754 lines
12 KiB
HTML
754 lines
12 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Bugzilla Security</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="The Bugzilla Guide - 2.16.3 Release"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Administering Bugzilla"
|
|
HREF="administration.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Groups and Group Security"
|
|
HREF="groups.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Template Customisation"
|
|
HREF="cust-templates.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>The Bugzilla Guide - 2.16.3 Release</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="groups.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 5. Administering Bugzilla</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="cust-templates.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="security"
|
|
></A
|
|
>5.6. Bugzilla Security</H1
|
|
><DIV
|
|
CLASS="warning"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="warning"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/warning.gif"
|
|
HSPACE="5"
|
|
ALT="Warning"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Poorly-configured MySQL and Bugzilla installations have
|
|
given attackers full access to systems in the past. Please take these
|
|
guidelines seriously, even for Bugzilla machines hidden away behind
|
|
your firewall. 80% of all computer trespassers are insiders, not
|
|
anonymous crackers.</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>These instructions must, of necessity, be somewhat vague since
|
|
Bugzilla runs on so many different platforms. If you have refinements
|
|
of these directions, please submit a bug to <A
|
|
HREF="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation"
|
|
TARGET="_top"
|
|
>Bugzilla</A
|
|
>.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="warning"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="warning"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/warning.gif"
|
|
HSPACE="5"
|
|
ALT="Warning"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>This is not meant to be a comprehensive list of every possible
|
|
security issue regarding the tools mentioned in this section. There is
|
|
no subsitute for reading the information written by the authors of any
|
|
software running on your system.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-networking"
|
|
></A
|
|
>5.6.1. TCP/IP Ports</H2
|
|
><P
|
|
>TCP/IP defines 65,000 some ports for trafic. Of those, Bugzilla
|
|
only needs 1... 2 if you need to use features that require e-mail such
|
|
as bug moving or the e-mail interface from contrib. You should audit
|
|
your server and make sure that you aren't listening on any ports you
|
|
don't need to be. You may also wish to use some kind of firewall
|
|
software to be sure that trafic can only be recieved on ports you
|
|
specify.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-mysql"
|
|
></A
|
|
>5.6.2. MySQL</H2
|
|
><P
|
|
>MySQL ships by default with many settings that should be changed.
|
|
By defaults it allows anybody to connect from localhost without a
|
|
password and have full administrative capabilities. It also defaults to
|
|
not have a root password (this is <EM
|
|
>not</EM
|
|
> the same as
|
|
the system root). Also, many installations default to running
|
|
<SPAN
|
|
CLASS="application"
|
|
>mysqld</SPAN
|
|
> as the system root.
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
>Make sure you are running at least version 3.22.32 of MySQL
|
|
as earlier versions had notable security holes.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Consult the documentation that came with your system for
|
|
information on making <SPAN
|
|
CLASS="application"
|
|
>mysqld</SPAN
|
|
> run as an
|
|
unprivleged user.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>You should also be sure to disable the anonymous user account
|
|
and set a password for the root user. This is accomplished using the
|
|
following commands:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
|
|
CLASS="prompt"
|
|
>bash$</TT
|
|
> mysql mysql
|
|
<TT
|
|
CLASS="prompt"
|
|
>mysql></TT
|
|
> DELETE FROM user WHERE user = '';
|
|
<TT
|
|
CLASS="prompt"
|
|
>mysql></TT
|
|
> UPDATE user SET password = password('<TT
|
|
CLASS="replaceable"
|
|
><I
|
|
>new_password</I
|
|
></TT
|
|
>') WHERE user = 'root';
|
|
<TT
|
|
CLASS="prompt"
|
|
>mysql></TT
|
|
> FLUSH PRIVILEGES;
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>From this point forward you will need to use
|
|
<B
|
|
CLASS="command"
|
|
>mysql -u root -p</B
|
|
> and enter
|
|
<TT
|
|
CLASS="replaceable"
|
|
><I
|
|
>new_password</I
|
|
></TT
|
|
> when prompted when using the
|
|
mysql client.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>If you run MySQL on the same machine as your httpd server, you
|
|
should consider disabling networking from within MySQL by adding
|
|
the following to your <TT
|
|
CLASS="filename"
|
|
>/etc/my.conf</TT
|
|
>:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> [myslqd]
|
|
# Prevent network access to MySQL.
|
|
skip-networking
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
>You may also consider running MySQL, or even all of Bugzilla
|
|
in a chroot jail; however, instructions for doing that are beyond
|
|
the scope of this document.
