From 4bbb07e8048ef859cfc29c6b9d221840f2c6aed1 Mon Sep 17 00:00:00 2001 From: "gerv%gerv.net" <> Date: Fri, 16 Jan 2004 06:34:12 +0000 Subject: Phase 1 of a big documentation update before 2.17.6. --- docs/html/security.html | 175 +++++++++++------------------------------------- 1 file changed, 38 insertions(+), 137 deletions(-) (limited to 'docs/html/security.html') diff --git a/docs/html/security.html b/docs/html/security.html index c3fa07499..4bf56506e 100644 --- a/docs/html/security.html +++ b/docs/html/security.html @@ -4,19 +4,21 @@ >Bugzilla Security
These instructions must, of necessity, be somewhat vague since - Bugzilla runs on so many different platforms. If you have refinements - of these directions, please submit a bug to Bugzilla Documentation. - |
This is not meant to be a comprehensive list of every possible - security issue regarding the tools mentioned in this section. There is + security issue pertaining to the software mentioned in this section. + There is no subsitute for reading the information written by the authors of any software running on your system. 5.6.1. TCP/IP Ports4.5.1. TCP/IP PortsTCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla - only needs 1... 2 if you need to use features that require e-mail such + only needs 1, or 2 if you need to use features that require e-mail such as bug moving or the e-mail interface from contrib. You should audit your server and make sure that you aren't listening on any ports you don't need to be. You may also wish to use some kind of firewall @@ -193,7 +140,7 @@ CLASS="section" >5.6.2. MySQL4.5.2. MySQL MySQL ships by default with many settings that should be changed. By defaults it allows anybody to connect from localhost without a 
@@ -322,7 +269,7 @@ CLASS="section" >5.6.3. Daemon Accounts4.5.3. Daemon Accounts Many daemons, such as Apache's httpd and MySQL's mysqld default to running as either "nobody" and one of them gets comprimised, they all get - comprimised. For this reason it is recommended that you create a user +> and one of them gets compromised, they all get + compromised. For this reason it is recommended that you create a user account for each daemon. 5.6.4. Web Server Access Controls4.5.4. Web Server Access Controls There are many files that are placed in the Bugzilla directory area that should not be accessable from the web. Because of the way - Bugzilla is currently layed out, the list of what should and should - not be accessible is rather complicated. A new installation method - is currently in the works which should solve this by allowing files - that shouldn't be accessible from the web to be placed in directory - outside the webroot. See - bug 44659 for more information. + Bugzilla is currently laid out, the list of what should and should + not be accessible is rather complicated. + Users of Apache don't need to worry about this, however, because + Bugzilla ships with .htaccess files which restrict access to all the + sensitive files in this section. Users of other webservers, read on.
You should test to make sure that the files mentioned above are not accessible from the Internet, especially your @@ -706,7 +607,7 @@ VALIGN="TOP" > You should check Section 4.4Section 4.2 to see if instructions have been included for your web server. You should also compare those instructions with this list to make sure everything is properly @@ -734,7 +635,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >Prev | NextGroups and Group SecurityOS Specific Installation NotesUp | Template CustomizationTroubleshooting
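Review bot: the TCP/IP Ports hunk corrects "only needs 1, or 2 if ..." but leaves two misspellings in its unchanged context lines, "trafic" in "65,000 some ports for trafic" and "subsitute" in "no subsitute for reading the information"; since this commit already fixes "comprimised" and "layed" elsewhere, suggest widening the hunk to "ports for traffic" and "There is no substitute for reading".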
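Review bot: the MySQL hunk only renumbers the heading from 5.6.2 to 4.5.2 and keeps "By defaults it allows anybody to connect from localhost" in its context; suggest changing it to "By default it allows anybody to connect from localhost" while this section is being touched.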
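Review bot: in the Web Server Access Controls hunk, the new sentence "Users of Apache don't need to worry about this, however, because Bugzilla ships with .htaccess files which restrict access to all the sensitive files in this section" overstates the protection: Apache honours .htaccess files only where the server's AllowOverride setting permits it, so a default or locked-down configuration can silently ignore them. Suggest softening it to something like "Users of Apache are mostly covered by the .htaccess files Bugzilla ships with, provided AllowOverride is enabled for the Bugzilla directory" and keeping the later context line "You should test to make sure that the files mentioned above are not accessible from the Internet" applicable to Apache users as well, rather than implying they can skip the check.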