<HTML
><HEAD
><TITLE
>Bugzilla Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="The Bugzilla Guide - 2.17.4 Development Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Administering Bugzilla"
HREF="administration.html"><LINK
REL="PREVIOUS"
TITLE="Groups and Group Security"
HREF="groups.html"><LINK
REL="NEXT"
TITLE="Template Customization"
HREF="cust-templates.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Bugzilla Guide - 2.17.4 Development Release</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="groups.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Administering Bugzilla</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="cust-templates.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="security"
></A
>5.6. Bugzilla Security</H1
><DIV
CLASS="warning"
><P
></P
><TABLE
CLASS="warning"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Poorly-configured MySQL and Bugzilla installations have
given attackers full access to systems in the past. Please take these
guidelines seriously, even for Bugzilla machines hidden away behind
your firewall. 80% of all computer trespassers are insiders, not
anonymous crackers.</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>These instructions must, of necessity, be somewhat vague since
Bugzilla runs on so many different platforms. If you have refinements
of these directions, please submit a bug to <A
HREF="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation"
TARGET="_top"
>Bugzilla Documentation</A
>.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="warning"
><P
></P
><TABLE
CLASS="warning"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>This is not meant to be a comprehensive list of every possible
security issue regarding the tools mentioned in this section. There is
no subsitute for reading the information written by the authors of any
software running on your system.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-networking"
></A
>5.6.1. TCP/IP Ports</H2
><P
>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
only needs 1... 2 if you need to use features that require e-mail such
as bug moving or the e-mail interface from contrib. You should audit
your server and make sure that you aren't listening on any ports you
don't need to be. You may also wish to use some kind of firewall
software to be sure that trafic can only be recieved on ports you
specify.
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-mysql"
></A
>5.6.2. MySQL</H2
><P
>MySQL ships by default with many settings that should be changed.
By defaults it allows anybody to connect from localhost without a
password and have full administrative capabilities. It also defaults to
not have a root password (this is <EM
>not</EM
> the same as
the system root). Also, many installations default to running
<SPAN
CLASS="application"
>mysqld</SPAN
> as the system root.
</P
><P
></P
><OL
TYPE="1"
><LI
><P
>Consult the documentation that came with your system for
information on making <SPAN
CLASS="application"
>mysqld</SPAN
> run as an
unprivleged user.
</P
></LI
><LI
><P
>You should also be sure to disable the anonymous user account
and set a password for the root user. This is accomplished using the
following commands:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> <TT
CLASS="prompt"
>bash$</TT
> mysql mysql
<TT
CLASS="prompt"
>mysql></TT
> DELETE FROM user WHERE user = '';
<TT
CLASS="prompt"
>mysql></TT
> UPDATE user SET password = password('<TT
CLASS="replaceable"
><I
>new_password</I
></TT
>') WHERE user = 'root';
<TT
CLASS="prompt"
>mysql></TT
> FLUSH PRIVILEGES;
</PRE
></FONT
></TD
></TR
></TABLE
><P
>From this point forward you will need to use
<B
CLASS="command"
>mysql -u root -p</B
> and enter
<TT
CLASS="replaceable"
><I
>new_password</I
></TT
> when prompted when using the
mysql client.
</P
></LI
><LI
><P
>If you run MySQL on the same machine as your httpd server, you
should consider disabling networking from within MySQL by adding
the following to your <TT
CLASS="filename"
>/etc/my.conf</TT
>:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> [myslqd]
# Prevent network access to MySQL.
skip-networking
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>You may also consider running MySQL, or even all of Bugzilla
in a chroot jail; however, instructions for doing that are beyond
the scope of this document.
</P
></LI
></OL
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-daemon"
></A
>5.6.3. Daemon Accounts</H2
><P
>Many daemons, such as Apache's httpd and MySQL's mysqld default to
running as either <SPAN
CLASS="QUOTE"
>"root"</SPAN
> or <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
>. Running
as <SPAN
CLASS="QUOTE"
>"root"</SPAN
> introduces obvious security problems, but the
problems introduced by running everything as <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
> may
not be so obvious. Basically, if you're running every daemon as
<SPAN
CLASS="QUOTE"
>"nobody"</SPAN
> and one of them gets comprimised, they all get
comprimised. For this reason it is recommended that you create a user
account for each daemon.
