Diffstat (limited to 'docs/en/xml/installation.xml')
-rw-r--r-- docs/en/xml/installation.xml 284
1 files changed, 15 insertions, 269 deletions
diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml index 09586d326..ab7600432 100644 --- a/docs/en/xml/installation.xml +++ b/docs/en/xml/installation.xml @@ -1,5 +1,5 @@ <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> -<!-- $Id: installation.xml,v 1.81 2008/04/04 06:47:11 jocuri%softhome.net Exp $ --> +<!-- $Id: installation.xml,v 1.82 2008/04/04 06:47:12 jake%bugzilla.org Exp $ --> <chapter id="installing-bugzilla"> <title>Installing Bugzilla</title> @@ -520,7 +520,8 @@ <para>Poorly-configured MySQL and Bugzilla installations have given attackers full access to systems in the past. Please take the security parts of these guidelines seriously, even for Bugzilla - machines hidden away behind your firewall.</para> + machines hidden away behind your firewall. Be certain to read + <xref linkend="security"/> for some important security tips.</para> </warning> <section id="localconfig"> 
@@ -560,70 +561,13 @@ <section id="mysql"> <title>MySQL</title> - <section id="security-mysql"> - <title>Security</title> - - <para>MySQL ships as insecure by default. - It allows anybody to on the local machine full administrative - capabilities without requiring a password; the special - MySQL root account (note: this is <emphasis>not</emphasis> the same as - the system root) also has no password. - Also, many installations default to running - <application>mysqld</application> as the system root. + <caution> + <para>MySQL's default configuration is very insecure. + <xref linkend="security-mysql"/> has some good information for + improving your installation's security. </para> - - <orderedlist> - <listitem> - <para>To disable the anonymous user account - and set a password for the root user, execute the following. The - root user password should be different to the bugs user password - you set in - <filename>localconfig</filename> in the previous section, - and also different to - the password for the system root account on your machine. - </para> - <screen> <prompt>bash$</prompt> mysql mysql - <prompt>mysql></prompt> DELETE FROM user WHERE user = ''; - <prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root'; - <prompt>mysql></prompt> FLUSH PRIVILEGES;</screen> - - <para>From this point forward, to run the - <filename>mysql</filename> command-line client, - you will need to type - <command>mysql -u root -p</command> and enter - <replaceable>new_password</replaceable> when prompted. - </para> - </listitem> - - <listitem> - <para>If you run MySQL on the same machine as your web server, you - should disable remote access to MySQL by adding - the following to your <filename>/etc/my.cnf</filename>: - </para> - <programlisting> [myslqd] - # Prevent network access to MySQL. 
- skip-networking</programlisting> - </listitem> - - <listitem> - <para>Consult the documentation that came with your system for - information on making <application>mysqld</application> run as an - unprivileged user. - </para> - </listitem> - - <listitem> - <para>For added security, you could also run MySQL, or even all - of Bugzilla - in a chroot jail; however, instructions for doing that are beyond - the scope of this document. - </para> - </listitem> - - </orderedlist> - - </section> - + </caution> + <section id="install-setupdatabase"> <title>Allow large attachments</title> @@ -765,7 +709,10 @@ <section id="http"> <title>Web server</title> <para>Configure your web server according to the instructions in the - appropriate section. The Bugzilla Team recommends Apache. + appropriate section. The Bugzilla Team recommends Apache. No matter + what webserver you choose, make sure that sensitive information is + not remotely available by ensuring that the access controls in + <xref linkend="security-webserver-access"/> are properly applied. </para> <section id="http-apache"> @@ -825,7 +772,7 @@ <para>Also, and this can't be stressed enough, make sure that files such as <filename>localconfig</filename> and your <filename class="directory">data</filename> - directory are secured as described in <xref linkend="security-access"/>. + directory are secured as described in <xref linkend="security-webserver-access"/>. </para> </section> 
@@ -893,137 +840,6 @@ </note> </section> - <section id="security-access"> - <title>Web Server Access Controls</title> - - <para>Users of Apache can skip this section because - Bugzilla ships with <filename>.htaccess</filename> files which - restrict access in the manner required. - Users of other webservers, read on. - </para> - - <para>There are several files in the Bugzilla directory - that should not be accessible from the web. You need to configure - your webserver so they they aren't. Not doing this may reveal - sensitive information such as database passwords. - </para> - - <itemizedlist spacing="compact"> - <listitem> - <para>In the main Bugzilla directory, you should:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block: - <simplelist type="inline"> - <member><filename>*.pl</filename></member> - <member><filename>*localconfig*</filename></member> - <member><filename>runtests.sh</filename></member> - </simplelist> - </para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>localconfig.js</filename></member> - <member><filename>localconfig.rdf</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">data</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>duplicates.rdf</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">data/webdot</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>If you use a remote webdot server:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow - <simplelist type="inline"> - <member><filename>*.dot</filename></member> - </simplelist> - only for the remote 
webdot server</para> - </listitem> - </itemizedlist> - </listitem> - <listitem> - <para>Otherwise, if you use a local GraphViz:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>*.png</filename></member> - <member><filename>*.gif</filename></member> - <member><filename>*.jpg</filename></member> - <member><filename>*.map</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - <listitem> - <para>And if you don't use any dot:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">Bugzilla</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">template</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - </itemizedlist> - - <para>You should test to make sure that the files mentioned above are - not accessible from the Internet, especially your - <filename>localconfig</filename> file which contains your database - password. To test, simply point your web browser at the file; for - example, to test mozilla.org's installation, we'd try to access - <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should - get a <errorcode>403</errorcode> <errorname>Forbidden</errorname> - error. - </para> - </section> </section> 
@@ -1310,75 +1126,6 @@ </section> - <section id="content-type"> - - <title>Prevent users injecting malicious - Javascript</title> - - <para>It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by - <ulink - url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"> - the CERT advisory</ulink> on this issue. - If your installation is for an English speaking audience only, making the - change below will prevent this problem. - </para> - - <para>Simply locate the following line in - <filename>Bugzilla/CGI.pm</filename>: - <programlisting>$self->charset('');</programlisting> - and change it to: - <programlisting>$self->charset('ISO-8859-1');</programlisting> - </para> - </section> - - <section id="mod-throttle" - xreflabel="Using mod_throttle to prevent Denial of Service attacks"> - <title> - <filename>mod_throttle</filename></title> - - <para>It is possible for a user, by mistake or on purpose, to access - the database many times in a row which can result in very slow access - speeds for other users. If your Bugzilla installation is experiencing - this problem, you may install the Apache module - <filename>mod_throttle</filename> - which can limit connections by IP address. You may download this module - at - <ulink url="http://www.snert.com/Software/mod_throttle/"/>. - Follow the instructions to install into your Apache install. - <emphasis>This module only functions with the Apache web - server!</emphasis> - The command you need is - <command>ThrottleClientIP</command>. 
See the - <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink> - for more information.</para> - </section> - - <section id="security-networking"> - <title>TCP/IP Ports</title> - - <para>A single-box Bugzilla only requires port 80, plus port 25 if - you are using the optional email interface. You should firewall all - other ports and/or disable services listening on them. - </para> - </section> - - <section id="security-daemon"> - <title>Daemon Accounts</title> - - <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to - running as either <quote>root</quote> or <quote>nobody</quote>. Running - as <quote>root</quote> introduces obvious security problems, but the - problems introduced by running everything as <quote>nobody</quote> may - not be so obvious. Basically, if you're running every daemon as - <quote>nobody</quote> and one of them gets compromised, they all get - compromised. For this reason it is recommended that you create a user - account for each daemon. - </para> - </section> <section id="apache-addtype"> <title>Serving Alternate Formats with the right MIME type</title> @@ -1532,7 +1279,7 @@ $smtp->quit; <para>As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever asked. No matter what web server you choose, be sure - to pay attention to the security notes in <xref linkend="security-access"/>. + to pay attention to the security notes in <xref linkend="security-webserver-access"/>. More information on configuring specific web servers can be found in <xref linkend="http"/>. </para> @@ -2205,4 +1952,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - |
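Review bot: in the @@ -520 hunk the new `<xref linkend="security"/>` points at an id that is not defined anywhere in installation.xml and is not introduced by this patch, which the diffstat shows is limited to this one file; the same applies to `security-mysql` (@@ -560) and `security-webserver-access` (@@ -765, @@ -825, @@ -1532). Confirm the security chapter committed alongside this change defines all three ids, otherwise the DocBook build will report unresolved cross-references.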
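Review bot: in the @@ -560 hunk the replacement `<caution>` only links to `security-mysql`, while the removed section carried the actual hardening steps (deleting the anonymous account, setting a MySQL root password distinct from the `bugs` and system root passwords, `skip-networking` in `/etc/my.cnf`, running mysqld as an unprivileged user). Make sure the relocated section keeps all four steps, and fix the `[myslqd]` typo from the removed my.cnf listing when it is carried over: MySQL silently ignores an unknown option group, so with that header the `skip-networking` directive never takes effect.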
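Review bot: the sentence added in the @@ -765 hunk spells it `webserver` while the paragraph it extends and the `<title>` of the same section use `web server`; the Windows paragraph touched in @@ -1532 also uses `No matter what web server you choose`, so keeping the two sentences identical would read better.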
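Review bot: the section removed in the @@ -893 hunk (old id `security-access`) is now referenced as `security-webserver-access` in the @@ -825 and @@ -1532 hunks, but this patch only updates references inside installation.xml; grep the rest of docs/en/xml for the old id before landing. When the text is relocated, preserve the closing verification paragraph (requesting `/localconfig` in a browser and expecting `403 Forbidden`), since it is the only check the chapter gives readers that the access controls actually work, and fix the `so they they aren't` typo on the way.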
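Review bot: unlike the MySQL and web-server hunks, the @@ -1310 hunk removes `content-type`, `mod-throttle`, `security-networking` and `security-daemon` without adding any replacement xref, so nothing in installation.xml now directs readers to the charset-based script-injection mitigation, the port/firewalling advice or the per-daemon account guidance. Either add a pointer into the security chapter here, next to the remaining `apache-addtype` section, or confirm that the relocated text is reachable from the surrounding sections.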