I added related information to the Bugzilla Guide, and tacked in a couple of last-minute additions. Also fixed the annoying "Tip: HINT:" thing. git-svn-id: svn://10.0.0.236/trunk@93103 18797224-902f-48f8-a5cc-f745e15eee43
334 lines
8.0 KiB
HTML
<HTML>
<HEAD>
<TITLE>Bugzilla Security</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.64">
<LINK REL="HOME" TITLE="The Bugzilla Guide" HREF="index.html">
<LINK REL="UP" TITLE="Administering Bugzilla" HREF="administration.html">
<LINK REL="PREVIOUS" TITLE="Product, Component, Milestone, and Version Administration" HREF="programadmin.html">
<LINK REL="NEXT" TITLE="Using Bugzilla" HREF="using.html">
</HEAD>
<BODY CLASS="SECTION" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">The Bugzilla Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="programadmin.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 3. Administering Bugzilla</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="using.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECTION">
<H1 CLASS="SECTION"><A NAME="SECURITY">3.4. Bugzilla Security</A></H1>
<TABLE BORDER="0" WIDTH="100%" CELLSPACING="0" CELLPADDING="0" CLASS="EPIGRAPH">
<TR>
<TD WIDTH="45%">&nbsp;</TD>
<TD WIDTH="45%" ALIGN="LEFT" VALIGN="TOP"><I><P><I>Putting your money in a wall safe is better protection than depending on the fact that no one knows that you hide your money in a mayonnaise jar in your fridge.</I></P></I></TD>
</TR>
</TABLE>
<DIV CLASS="NOTE">
<BLOCKQUOTE CLASS="NOTE">
<P><B>Note: </B>Poorly-configured MySQL, Bugzilla, and FTP installations have given attackers full access to systems in the past. Please take these guidelines seriously, even for Bugzilla machines hidden away behind your firewall. 80% of all computer trespassers are insiders, not anonymous crackers.</P>
</BLOCKQUOTE>
</DIV>
<P>First things first: Secure your installation.
|
|
<DIV CLASS="NOTE">
<BLOCKQUOTE CLASS="NOTE">
<P><B>Note: </B>These instructions must, of necessity, be somewhat vague, since Bugzilla runs on so many different platforms. If you have refinements of these directions for specific platforms, please submit them to <A HREF="mailto:mozilla-webtools@mozilla.org" TARGET="_top">mozilla-webtools@mozilla.org</A>.</P>
</BLOCKQUOTE>
</DIV>
|
|
<OL TYPE="1">
<LI><P>Ensure you are running MySQL version 3.22.32 or newer. Earlier versions had notable security holes and poorly secured default configuration choices.</P></LI>
<LI><P><EM>There is no substitute for understanding the tools on your system!</EM> Read <A HREF="http://www.mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html" TARGET="_top">The MySQL Privilege System</A> until you can recite it from memory!</P>
<P>At the very least, ensure you set a password on the "mysql -u root" account and the "bugs" account, and establish grant table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details) that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone advice back when I knew far less about security than I do now : )</P></LI>
<LI><P>Lock down /etc/inetd.conf. Heck, disable inetd entirely on this box. It should only listen on port 25 for Sendmail and port 80 for Apache.</P></LI>
<LI><P>Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories. Run it, instead, as a user with a name, set via your httpd.conf file.</P></LI>
<LI><P>Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and $BUGZILLA_HOME/globals.pl files. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands of a criminal, while globals.pl stores some default information regarding your installation which could aid a system cracker. In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure these directories and these files, you will expose bug information to those who may not be allowed to see it.</P>
<DIV CLASS="NOTE">
<BLOCKQUOTE CLASS="NOTE">
<P><B>Note: </B>Bugzilla provides default .htaccess files to protect the most common Apache installations. However, you should verify these are adequate according to the site-wide security policy of your web server, and ensure that the .htaccess files are allowed to "override" default permissions set in your Apache configuration files. Covering Apache security is beyond the scope of this Guide; please consult the Apache documentation for details.</P>
<P>If you are using a web server that does not support the .htaccess control method, <EM>you are at risk!</EM> After installing, check to see if you can view the file "localconfig" in your web browser (e.g. <A HREF="http://bugzilla.mozilla.org/localconfig" TARGET="_top">http://bugzilla.mozilla.org/localconfig</A>). If you can read the contents of this file, your web server has not secured your Bugzilla directory properly and you must fix this problem before deploying Bugzilla. If, however, it gives you a "Forbidden" error, then it probably respects the .htaccess conventions and you are good to go.</P>
</BLOCKQUOTE>
</DIV>
<P>On Apache, you can use .htaccess files to protect access to these directories, as outlined in <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" TARGET="_top">Bug 57161</A> for the localconfig file, and <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572" TARGET="_top">Bug 65572</A> for adequate protection in your data/ and shadow/ directories.</P>
<P>Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other non-Apache web servers, please consult your system documentation for how to secure these files from being transmitted to curious users.</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/data directory.</P>
<P CLASS="LITERALLAYOUT">&lt;Files comments&gt;<br>
allow from all<br>
&lt;/Files&gt;<br>
deny from all<br>
</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/ directory.</P>
<P CLASS="LITERALLAYOUT">&lt;Files localconfig&gt;<br>
deny from all<br>
&lt;/Files&gt;<br>
allow from all<br>
</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/shadow directory.</P>
<P CLASS="LITERALLAYOUT">deny from all<br>
</P>
</LI>
</OL
>
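<P>As an added example for item 2 of the list above (not part of the Bugzilla Guide or of the Keystone guide it cites), the following POSIX shell script emits a GRANT statement that gives the "bugs" account database-level rights on a database assumed to be named bugs while withholding CREATE, DROP, RELOAD, SHUTDOWN and PROCESS, and it checks a SHOW GRANTS listing for exactly those privileges. The function names, the constructed sample listing and the set of rights that are kept (SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER) are this example's own choices; one consequence of withholding CREATE and DROP is that creating or upgrading the schema has to be done by a more privileged account.</P>

```shell
#!/bin/sh
# Added example, not from the Bugzilla Guide or the Keystone guide it cites:
# emits a GRANT for a "bugs" account limited to what the Guide allows, and
# checks a SHOW GRANTS listing for the privileges the Guide says to withhold.
# Assumes a Unix host with the mysql client and a database named "bugs".

# Privileges the Guide says user "bugs" must not have.
FORBIDDEN_PRIVS="CREATE DROP RELOAD SHUTDOWN PROCESS"

# Print the SQL that limits the account. Arguments: user host password
# (the password must not contain a single quote). Rights are granted on
# bugs.* only. RELOAD, SHUTDOWN and PROCESS are global privileges that can
# only be granted ON *.*, so a bugs.* grant can never include them; CREATE
# and DROP are withheld explicitly.
bugs_grant_sql() {
    cat <<EOF
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER ON bugs.* TO '$1'@'$2' IDENTIFIED BY '$3';
FLUSH PRIVILEGES;
EOF
}

# Read a SHOW GRANTS listing from stdin (one "GRANT ... ON ... TO ..." row
# per line). Return 0 when none of the forbidden privileges, and no blanket
# ALL PRIVILEGES, appear; otherwise print each offender and return 1.
# Only the words between GRANT and ON are inspected, so database or host
# names cannot cause false matches.
check_bugs_grants() {
    privs=$(sed -n 's/^GRANT \(.*\) ON .*$/\1/p' | tr 'a-z' 'A-Z')
    bad=0
    for priv in $FORBIDDEN_PRIVS "ALL PRIVILEGES"; do
        if printf '%s\n' "$privs" | grep -Eq "(^|[ ,])$priv([ ,]|$)"; then
            echo "FORBIDDEN: $priv"
            bad=1
        fi
    done
    return $bad
}

# Apply the grant as the MySQL root user (prompts for the root password).
apply_bugs_grant() {
    bugs_grant_sql "$1" "$2" "$3" | mysql -u root -p
}

# Fetch the live grants of user@host and run the check on them.
audit_bugs_grants() {
    mysql -u root -p -N -e "SHOW GRANTS FOR '$1'@'$2'" | check_bugs_grants
}
```

<P>Run "apply_bugs_grant bugs localhost 'password'" once as the MySQL root user, then "audit_bugs_grants bugs localhost" whenever you want to confirm nothing has widened the account's rights; a non-zero exit status names each privilege that should not be there.</P>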
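<P>As an added example for item 5 of the list above (not part of the Bugzilla Guide), the following POSIX shell script writes the three .htaccess files shown in that item and audits the install root for the mistakes the item warns about: a localconfig, globals.pl, data/ or shadow/ that is accessible to "others", or an .htaccess that lacks its "deny from all" line. The install root path, the function names and the audit's output format are this example's own; it assumes a Unix host where the Guide's $BUGZILLA_HOME directory contains those four paths.</P>

```shell
#!/bin/sh
# Added example, not part of the Bugzilla Guide: writes the three .htaccess
# files the Guide lists and audits the modes of the sensitive Bugzilla paths.
# Assumes a Unix host, POSIX sh and an install root (the Guide's
# $BUGZILLA_HOME) containing data/, shadow/, localconfig and globals.pl.

# Write the .htaccess files with the directives the Guide gives.
write_bugzilla_htaccess() {
    home="$1"
    # data/: only "comments" is served, everything else is denied.
    printf '%s\n' '<Files comments>' 'allow from all' '</Files>' 'deny from all' \
        > "$home/data/.htaccess"
    # install root: localconfig (holds the "bugs" DB password) is denied.
    printf '%s\n' '<Files localconfig>' 'deny from all' '</Files>' 'allow from all' \
        > "$home/.htaccess"
    # shadow/: the cached bug copies are never served directly.
    printf '%s\n' 'deny from all' > "$home/shadow/.htaccess"
}

# Return 0 when "others" have no r/w/x bits on the path, i.e. the last three
# mode characters printed by `ls -ld` are "---"; return 1 otherwise.
not_world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Audit: each sensitive path must exist and be closed to "others", and each
# .htaccess must contain a "deny from all" line. Prints one line per finding
# and returns the number of findings (0 means clean). Ownership by the named
# Apache user from httpd.conf is site-specific and is not checked here.
audit_bugzilla_perms() {
    home="$1"
    findings=0
    for p in localconfig globals.pl data shadow; do
        if [ ! -e "$home/$p" ]; then
            echo "MISSING: $home/$p"
            findings=$((findings + 1))
        elif ! not_world_accessible "$home/$p"; then
            echo "WORLD-ACCESSIBLE: $home/$p"
            findings=$((findings + 1))
        fi
    done
    for h in .htaccess data/.htaccess shadow/.htaccess; do
        if ! grep -qi '^deny from all' "$home/$h" 2>/dev/null; then
            echo "NO DENY RULE: $home/$h"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage: sh bugzilla-perms.sh /path/to/bugzilla   (audit only; call
# write_bugzilla_htaccess first if the .htaccess files are not yet in place)
if [ -n "$1" ]; then
    audit_bugzilla_perms "$1"
fi
```

<P>Running "sh bugzilla-perms.sh /path/to/bugzilla" prints one line per finding and exits with the number of findings, so a zero exit status means clean. The audit deliberately does not check who owns the files: they must stay readable by the named Apache user set in httpd.conf, and which user that is depends on the site.</P>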
</P>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="programadmin.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="using.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Product, Component, Milestone, and Version Administration</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="administration.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Using Bugzilla</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>