No text version of The Bugzilla Guide available yet, however. git-svn-id: svn://10.0.0.236/trunk@88928 18797224-902f-48f8-a5cc-f745e15eee43
<HTML>
<HEAD>
<TITLE>Bugzilla Security</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.61">
<LINK REL="HOME" TITLE="The Bugzilla Guide" HREF="index.html">
<LINK REL="UP" TITLE="Administering Bugzilla" HREF="administration.html">
<LINK REL="PREVIOUS" TITLE="Product, Component, Milestone, and Version Administration" HREF="programadmin.html">
<LINK REL="NEXT" TITLE="Using Bugzilla" HREF="using.html">
</HEAD>
<BODY CLASS="SECTION" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">The Bugzilla Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="programadmin.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 3. Administering Bugzilla</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="using.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECTION">
<H1 CLASS="SECTION"><A NAME="SECURITY">3.4. Bugzilla Security</A></H1>
<TABLE BORDER="0" WIDTH="100%" CELLSPACING="0" CELLPADDING="0" CLASS="EPIGRAPH">
<TR>
<TD WIDTH="45%"> </TD>
<TD WIDTH="45%" ALIGN="LEFT" VALIGN="TOP"><I><P><I>Putting your money in a wall safe is better protection than depending on the fact that no one knows that you hide your money in a mayonnaise jar in your fridge.</I></P></I></TD>
</TR>
</TABLE>
<DIV CLASS="NOTE">
<BLOCKQUOTE CLASS="NOTE">
<P><B>Note: </B>Poorly configured MySQL, Bugzilla, and FTP installations have given attackers full access to systems in the past. Please take these guidelines seriously, even for Bugzilla machines hidden away behind your firewall. 80% of all computer trespassers are insiders, not anonymous crackers.</P>
</BLOCKQUOTE>
</DIV>
<P>First things first: secure your installation.
<DIV CLASS="NOTE">
<BLOCKQUOTE CLASS="NOTE">
<P><B>Note: </B>These instructions must, of necessity, be somewhat vague, since Bugzilla runs on so many different platforms. If you have refinements of these directions for specific platforms, please submit them to <A HREF="mailto:mozilla-webtools@mozilla.org" TARGET="_top">mozilla-webtools@mozilla.org</A>.</P>
</BLOCKQUOTE>
</DIV
><OL TYPE="1">
<LI><P>Ensure you are running at least MySQL version 3.22.32 or newer. Earlier versions had notable security holes and poorly secured default configuration choices.</P></LI>
<LI><P><EM>There is no substitute for understanding the tools on your system!</EM> Read <A HREF="http://www.mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html" TARGET="_top">The MySQL Privilege System</A> until you can recite it from memory!</P>
<P>At the very least, ensure you password the "mysql -u root" account and the "bugs" account, and establish grant table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details) that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone advice back when I knew far less about security than I do now : )</P></LI>
<LI><P>Lock down /etc/inetd.conf. Heck, disable inetd entirely on this box. It should only listen on port 25 for Sendmail and port 80 for Apache.</P></LI>
<LI><P>Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories. Run it, instead, as a user with a name, set via your httpd.conf file.</P></LI>
<LI><P>Ensure you have adequate access controls for $BUGZILLA_HOME/data/ and $BUGZILLA_HOME/localconfig. The localconfig file stores your "bugs" user password, which would be terrible to have in the hands of a criminal. Also, some files under $BUGZILLA_HOME/data store sensitive information.</P>
<P>On Apache, you can use .htaccess files to protect access to these directories, as outlined in <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" TARGET="_top">Bug 57161</A> for the localconfig file, and <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572" TARGET="_top">Bug 65572</A> for adequate protection in your data/ and shadow/ directories.</P>
<P>Note that the instructions which follow are Apache-specific. If you use IIS, Netscape, or other non-Apache web servers, please consult your system documentation for how to secure these files from being transmitted to curious users.</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/data directory.
<P CLASS="LITERALLAYOUT">&lt;Files comments&gt;<br>
allow from all<br>
&lt;/Files&gt;<br>
deny from all<br>
</P>
</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/ directory.
<P CLASS="LITERALLAYOUT">&lt;Files localconfig&gt;<br>
deny from all<br>
&lt;/Files&gt;<br>
allow from all<br>
</P>
</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/shadow directory.
<P CLASS="LITERALLAYOUT">deny from all<br>
</P>
</P>
</LI>
</OL>
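<P>The checklist above can be turned into something an administrator can actually run. The script below is an added example, not code from the Bugzilla Guide or from the Bugzilla project: it audits the output of "SHOW GRANTS" for the "bugs" account against the five privileges the guide says that account must not hold, writes the three .htaccess files listed above into a Bugzilla tree, and then audits that tree for world-readable localconfig, data/ and shadow/ entries, missing "deny from all" rules, and an Apache configuration that still runs as "nobody". The function names, the argument order, the 640/750 file modes and the sample SHOW GRANTS text are assumptions made for the example; the sample data is constructed so the script runs offline.</P>

```shell
#!/bin/sh
# Added example, not code from the Bugzilla Guide or the Bugzilla project.
# (1) audit_grants: check SHOW GRANTS text for the privileges the guide forbids.
# (2) install_htaccess: write the guide's three .htaccess files under a root.
# (3) audit_bugzilla: look for world-readable secrets, missing deny rules and
#     an Apache "User nobody" directive.
# Function names, argument order and the 640/750 modes are assumptions.

FORBIDDEN="CREATE DROP RELOAD SHUTDOWN PROCESS"

# audit_grants TEXT: TEXT is what "SHOW GRANTS FOR bugs@localhost" printed.
# Prints the forbidden privileges held (ALL PRIVILEGES implies every one);
# exit status 0 only when none are held.
audit_grants() {
    found=""
    for priv in $FORBIDDEN; do
        # Match the privilege as a whole word inside a GRANT line, any case.
        if printf '%s\n' "$1" | grep -Eiq "^GRANT.*[ ,]($priv|ALL PRIVILEGES)([ ,]|\$)"; then
            found="$found $priv"
        fi
    done
    found=${found# }
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Constructed sample SHOW GRANTS output: a clean account, one that was given
# CREATE and DROP, and one that was given everything.
GRANTS_OK='GRANT USAGE ON *.* TO bugs@localhost
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER ON bugs.* TO bugs@localhost'
GRANTS_BAD='GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON bugs.* TO bugs@localhost'
GRANTS_ALL='GRANT ALL PRIVILEGES ON *.* TO bugs@localhost'

# install_htaccess ROOT: write the guide's .htaccess files under ROOT
# (ROOT plays the part of $BUGZILLA_HOME).
install_htaccess() {
    mkdir -p "$1/data" "$1/shadow"
    printf '<Files comments>\nallow from all\n</Files>\ndeny from all\n' > "$1/data/.htaccess"
    printf '<Files localconfig>\ndeny from all\n</Files>\nallow from all\n' > "$1/.htaccess"
    printf 'deny from all\n' > "$1/shadow/.htaccess"
}

# world_readable PATH: true when "other" users may read PATH
# (column 8 of "ls -l" output is the world-read bit).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_bugzilla ROOT HTTPD_CONF: print one line per problem found;
# the exit status is the number of problems, so 0 means clean.
audit_bugzilla() {
    root="$1"; conf="$2"; problems=0
    for f in "$root/localconfig" "$root/data" "$root/shadow"; do
        if [ -e "$f" ] && world_readable "$f"; then
            echo "world-readable: $f"; problems=$((problems + 1))
        fi
    done
    for d in "$root/data" "$root/shadow"; do
        if ! grep -qi '^deny from all' "$d/.htaccess" 2>/dev/null; then
            echo "missing deny rule: $d/.htaccess"; problems=$((problems + 1))
        fi
    done
    if ! grep -qi '<Files localconfig>' "$root/.htaccess" 2>/dev/null; then
        echo "localconfig not protected: $root/.htaccess"; problems=$((problems + 1))
    fi
    if grep -Eqi '^[[:space:]]*User[[:space:]]+nobody' "$conf" 2>/dev/null; then
        echo "Apache runs as nobody: $conf"; problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone demo ("sh script.sh demo"): audit the constructed grants, then
# build and audit a throwaway tree in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    audit_grants "$GRANTS_BAD" || echo "bugs holds forbidden privileges"
    T=$(mktemp -d)
    install_htaccess "$T"; : > "$T/localconfig"; chmod 640 "$T/localconfig"
    chmod 750 "$T/data" "$T/shadow"; printf 'User bugzilla\n' > "$T/httpd.conf"
    audit_bugzilla "$T" "$T/httpd.conf" && echo "clean"
    rm -rf "$T"
fi
```

<P>On a real host, feed audit_grants the text that "mysql -u root -p -e 'SHOW GRANTS FOR bugs@localhost'" prints, and point audit_bugzilla at $BUGZILLA_HOME and the httpd.conf in use. The modes assumed here (640 for localconfig, 750 for data/ and shadow/, with the group set to the named Apache user) keep the web server able to read what it needs while denying every other local account; if a setup step needs to create or alter tables, run it under a separate administrative account rather than widening what "bugs" holds.</P>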
</P>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="programadmin.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="using.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Product, Component, Milestone, and Version Administration</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="administration.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Using Bugzilla</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>