Change to update sections 3 and 4, miscellaneous updates.

0f610cfd · barnboy%trilobyte.net · 7246e683 · 0f610cfd
Commit 0f610cfd authored Mar 08, 2001 by barnboy%trilobyte.net
Show whitespace changes
Inline Side-by-side

Showing with 149 additions and 93 deletions

README README +149 -93

No files found.
--- a/README
+++ b/README
@@ -5,11 +5,14 @@ This is Bugzilla.  See <http://www.mozilla.org/bugs/>.
        DISCLAIMER
        ==========
-   This is not very well packaged code.  It's not packaged at all.  Don't
+   Bugzilla is not a package where you can just plop it in a directory,
-come here expecting something you plop in a directory, twiddle a few
+twiddle a few things, and you're off.  Installing Bugzilla assumes you
-things, and you're off and using it.  Work has to be done to get there.  
+know your variant of UNIX or Microsoft Windows well, are familiar with the
-We'd like to get there, but it wasn't clear when that would be, and so we
+command line, and are comfortable compiling and installing a plethora
-decided to let people see it first.
+of third-party utilities.  To install Bugzilla on Win32 requires
+fair Perl proficiency, and if you use a webserver other than Apache you
+should be intimately familiar with the security mechanisms and CGI
+environment thereof.
   Bugzilla has not undergone a complete security review. Security holes
 may exist in the code.  Great care should be taken both in the installation
@@ -17,26 +20,46 @@ and usage of this software.  Carefully consider the implications of
 installing other network services with Bugzilla.
+        ===========
+        CONVENTIONS
+        ===========
+  Throughout this README and "The Bugzilla Guide" in the docs/ folder,
+we use some writing conventions.  Bourne shell prompts are used
+generically to indicate any shell.
+	File Names 					file.extension
+	Directory Names 				directory/
+	Commands to be typed 				<shell> command
+	Prompt of user command under bash shell:	bash$
+	Prompt of root user command under bash shell:	bash#
+	Prompt of user command under tcsh shell:	tcsh$
+	Environment Variables				VARIABLE
+	Emphasized word					*word* 
        ============
        INSTALLATION
        ============
 0. Introduction
-   Installation of bugzilla is pretty straight forward, especially if your
+   Installation of bugzilla is pretty straightforward, particularly if your
 machine already has MySQL and the MySQL-related perl packages installed.
 If those aren't installed yet, then that's the first order of business.  The
 other necessary ingredient is a web server set up to run cgi scripts.
+While using Apache for your webserver is not required, it is recommended.
   Bugzilla has been successfully installed under Solaris, Linux, and
-Windows NT. The peculiarities of installing on Windows NT have not
+Win32. The peculiarities of installing on Win32 (Win98+/NT/2K) are not
-been included in this README; please consult the Bugzilla Guide for
+included in this README; please consult the Bugzilla Guide for more
-detailed Windows NT installation instructions.
+detailed Win32 installation instructions.
  The Bugzilla Guide is contained in the "docs/" folder.  It is available
 in plain text (docs/txt), HTML (docs/html), or SGML source (docs/sgml).
-news://news.mozilla.org/19990913183810.SVTR29939.mta02@onebox.com
 1. Installing the Prerequisites
@@ -50,18 +73,22 @@ news://news.mozilla.org/19990913183810.SVTR29939.mta02@onebox.com
        6. TimeDate Perl module collection
        7. GD perl module (1.8.3)
        8. Chart::Base Perl module (0.99c)
-        9. The web server of your choice
+        9. The web server of your choice.  Apache is recommended.
-   Bugzilla has quite a few prerequisites, but none of them are TCL.
+	For the contrib/bug_email.pl interface, you also need:
-Previous versions required TCL, but it no longer needed (or used).
+	10.  MIME::Parser Perl module
    You must also run Bugzilla on a filesystem that supports file locking via
 flock().  This is necessary for Bugzilla to operate safely with multiple
 instances.
+    It is a good idea, while installing Bugzilla, to ensure it is not
+accessible from the Internet.  The machine may be vulnerable to attacks
+while you are installing. 
 1.1. Getting and setting up MySQL database (3.22.5 or greater)
-   Visit MySQL homepage at http://www.mysql.org and grab the latest stable
+   Visit MySQL homepage at http://www.mysql.org/ and grab the latest stable
 release of the server.  Both binaries and source are available and which
 you get shouldn't matter.  Be aware that many of the binary versions
 of MySQL store their data files in /var which on many installations
@@ -80,6 +107,10 @@ may put on bugs.  If you add something like "-O max_allowed_packet=1M"
 to the command that starts mysqld (or safe_mysqld), then you will be
 able to have attachments up to about 1 megabyte.
+  If you plan on running Bugzilla and MySQL on the same machine,
+consider using the "--skip-networking" option in the init script.
+This enhances security by preventing network access to MySQL.
 1.2. Perl (5.004 or greater)
  Any machine that doesn't have perl on it is a sad machine indeed.  Perl
@@ -94,6 +125,20 @@ a sane install.  In the subsequent sections you'll be installing quite
 a few perl modules; this can be quite ornery if your perl installation
 isn't up to snuff.
+SHORTCUT:  You can skip the following Perl module installation
+steps by installing "Bundle::Bugzilla" from CPAN, which includes them.
+All Perl module installation steps require you have an active Internet
+connection.
+	bash# perl -MCPAN -e 'install "Bundle::Bugzilla"'
+    Bundle::Bugzilla doesn't include GD, Chart::Base, or MIME::Parser,
+which are not essential to a basic Bugzilla install.  If installing
+this bundle fails, you should install each module individually to
+isolate the problem.
 1.3. DBI Perl module
   The DBI module is a generic Perl module used by other database related
@@ -113,7 +158,7 @@ which does all the hard work for you.
 To use the CPAN shell to install DBI:
-               1. Type perl -MCPAN -e 'install "DBI"'
+	bash#  perl -MCPAN -e 'install "DBI"'
 (replace DBI with the name of the module you wish to install, Data::Dumper,
 etc...)
@@ -209,7 +254,8 @@ versions of GD.
   You have a freedom of choice here - Apache, Netscape or any other
 server on UNIX would do.  You can easily run the web server on a different
-machine than MySQL, but that makes MySQL permissions harder to manage.
+machine than MySQL, but need to adjust the MySQL "bugs" user permissions
+accordingly.
   You'll want to make sure that your web server will run any file
 with the .cgi extension as a cgi and not just display it.  If you're using
@@ -231,24 +277,32 @@ access.conf.
 2. Installing the Bugzilla Files
-   You should untar the bugzilla files into a directory that you're
+   You should untar the Bugzilla files into a directory that you're
 willing to make writable by the default web server user (probably
 'nobody').  You may decide to put the files off of the main web space
 for your web server or perhaps off of /usr/local with a symbolic link
 in the web space that points to the bugzilla directory.  At any rate,
 just dump all the files in the same place (optionally omitting the CVS
-directory if it accidentally got tarred up with the rest of bugzilla)
+directories if they were accidentally tarred up with the rest of Bugzilla)
-and make sure you can get at the files in that directory through your
+and make sure you can access the files in that directory through your
 web server.
+HINT:  If you symlink the bugzilla directory into your Apache's
+HTML heirarchy, you may receive "Forbidden" errors unless you
+add the "FollowSymLinks" directive to the <Directory> entry
+for the HTML root.
   Once all the files are in a web accessible directory, make that
 directory writable by your webserver's user (which may require just
-making it world writable).  
+making it world writable).  This is a temporary step until you run
+the post-install "checksetup.pl" script, which locks down your
+installation.
   Lastly, you'll need to set up a symbolic link from /usr/bonsaitools/bin
 to the correct location of your perl executable (probably /usr/bin/perl).