|
|
</P
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-daemon"
|
|
></A
|
|
>5.6.3. Daemon Accounts</H2
|
|
><P
|
|
>Many daemons, such as Apache's httpd and MySQL's mysqld default to
|
|
running as either <SPAN
|
|
CLASS="QUOTE"
|
|
>"root"</SPAN
|
|
> or <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
>. Running
|
|
as <SPAN
|
|
CLASS="QUOTE"
|
|
>"root"</SPAN
|
|
> introduces obvious security problems, but the
|
|
problems introduced by running everything as <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
> may
|
|
not be so obvious. Basically, if you're running every daemon as
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
> and one of them gets comprimised, they all get
|
|
comprimised. For this reason it is recommended that you create a user
|
|
account for each daemon.
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>You will need to set the <TT
|
|
CLASS="varname"
|
|
>webservergroup</TT
|
|
> to
|
|
the group you created for your webserver to run as in
|
|
<TT
|
|
CLASS="filename"
|
|
>localconfig</TT
|
|
>. This will allow
|
|
<B
|
|
CLASS="command"
|
|
>./checksetup.pl</B
|
|
> to better adjust the file
|
|
permissions on your Bugzilla install so as to not require making
|
|
anything world-writable.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-access"
|
|
></A
|
|
>5.6.4. Web Server Access Controls</H2
|
|
><P
|
|
>There are many files that are placed in the Bugzilla directory
|
|
area that should not be accessable from the web. Because of the way
|
|
Bugzilla is currently layed out, the list of what should and should
|
|
not be accessible is rather complicated. A new installation method
|
|
is currently in the works which should solve this by allowing files
|
|
that shouldn't be accessible from the web to be placed in directory
|
|
outside the webroot. See
|
|
<A
|
|
HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659"
|
|
TARGET="_top"
|
|
>bug
|
|
44659</A
|
|
> for more information.
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>In the main Bugzilla directory, you should:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block:
|
|
<TT
|
|
CLASS="filename"
|
|
>*.pl</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*localconfig*</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>runtests.sh</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>processmail</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>syncshadowdb</TT
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow:
|
|
<TT
|
|
CLASS="filename"
|
|
>localconfig.js</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>localconfig.rdf</TT
|
|
>
|
|
</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>data</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow:
|
|
<TT
|
|
CLASS="filename"
|
|
>duplicates.rdf</TT
|
|
>
|
|
</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>data/webdot</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>If you use a remote webdot server:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow
|
|
<TT
|
|
CLASS="filename"
|
|
>*.dot</TT
|
|
>
|
|
only for the remote webdot server</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Otherwise, if you use a local GraphViz:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow:
|
|
<TT
|
|
CLASS="filename"
|
|
>*.png</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.gif</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.jpg</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.map</TT
|
|
>
|
|
</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>And if you don't use any dot:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>Bugzilla</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>template</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
></UL
|
|
><DIV
|
|
CLASS="tip"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="tip"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/tip.gif"
|
|
HSPACE="5"
|
|
ALT="Tip"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Bugzilla ships with the ability to generate
|
|
<TT
|
|
CLASS="filename"
|
|
>.htaccess</TT
|
|
> files instructing Apache which files
|
|
should and should not be accessible.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>You should test to make sure that the files mentioned above are
|
|
not accessible from the Internet, especially your
|
|
<TT
|
|
CLASS="filename"
|
|
>localconfig</TT
|
|
> file which contains your database
|
|
password. To test, simply point your web browser at the file; for
|
|
example, to test mozilla.org's installation, we'd try to access
|
|
<A
|
|
HREF="http://bugzilla.mozilla.org/localconfig"
|
|
TARGET="_top"
|
|
>http://bugzilla.mozilla.org/localconfig</A
|
|
>. You should
|
|
get a <SPAN
|
|
CLASS="errorcode"
|
|
>403</SPAN
|
|
> <SPAN
|
|
CLASS="errorname"
|
|
>Forbidden</SPAN
|
|
>
|
|
error.
|
|
</P
|
|
><DIV
|
|
CLASS="caution"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="caution"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/caution.gif"
|
|
HSPACE="5"
|
|
ALT="Caution"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Not following the instructions in this section, including
|
|
testing, may result in sensitive information being globally
|
|
accessible.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="groups.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="cust-templates.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Groups and Group Security</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="administration.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Template Customisation</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |