author: lpsolit%gmail.com <> 2009-08-18 13:01:16 +0200
committer: lpsolit%gmail.com <> 2009-08-18 13:01:16 +0200
commit: d747fb6ff7493acf3c60ca71441caa18a31127ee
tree: de5a9425ed07e54e7a6b8128a586f4219f0f310f /docs
parent: 9ced0509261dacaa617c39d32ed2c2a4297f0cb2
Bug 510496: Recommend the admin to run mysql_secure_installation rather than playing with command lines - Patch by Frédéric Buclin <LpSolit@gmail.com> r=dkl
Diffstat (limited to 'docs')
-rw-r--r-- docs/en/xml/glossary.xml 3
-rw-r--r-- docs/en/xml/installation.xml 28
-rw-r--r-- docs/en/xml/security.xml 91
3 files changed, 23 insertions, 99 deletions
diff --git a/docs/en/xml/glossary.xml b/docs/en/xml/glossary.xml
index 5b6d1a6e7..127b94038 100644
--- a/docs/en/xml/glossary.xml
+++ b/docs/en/xml/glossary.xml
@@ -306,8 +306,7 @@
<varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term>
<listitem>
- <para>Much more detailed information about the suggestions in
- <xref linkend="security-mysql"/>.
+ <para>Information about how to protect your MySQL server.
</para>
</listitem>
</varlistentry>
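Review bot: the replacement sentence in this Privilege System entry ("Information about how to protect your MySQL server.") is broader than what the term and its Privilege_system.html link cover, and with the xref gone the entry no longer points to any of Bugzilla's own MySQL advice. Consider wording it as information about MySQL's privilege system and accounts, so the description matches the term it sits under.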
diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml
index c14e69819..7ae08a5a8 100644
--- a/docs/en/xml/installation.xml
+++ b/docs/en/xml/installation.xml
@@ -1,5 +1,5 @@
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: installation.xml,v 1.170 2009/08/13 21:43:13 lpsolit%gmail.com Exp $ -->
+<!-- $Id: installation.xml,v 1.171 2009/08/18 11:01:17 lpsolit%gmail.com Exp $ -->
<chapter id="installing-bugzilla">
<title>Installing Bugzilla</title>
@@ -735,9 +735,23 @@
<caution>
<para>
- MySQL's default configuration is very insecure.
- <xref linkend="security-mysql"/> has some good information for
- improving your installation's security.
+ MySQL's default configuration is insecure.
+ We highly recommend to run <filename>mysql_secure_installation</filename>
+ on Linux or the MySQL installer on Windows, and follow the instructions.
+ Important points to note are:
+ <orderedlist>
+ <listitem>
+ <para>Be sure that the root account has a secure password set.</para>
+ </listitem>
+ <listitem>
+ <para>Do not create an anonymous account, and if it exists, say "yes"
+ to remove it.</para>
+ </listitem>
+ <listitem>
+ <para>If your web server and MySQL server are on the same machine,
+ you should disable the network access.</para>
+ </listitem>
+ </orderedlist>
</para>
</caution>
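Review bot: list item 3 ("you should disable the network access") says what to do but not how, and it sits under a sentence telling the admin to run mysql_secure_installation and follow its instructions; that script's prompts deal with the root password, anonymous accounts and remote root logins, not with turning networking off. Since this same patch deletes the skip-networking example from security.xml, keep a one-line mention of that [mysqld] option in this item. Two smaller points in the same hunk: mysql_secure_installation is a command, so <command> fits better than <filename>, and "We highly recommend to run" reads better as "We highly recommend running".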
@@ -745,11 +759,11 @@
<title>Allow large attachments and many comments</title>
<para>By default, MySQL will only allow you to insert things
- into the database that are smaller than 64KB. Attachments
+ into the database that are smaller than 1MB. Attachments
may be larger than this. Also, Bugzilla combines all comments
on a single bug into one field for full-text searching, and the
- combination of all comments on a single bug are very likely to
- be larger than 64KB.</para>
+ combination of all comments on a single bug could in some cases
+ be larger than 1MB.</para>
<para>To change MySQL's default, you need to edit your MySQL
configuration file, which is usually <filename>/etc/my.cnf</filename>
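Review bot: the 64KB to 1MB change in this paragraph is unrelated to the stated purpose of the commit (recommending mysql_secure_installation) and is not mentioned in the commit message; mention it there or split it into its own change. The text also presents a single figure as "MySQL's default" while the previous revision gave a different one, so it would help to say which MySQL versions the 1MB limit applies to.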
diff --git a/docs/en/xml/security.xml b/docs/en/xml/security.xml
index f1835a333..61bc5b179 100644
--- a/docs/en/xml/security.xml
+++ b/docs/en/xml/security.xml
@@ -1,5 +1,5 @@
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: security.xml,v 1.19 2008/05/21 00:01:04 lpsolit%gmail.com Exp $ -->
+<!-- $Id: security.xml,v 1.20 2009/08/18 11:01:18 lpsolit%gmail.com Exp $ -->
<chapter id="security">
<title>Bugzilla Security</title>
@@ -80,96 +80,7 @@
</section>
</section>
-
-
-
- <section id="security-mysql">
- <title>MySQL</title>
-
- <section id="security-mysql-account">
- <title>The MySQL System Account</title>
-
- <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
- daemon should run as a non-privileged, unique user. Be sure to consult
- the MySQL documentation or the documentation that came with your system
- for instructions.
- </para>
- </section>
-
- <section id="security-mysql-root">
- <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
-
- <para>By default, MySQL comes with a <quote>root</quote> user with a
- blank password and an <quote>anonymous</quote> user, also with a blank
- password. In order to protect your data, the <quote>root</quote> user
- should be given a password and the anonymous user should be disabled.
- </para>
-
- <example id="security-mysql-account-root">
- <title>Assigning the MySQL <quote>root</quote> User a Password</title>
-
- <screen>
-<prompt>bash$</prompt> mysql mysql
-<prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
-<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
- </screen>
- </example>
-
- <example id="security-mysql-account-anonymous">
- <title>Disabling the MySQL <quote>anonymous</quote> User</title>
- <screen>
-<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/>
-<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
-<prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
-<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
- </screen>
- <calloutlist>
- <callout arearefs="security-mysql-account-anonymous-mysql">
- <para>This command assumes that you have already completed
- <xref linkend="security-mysql-account-root"/>.
- </para>
- </callout>
- </calloutlist>
- </example>
-
- </section>
-
- <section id="security-mysql-network">
- <title>Network Access</title>
-
- <para>If MySQL and your web server both run on the same machine and you
- have no other reason to access MySQL remotely, then you should disable
- the network access. This, along with the suggestion in
- <xref linkend="security-os-ports"/>, will help protect your system from
- any remote vulnerabilities in MySQL.
- </para>
-
- <example id="security-mysql-network-ex">
- <title>Disabling Networking in MySQL</title>
-
- <para>Simply enter the following in <filename>/etc/my.cnf</filename>:
- <screen>
-[mysqld]
-# Prevent network access to MySQL.
-skip-networking
- </screen>
- </para>
- </example>
-
- </section>
-
-<!-- For possible addition in the future: How to better control the bugs user
- <section id="security-mysql-bugs">
- <title>The bugs User</title>
-
- </section>
--->
-
- </section>
-
-
-
<section id="security-webserver">
<title>Web server</title>
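Review bot: the removed security-mysql-account subsection (run the MySQL daemon as a non-privileged, unique user) has no counterpart in the new caution in installation.xml, which lists only the root password, the anonymous account and network access. Either add it there as a fourth list item or confirm that security-os-accounts, which the removed text referenced, already covers it. This hunk also deletes the ids security-mysql, security-mysql-account, security-mysql-root, security-mysql-network and the example ids; the patch removes the xrefs in glossary.xml and installation.xml, but the rest of the docs tree should be checked for remaining linkend references to them.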