Bug 140355 - warn the user about not using a webserver group

r=gerv, justdave

Bug 140355 - warn the user about not using a webserver group
5b38103b · bbaetz%student.usyd.edu.au · d436d903 · 5b38103b
Commit 5b38103b authored Apr 04, 2008 by bbaetz%student.usyd.edu.au
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

administration.xml docs/en/xml/administration.xml +13 -0

No files found.
--- a/docs/en/xml/administration.xml
+++ b/docs/en/xml/administration.xml
@@ -1367,6 +1367,19 @@ Group3, since he isn't in Group4.
 	    </para>
 	  </note>
      <para>
+        When you run checksetup.pl, the script will attempt to modify various
+        permissions on files which Bugzilla uses. If you do not have a
+        webservergroup set in the localconfig file, then Bugzilla will have to
+        make certain files world readable and/or writable. <emphasis>THIS IS
+        INSECURE!</emphasis>. This means that anyone who can get access to
+        your system can do whatever they want to your Bugzilla installation.
+        <note>
+          This also means that if your webserver runs all cgi scripts as the
+          same user/group, anyone on the system who can run cgi scripts will
+          be able to take control of your Bugzilla installation.
+        </note>
+      </para>
+	  <para>
 	    On Apache, you can use .htaccess files to protect access
 	    to these directories, as outlined in <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=57161">Bug 57161</ulink> for the localconfig file, and <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=65572"> Bug 65572</ulink> for adequate protection in your data/ and shadow/ directories.
 	  </para>