diff options
Diffstat (limited to 'docs/en/rst/security.rst')
-rw-r--r-- | docs/en/rst/security.rst | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/docs/en/rst/security.rst b/docs/en/rst/security.rst new file mode 100644 index 000000000..4813ffe76 --- /dev/null +++ b/docs/en/rst/security.rst @@ -0,0 +1,167 @@ + + +.. _security: + +================= +Bugzilla Security +================= + +While some of the items in this chapter are related to the operating +system Bugzilla is running on or some of the support software required to +run Bugzilla, it is all related to protecting your data. This is not +intended to be a comprehensive guide to securing Linux, Apache, MySQL, or +any other piece of software mentioned. There is no substitute for active +administration and monitoring of a machine. The key to good security is +actually right in the middle of the word: *U R It*. + +While programmers in general always strive to write secure code, +accidents can and do happen. The best approach to security is to always +assume that the program you are working with isn't 100% secure and restrict +its access to other parts of your machine as much as possible. + +.. _security-os: + +Operating System +################ + +.. _security-os-ports: + +TCP/IP Ports +============ + +.. COMMENT: TODO: Get exact number of ports + +The TCP/IP standard defines more than 65,000 ports for sending +and receiving traffic. Of those, Bugzilla needs exactly one to operate +(different configurations and options may require up to 3). You should +audit your server and make sure that you aren't listening on any ports +you don't need to be. It's also highly recommended that the server +Bugzilla resides on, along with any other machines you administer, be +placed behind some kind of firewall. + +.. _security-os-accounts: + +System User Accounts +==================== + +Many daemons, such +as Apache's :file:`httpd` or MySQL's +:file:`mysqld`, run as either ``root`` or +``nobody``. This is even worse on Windows machines where the +majority of services +run as ``SYSTEM``. While running as ``root`` or +``SYSTEM`` introduces obvious security concerns, the +problems introduced by running everything as ``nobody`` may +not be so obvious. Basically, if you run every daemon as +``nobody`` and one of them gets compromised it can +compromise every other daemon running as ``nobody`` on your +machine. For this reason, it is recommended that you create a user +account for each daemon. + +.. note:: You will need to set the ``webservergroup`` option + in :file:`localconfig` to the group your web server runs + as. This will allow :file:`./checksetup.pl` to set file + permissions on Unix systems so that nothing is world-writable. + +.. _security-os-chroot: + +The :file:`chroot` Jail +======================= + +If your system supports it, you may wish to consider running +Bugzilla inside of a :file:`chroot` jail. This option +provides unprecedented security by restricting anything running +inside the jail from accessing any information outside of it. If you +wish to use this option, please consult the documentation that came +with your system. + +.. _security-webserver: + +Web server +########## + +.. _security-webserver-access: + +Disabling Remote Access to Bugzilla Configuration Files +======================================================= + +There are many files that are placed in the Bugzilla directory +area that should not be accessible from the web server. Because of the way +Bugzilla is currently layed out, the list of what should and should not +be accessible is rather complicated. A quick way is to run +:file:`testserver.pl` to check if your web server serves +Bugzilla files as expected. If not, you may want to follow the few +steps below. + +.. tip:: Bugzilla ships with the ability to create :file:`.htaccess` + files that enforce these rules. Instructions for enabling these + directives in Apache can be found in :ref:`http-apache` + +- In the main Bugzilla directory, you should: + - Block: :file:`*.pl`, :file:`*localconfig*` + +- In :file:`data`: + - Block everything + +- In :file:`data/webdot`: + + - If you use a remote webdot server: + + - Block everything + - But allow :file:`*.dot` + only for the remote webdot server + - Otherwise, if you use a local GraphViz: + + - Block everything + - But allow: :file:`*.png`, :file:`*.gif`, :file:`*.jpg`, :file:`*.map` + - And if you don't use any dot: + + - Block everything + +- In :file:`Bugzilla`: + - Block everything + +- In :file:`template`: + - Block everything + +Be sure to test that data that should not be accessed remotely is +properly blocked. Of particular interest is the localconfig file which +contains your database password. Also, be aware that many editors +create temporary and backup files in the working directory and that +those should also not be accessible. For more information, see +`bug 186383 <http://bugzilla.mozilla.org/show_bug.cgi?id=186383>`_ +or +`Bugtraq ID 6501 <http://online.securityfocus.com/bid/6501>`_. +To test, simply run :file:`testserver.pl`, as said above. + +.. tip:: Be sure to check :ref:`http` for instructions + specific to the web server you use. + +.. _security-bugzilla: + +Bugzilla +######## + +.. _security-bugzilla-charset: + +Prevent users injecting malicious Javascript +============================================ + +If you installed Bugzilla version 2.22 or later from scratch, +then the *utf8* parameter is switched on by default. +This makes Bugzilla explicitly set the character encoding, following +`a +CERT advisory <http://www.cert.org/tech_tips/malicious_code_mitigation.html#3>`_ recommending exactly this. +The following therefore does not apply to you; just keep +*utf8* turned on. + +If you've upgraded from an older version, then it may be possible +for a Bugzilla user to take advantage of character set encoding +ambiguities to inject HTML into Bugzilla comments. +This could include malicious scripts. +This is because due to internationalization concerns, we are unable to +turn the *utf8* parameter on by default for upgraded +installations. +Turning it on manually will prevent this problem. + + |