<!-- mirror of https://github.com/mozilla/gecko-dev.git -->
<HTML>
<HEAD>
<TITLE>Bugzilla Security</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+">
<LINK REL="HOME" TITLE="The Bugzilla Guide" HREF="index.html">
<LINK REL="UP" TITLE="Administering Bugzilla" HREF="administration.html">
<LINK REL="PREVIOUS" TITLE="Groups and Group Security" HREF="groups.html">
<LINK REL="NEXT" TITLE="Template Customisation" HREF="cust-templates.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">The Bugzilla Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="groups.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 5. Administering Bugzilla</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="cust-templates.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="security">5.6. Bugzilla Security</A></H1>
<DIV CLASS="warning">
<P></P>
<TABLE CLASS="warning" WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<P>Poorly-configured MySQL and Bugzilla installations have given attackers full access to systems in the past. Please take these guidelines seriously, even for Bugzilla machines hidden away behind your firewall. 80% of all computer trespassers are insiders, not anonymous crackers.</P>
</TD>
</TR>
</TABLE>
</DIV>
<DIV CLASS="note">
<P></P>
<TABLE CLASS="note" WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<P>These instructions must, of necessity, be somewhat vague, since Bugzilla runs on so many different platforms. If you have refinements of these directions for specific platforms, please submit them to <A HREF="mailto://mozilla-webtools@mozilla.org" TARGET="_top">mozilla-webtools@mozilla.org</A>.</P>
</TD>
</TR>
</TABLE>
</DIV>
<P>To secure your installation:</P>
<OL TYPE="1">
<LI><P>Ensure you are running MySQL version 3.22.32 or newer. Earlier versions had notable security holes and (from a security point of view) poor default configuration choices.</P></LI>
<LI><P><EM>There is no substitute for understanding the tools on your system!</EM> Read <A HREF="http://www.mysql.com/doc/P/r/Privilege_system.html" TARGET="_top">The MySQL Privilege System</A> until you can recite it from memory!</P></LI>
<LI><P>Lock down /etc/inetd.conf. Heck, disable inetd entirely on this box. It should only listen on port 25 for Sendmail and port 80 for Apache.</P></LI>
<LI><P>Do not run Apache as <SPAN CLASS="QUOTE">"nobody"</SPAN>. This will require very lax permissions in your Bugzilla directories. Run it, instead, as a user with a name, set via your httpd.conf file.</P>
<DIV CLASS="note">
<P></P>
<TABLE CLASS="note" WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<P><SPAN CLASS="QUOTE">"nobody"</SPAN> is a real user on UNIX systems. Having a process run as user id <SPAN CLASS="QUOTE">"nobody"</SPAN> gives absolutely no more protection against system crackers than any other user account. As a general security measure, I recommend you create unique user IDs for each daemon running on your system and, if possible, use "chroot" to jail that process away from the rest of your system.</P>
</TD>
</TR>
</TABLE>
</DIV>
</LI>
<LI><P>Ensure you have adequate access controls for the $BUGZILLA_HOME/data/ directory, as well as the $BUGZILLA_HOME/localconfig file. The localconfig file stores your "bugs" database account password. In addition, some files under $BUGZILLA_HOME/data/ store sensitive information.</P>
<P>Bugzilla provides default .htaccess files to protect the most common Apache installations. However, you should verify these are adequate according to the site-wide security policy of your web server, and ensure that the .htaccess files are allowed to "override" default permissions set in your Apache configuration files. Covering Apache security is beyond the scope of this Guide; please consult the Apache documentation for details.</P>
<P>If you are using a web server that does not support the .htaccess control method, <EM>you are at risk!</EM> After installing, check to see if you can view the file "localconfig" in your web browser (e.g.: <A HREF="http://bugzilla.mozilla.org/localconfig" TARGET="_top">http://bugzilla.mozilla.org/localconfig</A>). If you can read the contents of this file, your web server has not secured your Bugzilla directory properly and you must fix this problem before deploying Bugzilla. If, however, it gives you a "Forbidden" error, then it probably respects the .htaccess conventions and you are good to go.</P>
<P>When you run checksetup.pl, the script will attempt to modify various permissions on files which Bugzilla uses. If you do not have a webservergroup set in the localconfig file, then Bugzilla will have to make certain files world readable and/or writable. <EM>THIS IS INSECURE!</EM> This means that anyone who can get access to your system can do whatever they want to your Bugzilla installation.</P>
<DIV CLASS="note">
<P></P>
<TABLE CLASS="note" WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<P>This also means that if your web server runs all CGI scripts as the same user/group, anyone on the system who can run CGI scripts will be able to take control of your Bugzilla installation.</P>
</TD>
</TR>
</TABLE>
</DIV>
<P>On Apache, you can use .htaccess files to protect access to these directories, as outlined in <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=57161" TARGET="_top">Bug 57161</A> for the localconfig file, and <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=65572" TARGET="_top">Bug 65572</A> for adequate protection in your data/ directory.</P>
<P>Note that the instructions which follow are Apache-specific. If you use IIS, Netscape, or other non-Apache web servers, please consult your system documentation for how to secure these files from being transmitted to curious users.</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/data directory.</P>
<P CLASS="literallayout">&lt;Files comments&gt;<br>
allow from all<br>
&lt;/Files&gt;<br>
deny from all</P>
<P>Place the following text into a file named ".htaccess", readable by your web server, in your $BUGZILLA_HOME/ directory.</P>
<P CLASS="literallayout">&lt;Files localconfig&gt;<br>
deny from all<br>
&lt;/Files&gt;<br>
allow from all</P>
</LI>
</OL>
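<P>Several items in the checklist above can be verified mechanically: that localconfig and data/ are not world-accessible, that webservergroup is set before checksetup.pl is run, that both .htaccess files are in place, and that a request for /localconfig comes back "Forbidden". The following Python script is an added example, not part of the Bugzilla Guide or of Bugzilla itself. It assumes that localconfig contains a Perl assignment of the form <CODE>$webservergroup = "apache";</CODE> and that a web server honouring the .htaccess rules answers the probe with HTTP 403; the sample installation it builds in a temporary directory is constructed data, not a real install.</P>

```python
# Added example (not from the Bugzilla Guide or the Bugzilla project): audit the
# file-system items of the checklist above and classify the "/localconfig" probe
# the Guide describes. Assumptions: localconfig holds a Perl assignment of the
# form  $webservergroup = "apache";  and a server honouring .htaccess returns 403.
import os
import re
import stat
import sys
import tempfile
import urllib.error
import urllib.request

WEBSERVERGROUP_RE = re.compile(
    r'^\s*\$webservergroup\s*=\s*["\']([^"\']*)["\']\s*;', re.MULTILINE)
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH

# The two .htaccess files the Guide tells you to create, verbatim.
DATA_HTACCESS = "<Files comments>\nallow from all\n</Files>\ndeny from all\n"
HOME_HTACCESS = "<Files localconfig>\ndeny from all\n</Files>\nallow from all\n"


def world_access(path):
    """Return the 'other' permission bits of path; 0 means not world-accessible."""
    return os.stat(path).st_mode & WORLD_BITS


def audit_bugzilla_home(home):
    """Check $BUGZILLA_HOME against the checklist; an empty list means nothing flagged."""
    findings = []
    localconfig = os.path.join(home, "localconfig")
    data_dir = os.path.join(home, "data")

    if not os.path.isfile(localconfig):
        findings.append("localconfig is missing (checksetup.pl has not been run)")
    else:
        if world_access(localconfig):
            findings.append("localconfig is world-accessible; it holds the 'bugs' database password")
        with open(localconfig, encoding="utf-8", errors="replace") as fh:
            match = WEBSERVERGROUP_RE.search(fh.read())
        if match is None or match.group(1).strip() == "":
            findings.append("webservergroup is not set; checksetup.pl will make files world readable/writable")

    if not os.path.isfile(os.path.join(home, ".htaccess")):
        findings.append(".htaccess protecting localconfig is missing from $BUGZILLA_HOME")

    if not os.path.isdir(data_dir):
        findings.append("data/ directory is missing")
        return findings
    if not os.path.isfile(os.path.join(data_dir, ".htaccess")):
        findings.append(".htaccess is missing from data/")
    # data/ and everything below it must not be reachable by 'other'.
    entries = [data_dir]
    for root, dirs, files in os.walk(data_dir):
        entries.extend(os.path.join(root, name) for name in dirs + files)
    for path in entries:
        bits = world_access(path)
        rel = os.path.relpath(path, home)
        if bits & stat.S_IWOTH:
            findings.append(f"{rel} is world-writable")
        elif bits:
            findings.append(f"{rel} is world-readable")
    return findings


def classify_exposure(status):
    """Turn the HTTP status of GET /localconfig into the Guide's verdict."""
    if status == 200:
        return "exposed"        # the file is readable: fix before deploying
    if status in (401, 403):
        return "protected"      # "Forbidden": the .htaccess rules are honoured
    if status == 404:
        return "not found"      # probe hit the wrong URL; re-check the base URL
    return "unknown"


def check_localconfig_exposure(base_url, opener=urllib.request.urlopen):
    """Fetch <base_url>/localconfig; this needs network access, so it is not run offline."""
    url = base_url.rstrip("/") + "/localconfig"
    try:
        with opener(url, timeout=10) as resp:
            return classify_exposure(resp.status)
    except urllib.error.HTTPError as err:
        return classify_exposure(err.code)


def build_demo_home(home, hardened):
    """Construct a sample $BUGZILLA_HOME (constructed data, not a real install)."""
    data_dir = os.path.join(home, "data")
    os.makedirs(data_dir, exist_ok=True)
    group = "apache" if hardened else ""
    with open(os.path.join(home, "localconfig"), "w") as fh:
        fh.write(f'$webservergroup = "{group}";\n$db_pass = "constructed-sample";\n')
    with open(os.path.join(data_dir, "params"), "w") as fh:
        fh.write("# constructed sample data file\n")
    paths = [os.path.join(home, "localconfig"), os.path.join(data_dir, "params")]
    if hardened:
        for name, text in ((".htaccess", HOME_HTACCESS), (os.path.join("data", ".htaccess"), DATA_HTACCESS)):
            with open(os.path.join(home, name), "w") as fh:
                fh.write(text)
            paths.append(os.path.join(home, name))
    for path in paths:
        os.chmod(path, 0o640 if hardened else 0o666)   # 0666 is what "no webservergroup" leaves behind
    os.chmod(data_dir, 0o750 if hardened else 0o777)


def demo(hardened):
    """Build a throwaway sample installation in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as home:
        build_demo_home(home, hardened)
        return audit_bugzilla_home(home)


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened:" if hardened else "as installed:", demo(hardened) or ["clean"])
    if len(sys.argv) > 1:   # optional: python audit.py http://bugzilla.example.org/
        print("localconfig exposure:", check_localconfig_exposure(sys.argv[1]))
```

<P>Run without arguments the script audits two constructed layouts, one left as a webservergroup-less checksetup.pl would leave it and one with the group set, restrictive modes and both .htaccess files, and prints the findings for each. Given a base URL it also performs the browser check from the text, mapping a 200 to "exposed" and a 403 to "protected"; a 404 usually means the wrong base URL rather than a protected file, which is why it is reported separately.</P>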
</P>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="groups.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="cust-templates.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Groups and Group Security</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="administration.html" ACCESSKEY="U">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Template Customisation</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>