Skip to content

bugzilla
bugzilla
Commit d747fb6f authored by lpsolit%gmail.com's avatar lpsolit%gmail.com
Browse files
Options

Bug 510496: Recommend the admin to run mysql_secure_installation rather than…

Bug 510496: Recommend the admin to run mysql_secure_installation rather than playing with command lines - Patch by Fré©ric Buclin <LpSolit@gmail.com> r=dkl
parent 9ced0509
Hide whitespace changes
Inline Side-by-side
Showing with 23 additions and 99 deletions
docs/en/xml/glossary.xml
View file @ d747fb6f
......@@ -306,8 +306,7 @@
<varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term>
<listitem>
<para>Much more detailed information about the suggestions in
<xref linkend="security-mysql"/>.
<para>Information about how to protect your MySQL server.
</para>
</listitem>
</varlistentry>
......
docs/en/xml/installation.xml
View file @ d747fb6f
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
<!-- $Id: installation.xml,v 1.170 2009/08/13 21:43:13 lpsolit%gmail.com Exp $ -->
<!-- $Id: installation.xml,v 1.171 2009/08/18 11:01:17 lpsolit%gmail.com Exp $ -->
<chapter id="installing-bugzilla">
<title>Installing Bugzilla</title>
......@@ -735,9 +735,23 @@
<caution>
<para>
MySQL's default configuration is very insecure.
<xref linkend="security-mysql"/> has some good information for
improving your installation's security.
MySQL's default configuration is insecure.
We highly recommend to run <filename>mysql_secure_installation</filename>
on Linux or the MySQL installer on Windows, and follow the instructions.
Important points to note are:
<orderedlist>
<listitem>
<para>Be sure that the root account has a secure password set.</para>
</listitem>
<listitem>
<para>Do not create an anonymous account, and if it exists, say "yes"
to remove it.</para>
</listitem>
<listitem>
<para>If your web server and MySQL server are on the same machine,
you should disable the network access.</para>
</listitem>
</orderedlist>
</para>
</caution>
......@@ -745,11 +759,11 @@
<title>Allow large attachments and many comments</title>
<para>By default, MySQL will only allow you to insert things
into the database that are smaller than 64KB. Attachments
into the database that are smaller than 1MB. Attachments
may be larger than this. Also, Bugzilla combines all comments
on a single bug into one field for full-text searching, and the
combination of all comments on a single bug are very likely to
be larger than 64KB.</para>
combination of all comments on a single bug could in some cases
be larger than 1MB.</para>
<para>To change MySQL's default, you need to edit your MySQL
configuration file, which is usually <filename>/etc/my.cnf</filename>
......
docs/en/xml/security.xml
View file @ d747fb6f
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
<!-- $Id: security.xml,v 1.19 2008/05/21 00:01:04 lpsolit%gmail.com Exp $ -->
<!-- $Id: security.xml,v 1.20 2009/08/18 11:01:18 lpsolit%gmail.com Exp $ -->
<chapter id="security">
<title>Bugzilla Security</title>
......@@ -80,96 +80,7 @@
</section>
</section>
<section id="security-mysql">
<title>MySQL</title>
<section id="security-mysql-account">
<title>The MySQL System Account</title>
<para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
daemon should run as a non-privileged, unique user. Be sure to consult
the MySQL documentation or the documentation that came with your system
for instructions.
</para>
</section>
<section id="security-mysql-root">
<title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
<para>By default, MySQL comes with a <quote>root</quote> user with a
blank password and an <quote>anonymous</quote> user, also with a blank
password. In order to protect your data, the <quote>root</quote> user
should be given a password and the anonymous user should be disabled.
</para>
<example id="security-mysql-account-root">
<title>Assigning the MySQL <quote>root</quote> User a Password</title>
<screen>
<prompt>bash$</prompt> mysql mysql
<prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
</screen>
</example>
<example id="security-mysql-account-anonymous">
<title>Disabling the MySQL <quote>anonymous</quote> User</title>
<screen>
<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/>
<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
<prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
</screen>
<calloutlist>
<callout arearefs="security-mysql-account-anonymous-mysql">
<para>This command assumes that you have already completed
<xref linkend="security-mysql-account-root"/>.
</para>
</callout>
</calloutlist>
</example>
</section>
<section id="security-mysql-network">
<title>Network Access</title>
<para>If MySQL and your web server both run on the same machine and you
have no other reason to access MySQL remotely, then you should disable
the network access. This, along with the suggestion in
<xref linkend="security-os-ports"/>, will help protect your system from
any remote vulnerabilities in MySQL.
</para>
<example id="security-mysql-network-ex">
<title>Disabling Networking in MySQL</title>
<para>Simply enter the following in <filename>/etc/my.cnf</filename>:
<screen>
[mysqld]
# Prevent network access to MySQL.
skip-networking
</screen>
</para>
</example>
</section>
<!-- For possible addition in the future: How to better control the bugs user
<section id="security-mysql-bugs">
<title>The bugs User</title>
</section>
-->
</section>
<section id="security-webserver">
<title>Web server</title>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment