Commit d747fb6f authored by lpsolit%gmail.com

Bug 510496: Recommend the admin to run mysql_secure_installation rather than playing with command lines - Patch by Frédéric Buclin <LpSolit@gmail.com> r=dkl
parent 9ced0509
...@@ -306,8 +306,7 @@ ...@@ -306,8 +306,7 @@
<varlistentry> <varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term> <term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term>
<listitem> <listitem>
<para>Much more detailed information about the suggestions in <para>Information about how to protect your MySQL server.
<xref linkend="security-mysql"/>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
<!-- $Id: installation.xml,v 1.170 2009/08/13 21:43:13 lpsolit%gmail.com Exp $ --> <!-- $Id: installation.xml,v 1.171 2009/08/18 11:01:17 lpsolit%gmail.com Exp $ -->
<chapter id="installing-bugzilla"> <chapter id="installing-bugzilla">
<title>Installing Bugzilla</title> <title>Installing Bugzilla</title>
...@@ -735,9 +735,23 @@ ...@@ -735,9 +735,23 @@
<caution> <caution>
<para> <para>
MySQL's default configuration is very insecure. MySQL's default configuration is insecure.
<xref linkend="security-mysql"/> has some good information for We highly recommend to run <filename>mysql_secure_installation</filename>
improving your installation's security. on Linux or the MySQL installer on Windows, and follow the instructions.
Important points to note are:
<orderedlist>
<listitem>
<para>Be sure that the root account has a secure password set.</para>
</listitem>
<listitem>
<para>Do not create an anonymous account, and if it exists, say "yes"
to remove it.</para>
</listitem>
<listitem>
<para>If your web server and MySQL server are on the same machine,
you should disable the network access.</para>
</listitem>
</orderedlist>
</para> </para>
</caution> </caution>
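Review bot: item 3 of the new list ("you should disable the network access") is the one point that mysql_secure_installation does not handle for the admin, and this patch deletes the only place that showed how to do it (the skip-networking entry under [mysqld] in /etc/my.cnf, removed from security.xml). Suggest keeping that setting inline in this list item so the recommendation stays actionable. Two smaller points on the first paragraph: mysql_secure_installation is a program rather than a file, so <command> fits better than <filename>, and "We highly recommend to run" reads better as "We highly recommend running".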
...@@ -745,11 +759,11 @@ ...@@ -745,11 +759,11 @@
<title>Allow large attachments and many comments</title> <title>Allow large attachments and many comments</title>
<para>By default, MySQL will only allow you to insert things <para>By default, MySQL will only allow you to insert things
into the database that are smaller than 64KB. Attachments into the database that are smaller than 1MB. Attachments
may be larger than this. Also, Bugzilla combines all comments may be larger than this. Also, Bugzilla combines all comments
on a single bug into one field for full-text searching, and the on a single bug into one field for full-text searching, and the
combination of all comments on a single bug are very likely to combination of all comments on a single bug could in some cases
be larger than 64KB.</para> be larger than 1MB.</para>
<para>To change MySQL's default, you need to edit your MySQL <para>To change MySQL's default, you need to edit your MySQL
configuration file, which is usually <filename>/etc/my.cnf</filename> configuration file, which is usually <filename>/etc/my.cnf</filename>
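Review bot: the 64KB to 1MB correction in this paragraph is unrelated to the mysql_secure_installation change named in the commit message, so it should either be mentioned there or land as its own commit. Since the documented default changed between revisions, it would also help to say which MySQL versions the 1MB limit applies to, so admins on older servers are not misled.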
......
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
<!-- $Id: security.xml,v 1.19 2008/05/21 00:01:04 lpsolit%gmail.com Exp $ --> <!-- $Id: security.xml,v 1.20 2009/08/18 11:01:18 lpsolit%gmail.com Exp $ -->
<chapter id="security"> <chapter id="security">
<title>Bugzilla Security</title> <title>Bugzilla Security</title>
...@@ -80,96 +80,7 @@ ...@@ -80,96 +80,7 @@
</section> </section>
</section> </section>
<section id="security-mysql">
<title>MySQL</title>
<section id="security-mysql-account">
<title>The MySQL System Account</title>
<para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
daemon should run as a non-privileged, unique user. Be sure to consult
the MySQL documentation or the documentation that came with your system
for instructions.
</para>
</section>
<section id="security-mysql-root">
<title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
<para>By default, MySQL comes with a <quote>root</quote> user with a
blank password and an <quote>anonymous</quote> user, also with a blank
password. In order to protect your data, the <quote>root</quote> user
should be given a password and the anonymous user should be disabled.
</para>
<example id="security-mysql-account-root">
<title>Assigning the MySQL <quote>root</quote> User a Password</title>
<screen>
<prompt>bash$</prompt> mysql mysql
<prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
</screen>
</example>
<example id="security-mysql-account-anonymous">
<title>Disabling the MySQL <quote>anonymous</quote> User</title>
<screen>
<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/>
<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
<prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
</screen>
<calloutlist>
<callout arearefs="security-mysql-account-anonymous-mysql">
<para>This command assumes that you have already completed
<xref linkend="security-mysql-account-root"/>.
</para>
</callout>
</calloutlist>
</example>
</section>
<section id="security-mysql-network">
<title>Network Access</title>
<para>If MySQL and your web server both run on the same machine and you
have no other reason to access MySQL remotely, then you should disable
the network access. This, along with the suggestion in
<xref linkend="security-os-ports"/>, will help protect your system from
any remote vulnerabilities in MySQL.
</para>
<example id="security-mysql-network-ex">
<title>Disabling Networking in MySQL</title>
<para>Simply enter the following in <filename>/etc/my.cnf</filename>:
<screen>
[mysqld]
# Prevent network access to MySQL.
skip-networking
</screen>
</para>
</example>
</section>
<!-- For possible addition in the future: How to better control the bugs user
<section id="security-mysql-bugs">
<title>The bugs User</title>
</section>
-->
</section>
<section id="security-webserver"> <section id="security-webserver">
<title>Web server</title> <title>Web server</title>
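Review bot: deleting the whole security-mysql section removes the ids security-mysql, security-mysql-account, security-mysql-root, security-mysql-network and the example ids under them, so any remaining <xref linkend="..."/> to one of these will break the DocBook build. This patch updates two references to security-mysql; please confirm no others remain in the docs tree. The removed security-mysql-account paragraph (run the MySQL daemon as a non-privileged, unique user) also has no replacement in the new caution in installation.xml, so that advice is lost unless it is carried over or the reader is pointed at security-os-accounts.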
......