

#. Shut down your Bugzilla installation by putting some explanatory text
in the :guilabel:`shutdownhtml` parameter.
in the :param:`shutdownhtml` parameter.

#. Make all necessary :ref:`backups`.
*THIS IS VERY IMPORTANT*. If anything goes wrong during the upgrade,
@ -107,7 +107,7 @@ Finishing The Upgrade
=====================

#. Reactivate Bugzilla by clear the text that you put into the
:guilabel:`shutdownhtml` parameter.
:param:`shutdownhtml` parameter.

#. Run a :ref:`sanity-check` on your
upgraded Bugzilla. It is recommended that you fix any problems

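Review bot: the context line `Reactivate Bugzilla by clear the text that you put into the` has a grammar slip (`by clearing the text`); since the line directly beneath it is being changed anyway, fold that fix into this hunk.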
@ -31,7 +31,7 @@ field; Bugzilla will convert it into an attachment. This is pretty useful
when you are copying and pasting, to avoid the extra step of saving the text
in a temporary file.

.. _flags:
.. _editing-flags:

Flags
=====

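Review bot: renaming the target from `_flags` to `_editing-flags` breaks any `:ref:`flags`` still present elsewhere, and this commit shows no corresponding reference updates. Either keep both labels stacked above the heading (several `.. _label:` lines may precede one section and all resolve to it) or update the referring pages in the same commit.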
@ -55,7 +55,7 @@ values. If none is selected, then the field can take any value.
After a search is run, you can save it as a Saved Search, which
will appear in the page footer. If you are in the group defined
by the "querysharegroup" parameter, you may share your queries
with other users, see :ref:`savedsearches` for more details.
with other users, see :ref:`saved-searches` for more details.

.. _custom-search:


@ -98,7 +98,7 @@ Saved Searches

On this tab you can view and run any Saved Searches that you have
created, and also any Saved Searches that other members of the group
defined in the :guilabel:`querysharegroup` parameter have shared.
defined in the :param:`querysharegroup` parameter have shared.
Saved Searches can be added to the page footer from this screen.
If somebody is sharing a Search with a group she or he is allowed to
:ref:`assign users to <groups>`, the sharer may opt to have

@ -3,7 +3,7 @@
Voting
######

To enable the Voting exteion, you must remove the :file:`disabled`
To enable the Voting extension, you must remove the :file:`disabled`
file from the directory :file:`extensions/Voting/`, and run
:file:`checksetup.pl`.

