Diffstat (limited to 'docs/html/security.html')
-rw-r--r-- | docs/html/security.html | 334 |
1 files changed, 0 insertions, 334 deletions
diff --git a/docs/html/security.html b/docs/html/security.html deleted file mode 100644 index e1ca3631d..000000000 --- a/docs/html/security.html +++ /dev/null 
@@ -1,334 +0,0 @@ -<HTML -><HEAD -><TITLE ->Bugzilla Security</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.64 -"><LINK -REL="HOME" -TITLE="The Bugzilla Guide" -HREF="index.html"><LINK -REL="UP" -TITLE="Administering Bugzilla" -HREF="administration.html"><LINK -REL="PREVIOUS" -TITLE="Product, Component, Milestone, and Version Administration" -HREF="programadmin.html"><LINK -REL="NEXT" -TITLE="Using Bugzilla" -HREF="using.html"></HEAD -><BODY -CLASS="SECTION" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->The Bugzilla Guide</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="programadmin.html" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" ->Chapter 3. Administering Bugzilla</TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="using.html" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="SECTION" -><H1 -CLASS="SECTION" -><A -NAME="SECURITY" ->3.4. Bugzilla Security</A -></H1 -><TABLE -BORDER="0" -WIDTH="100%" -CELLSPACING="0" -CELLPADDING="0" -CLASS="EPIGRAPH" -><TR -><TD -WIDTH="45%" -> </TD -><TD -WIDTH="45%" -ALIGN="LEFT" -VALIGN="TOP" -><I -><P -><I ->Putting your money in a wall safe is better protection than depending on the fact that - no one knows that you hide your money in a mayonnaise jar in your fridge.</I -></P -></I -></TD -></TR -></TABLE -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> Poorly-configured MySQL, Bugzilla, and FTP installations have given attackers full - access to systems in the past. Please take these guidelines seriously, even - for Bugzilla machines hidden away behind your firewall. 80% of all computer - trespassers are insiders, not anonymous crackers. 
- </P -></BLOCKQUOTE -></DIV -><P -> First thing's first: Secure your installation. - <DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> These instructions must, of necessity, be somewhat vague since Bugzilla runs on so many different - platforms. If you have refinements of these directions for specific platforms, please - submit them to <A -HREF="mailto://mozilla-webtools@mozilla.org" -TARGET="_top" ->mozilla-webtools@mozilla.org</A -> - </P -></BLOCKQUOTE -></DIV -> - <P -></P -><OL -TYPE="1" -><LI -><P -> Ensure you are running at least MysQL version 3.22.32 or newer. Earlier versions had - notable security holes and poorly secured default configuration choices. - </P -></LI -><LI -><P -><EM ->There is no substitute for understanding the tools on your system!</EM -> - Read <A -HREF="http://www.mysql.com/documentation/mysql/bychapter/manual_Privilege_system.html" -TARGET="_top" -> The MySQL Privelege System</A -> until you can recite it from memory!</P -><P -> At the very least, ensure you password the "mysql -u root" account and the "bugs" account, establish grant - table rights (consult the Keystone guide in Appendix C: The Bugzilla Database for some easy-to-use details) - that do not allow CREATE, DROP, RELOAD, SHUTDOWN, and PROCESS for user "bugs". I wrote up the Keystone - advice back when I knew far less about security than I do now : ) - </P -></LI -><LI -><P -> Lock down /etc/inetd.conf. Heck, disable inet entirely on this box. It should only listen to - port 25 for Sendmail - and port 80 for Apache. - </P -></LI -><LI -><P ->Do not run Apache as "nobody". This will require very lax permissions in your Bugzilla directories. - Run it, instead, as a user with a name, set via your httpd.conf file.</P -></LI -><LI -><P -> Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ and - $BUGZILLA_HOME/shadow/ directories, as well as the $BUGZILLA_HOME/localconfig and - $BUGZILLA_HOME/globals.pl files. 
- The localconfig file stores your "bugs" user password, - which would be terrible to have in the hands - of a criminal, while the "globals.pl" stores some default information regarding your - installation which could aid a system cracker. - In addition, some files under $BUGZILLA_HOME/data/ store sensitive information, and - $BUGZILLA_HOME/shadow/ stores bug information for faster retrieval. If you fail to secure - these directories and this file, you will expose bug information to those who may not - be allowed to see it. - </P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B -> Bugzilla provides default .htaccess files to protect the most common Apache - installations. However, you should verify these are adequate according to the site-wide - security policy of your web server, and ensure that the .htaccess files are - allowed to "override" default permissions set in your Apache configuration files. - Covering Apache security is beyond the scope of this Guide; please consult the Apache - documentation for details. - </P -><P -> If you are using a web server that does not support the .htaccess control method, - <EM ->you are at risk!</EM -> After installing, check to see if you can - view the file "localconfig" in your web browser (ergo: - <A -HREF="http://bugzilla.mozilla.org/localconfig" -TARGET="_top" -> http://bugzilla.mozilla.org/localconfig</A ->. If you can read the contents of this - file, your web server has not secured your bugzilla directory properly and you - must fix this problem before deploying Bugzilla. If, however, it gives you a - "Forbidden" error, then it probably respects the .htaccess conventions and you - are good to go. 
- </P -></BLOCKQUOTE -></DIV -><P -> On Apache, you can use .htaccess files to protect access to these directories, as outlined - in <A -HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" -TARGET="_top" ->Bug 57161</A -> for the - localconfig file, and <A -HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572" -TARGET="_top" -> Bug 65572</A -> for adequate protection in your data/ and shadow/ directories. - </P -><P -> Note the instructions which follow are Apache-specific. If you use IIS, Netscape, or other - non-Apache web servers, please consult your system documentation for how to secure these - files from being transmitted to curious users. - </P -><P -> Place the following text into a file named ".htaccess", readable by your web server, - in your $BUGZILLA_HOME/data directory. - <P -CLASS="LITERALLAYOUT" -> <Files comments><br> - allow from all<br> - </Files><br> - deny from all<br> - </P -> - </P -><P -> Place the following text into a file named ".htaccess", readable by your web server, - in your $BUGZILLA_HOME/ directory. - <P -CLASS="LITERALLAYOUT" -> <Files localconfig><br> - deny from all<br> - </Files><br> - allow from all<br> - </P -> - </P -><P -> Place the following text into a file named ".htaccess", readable by your web server, - in your $BUGZILLA_HOME/shadow directory. 
- <P -CLASS="LITERALLAYOUT" -> deny from all<br> - </P -> - </P -></LI -></OL -> - </P -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="programadmin.html" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="index.html" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="using.html" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Product, Component, Milestone, and Version Administration</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="administration.html" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Using Bugzilla</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
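Review bot: Deleting docs/html/security.html on its own leaves dangling navigation in the generated tree: the NAVHEADER and NAVFOOTER being removed show programadmin.html (Prev) and using.html (Next) pointing at this page, and the diffstat shows no other file touched. If docs/html/ is generated output from the DocBook source, the commit message should say so and the rest of the generated pages should be removed or regenerated in the same change; if this page is being dropped deliberately, the guidance it carried (password the "mysql -u root" and "bugs" accounts and withhold CREATE, DROP, RELOAD, SHUTDOWN and PROCESS from "bugs", do not run Apache as "nobody", protect localconfig, globals.pl, data/ and shadow/ with .htaccess and verify by requesting localconfig in a browser) should be confirmed to survive elsewhere in the Guide before merging.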