-Or, you'll have to hack all the .cgi files to change where they look
+Otherwise you must hack all the .cgi files to change where they look
-for perl.
+for perl.  To make future upgrades easier, you should use the symlink
+approach.
 3. Setting Up the MySQL database
@@ -256,62 +310,55 @@ for perl.
 to start preparing the database for its life as a the back end to a high
 quality bug tracker.
-    First, you'll want to fix MySQL permissions.  By default, Bugzilla
+    First, you'll want to fix MySQL permissions to allow access from
-logs in as user "bugs", with no password.  That needs to work.  MySQL
+Bugzilla.  For the purpose of this README, the Bugzilla username
-permissions are a deep, nasty complicated thing.  I've just turned
+will be "bugs", and will have minimal permissions.  Bugzilla has
-them off.  If you want to do that, too, then the magic is to do run
+not undergone a thorough security audit.  It may be possible for
-"mysql mysql", and feed it commands like this (replace all instances of
+a system cracker to somehow trick Bugzilla into executing a command
-HOSTNAME with the name of the machine mysql is running on):
+such as "; DROP DATABASE mysql".
-        DELETE FROM host;
+    That would be bad.
-        DELETE FROM user;
-        INSERT INTO host VALUES
+    Give the MySQL root user a password.  MySQL passwords are
-          ('localhost','%','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
+limited to 16 characters.
-        INSERT INTO host VALUES
-          (HOSTNAME,'%','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
+	bash$ mysql -u root mysql
-        INSERT INTO user VALUES
+	mysql> UPDATE user SET Password=PASSWORD ('new_password')
-          ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y',
+	WHERE user='root';
-          'Y','Y','Y','Y','Y');
+	mysql> FLUSH PRIVILEGES;
-        INSERT INTO user VALUES
-          (HOSTNAME,'','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',
+    From this point on, if you need to access MySQL as the
-          'Y','Y','Y');
+MySQL root user, you will need to use "mysql -u root -p" and
-        INSERT INTO user VALUES
+enter your new_password.  Remember that MySQL user names have
-          (HOSTNAME,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',
+nothing to do with Unix user names (login names).
-          'Y','Y','Y','Y');
-        INSERT INTO user VALUES
+    Next, we create the "bugs" user, and grant sufficient
-          ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',
+permissions for checksetup.pl, which we'll use later, to work
-          'Y','Y','Y','Y');
+its magic.  This also restricts the "bugs" user to operations
+within a database called "bugs", and only allows the account
-The number of 'Y' entries to use varies with the version of MySQL; they
+to connect from "localhost".  Modify it to reflect your setup
-keep adding columns.  The list here should work with version 3.22.23b.
+if you will be connecting from another machine or as a different
+user.
-This run of "mysql mysql" may need some extra parameters to deal with
-whatever database permissions were set up previously.  In particular,
+    Remember to set bugs_password to some unique password.
-you might have to say "mysql -uroot mysql", and give it an appropriate
-password.
+	mysql> GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,
+		ALTER,CREATE,DROP,REFERENCES 
-For much more information about MySQL permissions, see the MySQL
+		ON bugs.* TO bugs@localhost
-documentation.
+		IDENTIFIED BY 'bugs_password';
+	mysql> FLUSH PRIVILEGES;
-After you've tweaked the permissions, run "mysqladmin reload" to make
-sure that the database server knows to look at your new permission list.
+Next, run the magic checksetup.pl script.  (Many thanks to Holger
+Schurig <holgerschurig@nikocity.de> for writing this script!)
-Or, at the mysql prompt:
+It will make sure Bugzilla files and directories have reasonable
+permissions, set up the "data" directory, and create all the MySQL
-mysql> flush privileges;
+tables.
-You must explictly tell mysql to reload permissions before running
+        bash$ ./checksetup.pl
-checksetup.pl.