</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>You will need to set the <TT
CLASS="varname"
>webservergroup</TT
> to
the group you created for your webserver to run as in
<TT
CLASS="filename"
>localconfig</TT
>. This will allow
<B
CLASS="command"
>./checksetup.pl</B
> to better adjust the file
permissions on your Bugzilla install so as to not require making
anything world-writable.
</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-access"
></A
>5.6.4. Web Server Access Controls</H2
><P
>There are many files that are placed in the Bugzilla directory
area that should not be accessable from the web. Because of the way
Bugzilla is currently layed out, the list of what should and should
not be accessible is rather complicated. A new installation method
is currently in the works which should solve this by allowing files
that shouldn't be accessible from the web to be placed in directory
outside the webroot. See
<A
HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659"
TARGET="_top"
>bug
44659</A
> for more information.
</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>In the main Bugzilla directory, you should:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block:
<TT
CLASS="filename"
>*.pl</TT
>, <TT
CLASS="filename"
>*localconfig*</TT
>, <TT
CLASS="filename"
>runtests.sh</TT
>
</P
></LI
><LI
><P
>But allow:
<TT
CLASS="filename"
>localconfig.js</TT
>, <TT
CLASS="filename"
>localconfig.rdf</TT
>
</P
></LI
></UL
></LI
><LI
><P
>In <TT
CLASS="filename"
>data</TT
>:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
><LI
><P
>But allow:
<TT
CLASS="filename"
>duplicates.rdf</TT
>
</P
></LI
></UL
></LI
><LI
><P
>In <TT
CLASS="filename"
>data/webdot</TT
>:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>If you use a remote webdot server:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
><LI
><P
>But allow
<TT
CLASS="filename"
>*.dot</TT
>
only for the remote webdot server</P
></LI
></UL
></LI
><LI
><P
>Otherwise, if you use a local GraphViz:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
><LI
><P
>But allow:
<TT
CLASS="filename"
>*.png</TT
>, <TT
CLASS="filename"
>*.gif</TT
>, <TT
CLASS="filename"
>*.jpg</TT
>, <TT
CLASS="filename"
>*.map</TT
>
</P
></LI
></UL
></LI
><LI
><P
>And if you don't use any dot:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
></UL
></LI
></UL
></LI
><LI
><P
>In <TT
CLASS="filename"
>Bugzilla</TT
>:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
></UL
></LI
><LI
><P
>In <TT
CLASS="filename"
>template</TT
>:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Block everything</P
></LI
></UL
></LI
></UL
><DIV
CLASS="tip"
><P
></P
><TABLE
CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/tip.gif"
HSPACE="5"
ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Bugzilla ships with the ability to generate
<TT
CLASS="filename"
>.htaccess</TT
> files instructing
<A
HREF="glossary.html#gloss-apache"
><I
CLASS="glossterm"
>Apache</I
></A
> which files
should and should not be accessible. For more information, see
<A
HREF="http.html#http-apache"
>Section 4.4.1</A
>.
</P
></TD
></TR
></TABLE
></DIV
><P
>You should test to make sure that the files mentioned above are
not accessible from the Internet, especially your
<TT
CLASS="filename"
>localconfig</TT
> file which contains your database
password. To test, simply point your web browser at the file; for
example, to test mozilla.org's installation, we'd try to access
<A
HREF="http://bugzilla.mozilla.org/localconfig"
TARGET="_top"
>http://bugzilla.mozilla.org/localconfig</A
>. You should
get a <SPAN
CLASS="errorcode"
>403</SPAN
> <SPAN
CLASS="errorname"
>Forbidden</SPAN
>
error.
</P
><DIV
CLASS="caution"
><P
></P
><TABLE
CLASS="caution"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/caution.gif"
HSPACE="5"
ALT="Caution"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Not following the instructions in this section, including
testing, may result in sensitive information being globally
accessible.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="tip"
><P
></P
><TABLE
CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/tip.gif"
HSPACE="5"
ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>You should check <A
HREF="http.html"
>Section 4.4</A
> to see if instructions
have been included for your web server. You should also compare those
instructions with this list to make sure everything is properly
accounted for.
</P
></TD
></TR
></TABLE
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="groups.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="cust-templates.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Groups and Group Security</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="administration.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Template Customization</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>