From f0324c374c51b61a8615044631337a60eb9a37a8 Mon Sep 17 00:00:00 2001 From: "jake%bugzilla.org" <> Date: Fri, 3 Jan 2003 01:29:23 +0000 Subject: Recompile the docs for the 2.17.3 release --- docs/html/security.html | 334 +++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 291 insertions(+), 43 deletions(-) (limited to 'docs/html/security.html') diff --git a/docs/html/security.html b/docs/html/security.html index 096a771aa..dc4b5b7c4 100644 --- a/docs/html/security.html +++ b/docs/html/security.html @@ -16,7 +16,7 @@ REL="PREVIOUS" TITLE="Groups and Group Security" HREF="groups.html">
  • Ensure you are running at least MysQL version 3.22.32 or newer. - Earlier versions had notable security holes and (from a security - point of view) poor default configuration choices.

  • There is no substitute for understanding the tools on your system!

  • Lock down /etc/inetd.conf. Heck, disable inet entirely on this - box. It should only listen to port 25 for Sendmail and port 80 for - Apache.

    Lock down /etc/inetd.conf. Heck, disable + inet entirely on this box. It should only listen to port 25 for + Sendmail and port 80 for Apache.

  • Ensure you have adequate access controls for the - $BUGZILLA_HOME/data/ directory, as well as the - $BUGZILLA_HOME/localconfig file. + $BUGZILLA_HOME/data/ directory, as well as the + $BUGZILLA_HOME/localconfig file. The localconfig file stores your "bugs" database account password. In addition, some - files under $BUGZILLA_HOME/data/ store sensitive information. + files under $BUGZILLA_HOME/data/ store sensitive + information.

    Bugzilla provides default .htaccess files to protect the most - common Apache installations. However, you should verify these are - adequate according to the site-wide security policy of your web - server, and ensure that the .htaccess files are allowed to - "override" default permissions set in your Apache configuration - files. Covering Apache security is beyond the scope of this Guide; - please consult the Apache documentation for details.

    Also, beware that some text editors create backup files in the + current working directory so you need to also secure files like + localconfig~. +

    Simply blocking .*localconfig.* + won't work because the QuickSearch feature requires the web browser + to be able to retrieve localconfig.js and + others may be introduced in the future (see + bug + 186383 for more information. +

    Bugzilla provides default .htaccess files + to protect the most common Apache installations. However, you should + verify these are adequate according to the site-wide security policy + of your web server, and ensure that the .htaccess + files are allowed to "override" default permissions set + in your Apache configuration files. Covering Apache security is beyond + the scope of this Guide; please consult the Apache documentation for + details. +

    If you are using a web server that does not support the - .htaccess control method, + .htaccess control method, you are at risk! After installing, check to see if you can view the file - "localconfig" in your web browser (e.g.: + localconfig in your web browser (e.g.:

  • When you run checksetup.pl, the script will attempt to modify various permissions on files which Bugzilla uses. If you do not have - a webservergroup set in the localconfig file, then Bugzilla will have - to make certain files world readable and/or writable. + a webservergroup set in the localconfig file, + then Bugzilla will have to make certain files world readable and/or + writable. THIS IS INSECURE! @@ -307,16 +387,26 @@ VALIGN="TOP" >
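Review bot: the added QuickSearch sentence never closes its parenthesis; "(see bug 186383 for more information." should end "for more information)." While the surrounding bullets are being reflowed, the version bullet's "MysQL" could be corrected to "MySQL" in the same pass.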

    On Apache, you can use .htaccess files to protect access to - these directories, as outlined in +>On Apache, you can use .htaccess files to + protect access to these directories, as outlined in Bugs Bug - 57161 57161 and + 186383 - for the localconfig file, and + for the localconfig file, and - for adequate protection in your data/ directory.

    data/ directory. + Also, don't forget about the template/ and + Bugzilla/ directories and to allow access to the + data/webdot directory for the + 192.20.225.10 IP address if you are + using webdot from research.att.com. The easiest way to + accomplish this is to set $create_htaccess to 1 + in localconfig. However, the information below + is provided for those that want to know exactly what is created. +

    Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other non-Apache web servers, please consult your system documentation for how to secure these files from being transmitted to curious users.

    Place the following text into a file named ".htaccess", - readable by your web server, in your $BUGZILLA_HOME/data directory. -

    <Files comments> allow from all </Files>
    -        deny from all

    $BUGZILLA_HOME/.htaccess +
    
# don't allow people to retrieve non-cgi executable files or our private data
    +<FilesMatch ^(.*\.pl|.*localconfig.*|processmail|runtests.sh)$>
    +  deny from all
    +</FilesMatch>
    +<FilesMatch ^(localconfig.js|localconfig.rdf)$>
    +  allow from all
    +</FilesMatch>
    +        
    +
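Review bot: the localconfig.js/localconfig.rdf exception in the second FilesMatch only beats the preceding deny under Order Deny,Allow. This file sets no Order, so it inherits whatever the enclosing httpd.conf section uses; under Order Allow,Deny both sections match and the deny wins, which would break QuickSearch. Suggest an explicit `Order Deny,Allow` as the first directive, and since the prose above only says .htaccess must be allowed to "override", state that these directives need `AllowOverride Limit` (or All) for the directory.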

    $BUGZILLA_HOME/data/.htaccess +
    
# nothing in this directory is retrievable unless overriden by an .htaccess
    +# in a subdirectory; the only exception is duplicates.rdf, which is used by
    +# duplicates.xul and must be loadable over the web
    +deny from all
    +<Files duplicates.rdf>
    +  allow from all
    +</Files>
    +        
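Review bot: "overriden" in the first comment line should be "overridden"; the same comment is copied verbatim into the Bugzilla/ and template/ .htaccess files below, so fix all three. The duplicates.rdf exception has the same Order dependency as the top-level file: without an explicit `Order Deny,Allow`, `allow from all` inside the <Files> section is not guaranteed to win over the directory-wide `deny from all`.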

    Place the following text into a file named ".htaccess", - readable by your web server, in your $BUGZILLA_HOME/ directory. -

    <Files localconfig> deny from all </Files>
    -        allow from all

    $BUGZILLA_HOME/data/webdot +
    
# Restrict access to .dot files to the public webdot server at research.att.com 
    +# if research.att.com ever changed their IP, or if you use a different
    +# webdot server, you'll need to edit this
    +<FilesMatch ^[0-9]+\.dot$>
    +  Allow from 192.20.225.10
    +  Deny from all
    +</FilesMatch>
    +
    +# Allow access by a local copy of 'dot' to .png, .gif, .jpg, and
    +# .map files
    +<FilesMatch ^[0-9]+\.(png|gif|jpg|map)$>
    +  Allow from all
    +</FilesMatch>
    +
    +# And no directory listings, either.
    +Deny from all
    +        
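Review bot: Allow/Deny are capitalized in this file but lowercase in the other four; Apache treats them the same, so this is only a consistency point, but one style across the five listings would be clearer. The IP allow-list for .dot files relies on the same default Order Deny,Allow as the other files, so the explicit `Order Deny,Allow` suggested for them belongs here too.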

    $BUGZILLA_HOME/Bugzilla/.htaccess +
    
# nothing in this directory is retrievable unless overriden by an .htaccess
    +# in a subdirectory
    +deny from all
    +         
    +

    $BUGZILLA_HOME/template/.htaccess +
    
# nothing in this directory is retrievable unless overriden by an .htaccess
    +# in a subdirectory
    +deny from all
    +         
    +

  • @@ -411,7 +659,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Template CustomisationTemplate Customization