-Next, you can just run the magic checksetup.pl script.  (Many thanks
-to Holger Schurig <holgerschurig@nikocity.de> for writing this script!)
-It will make sure things have reasonable permissions, set up the "data"
-directory, and create all the MySQL tables.  Just run:
-        ./checksetup.pl
   The first time you run it, it will create a file called "localconfig".
 4. Tweaking localconfig
   This file contains a variety of settings you may need to tweak including
@@ -322,18 +369,16 @@ how Bugzilla should connect to the MySQL database.
        1. server's host: just use "localhost" if the MySQL server is
                local
        2. database name: "bugs" if you're following these directions
-        3. MySQL username: whatever you created for your webserver user
+        3. MySQL username: "bugs" if you're following these directions
-        4. Password for the MySQL account in item 3.
+        4. Password for the "bugs" MySQL account in item 3.
   Once you are happy with the settings, re-run checksetup.pl.  On this
-second run, it will do the real work of creating the database.
+second run, it will create the database and an administrator account
+for which you will be prompted to provide information.
-   One thing it will do is to automatically create an administrator account
+   When logged into an administrator account once Bugzilla is running,
-from information it will ask for.
+if you go to the query page (off of the bugzilla main menu), you'll
+find an 'edit parameters' option that is filled with editable treats.
-   When logged into an administrator account, if you go to the query page
-(off of the bugzilla main menu), you'll find an 'edit parameters' option
-that is filled with editable treats.
   Should everything work, you should have a nearly empty copy of the bug
 tracking setup.
@@ -351,11 +396,11 @@ without causing harm.  You should run it after any upgrade to Bugzilla.
 5. Setting Up Maintainers Manually (Optional)
    If you want to add someone else to every group by hand, you can do it
-by typing the appropriate MySQL commands.  Run 'mysql bugs' (you may need
+by typing the appropriate MySQL commands.  Run 'mysql -u root -p bugs'
-extra parameters, depending on your security settings according to
+(you may need different parameters, depending on your security settings
-section 3, above), and type:
+according to section 3, above).  Then:
-        update profiles set groupset=0x7fffffffffffffff
+        mysql> update profiles set groupset=0x7fffffffffffffff
        	where login_name = 'XXX';
 replacing XXX with the Bugzilla email address.
@@ -373,16 +418,22 @@ crontab man page):
 7. Bug Graphs (Optional)
   As long as you installed the GD and Graph::Base Perl modules you might
-as well turn on the nifty bugzilla bug reporting graphs.  Just add
+as well turn on the nifty bugzilla bug reporting graphs.
-the command:
-        cd <your-bugzilla-directory> ; ./collectstats.pl
+	bash# crontab -e
+   Adding this entry runs collectstats daily at 5 after midnight:
+        5 0 * * * cd <your-bugzilla-directory> ; ./collectstats.pl
-as a nightly entry to your crontab and after two days have passed you'll
+After two days have passed you'll be able to view bug graphs from the
-be able to view bug graphs from the Bug Reports page.
+Bug Reports page.
 8. Real security for MySQL
+If you followed the README for setting up your "bugs" and "root" user in
+MySQL, much of this should not apply to you.  If you are upgrading
+an existing installation of Bugzilla, you should pay close attention
+to this section.
 MySQL has "interesting" default security parameters:
        mysqld defaults to running as root
        it defaults to allowing external network connections
@@ -507,5 +558,10 @@ Martin Pool, & Dan Mosedale (But don't send bug reports to them!
 Report them using bugzilla, at http://bugzilla.mozilla.org/enter_bug.cgi ,
 project Webtools, component Bugzilla).
+  This document was heavily modified again Wednesday, March 07 2001 to
+reflect changes for Bugzilla 2.12 release by Matthew P. Barnson.  The
+securing MySQL section should be changed to become standard procedure
+for Bugzilla installations.
   Comments from people using this document for the first time are
 especially welcomed.