Skip to content

bugzilla
bugzilla
Commit 57aa101c authored by jake%bugzilla.org's avatar jake%bugzilla.org
Browse files
Options

Reinstate the seperate security section as a chapter.

parent 5f90e90f
Show whitespace changes
Inline Side-by-side
Showing with 364 additions and 419 deletions
docs/en/xml/Bugzilla-Guide.xml
View file @ 57aa101c
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" [
<!-- Include macros -->
<!ENTITY about SYSTEM "about.sgml">
<!ENTITY conventions SYSTEM "conventions.sgml">
<!ENTITY doc-index SYSTEM "index.sgml">
<!ENTITY faq SYSTEM "faq.sgml">
<!ENTITY gfdl SYSTEM "gfdl.sgml">
<!ENTITY glossary SYSTEM "glossary.sgml">
<!ENTITY installation SYSTEM "installation.sgml">
<!ENTITY administration SYSTEM "administration.sgml">
<!ENTITY using SYSTEM "using.sgml">
<!ENTITY integration SYSTEM "integration.sgml">
<!ENTITY future SYSTEM "future.sgml">
<!ENTITY index SYSTEM "index.sgml">
<!ENTITY database SYSTEM "database.sgml">
<!ENTITY patches SYSTEM "patches.sgml">
<!ENTITY variants SYSTEM "variants.sgml">
<!ENTITY requiredsoftware SYSTEM "requiredsoftware.sgml">
<!ENTITY revhistory SYSTEM "revhistory.sgml">
<!ENTITY about SYSTEM "about.xml">
<!ENTITY conventions SYSTEM "conventions.xml">
<!ENTITY doc-index SYSTEM "index.xml">
<!ENTITY faq SYSTEM "faq.xml">
<!ENTITY gfdl SYSTEM "gfdl.xml">
<!ENTITY glossary SYSTEM "glossary.xml">
<!ENTITY installation SYSTEM "installation.xml">
<!ENTITY administration SYSTEM "administration.xml">
<!ENTITY security SYSTEM "security.xml">
<!ENTITY using SYSTEM "using.xml">
<!ENTITY integration SYSTEM "integration.xml">
<!ENTITY index SYSTEM "index.xml">
<!ENTITY customization SYSTEM "customization.xml">
<!ENTITY patches SYSTEM "patches.xml">
<!ENTITY introduction SYSTEM "introduction.xml">
<!ENTITY modules SYSTEM "modules.xml">
<!-- Things to change for a stable release:
* bz-ver to current stable
* bz-nexver to next stable
* bz-date to the release date
* bz-devel to "IGNORE"
- COMPILE DOCS AND CHECKIN -
Also, tag and tarball before completing
* bz-ver to devel version
* bz-devel to "INCLUDE"
For a devel release, simple bump bz-ver and bz-date
-->
<!ENTITY bz-ver "2.19.1">
<!ENTITY bz-nextver "2.20">
<!ENTITY bz-date "2004-10-24">
<!ENTITY % bz-devel "INCLUDE">
<!ENTITY current-year "2004">
<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/">
<!ENTITY bz "http://www.bugzilla.org/">
<!ENTITY bz-ver "2.16">
<!ENTITY bz-cvs-ver "2.17">
<!ENTITY bzg-date "April 2nd, 2002">
<!ENTITY bzg-ver "2.16">
<!ENTITY bzg-cvs-ver "2.17.0">
<!ENTITY bzg-auth "The Bugzilla Team">
<!ENTITY bzg-bugs "<ulink url='http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&amp;component=Documentation'>Bugzilla</ulink>">
<!ENTITY bzg-bugs "<ulink url='http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&amp;component=Documentation'>Bugzilla Documentation</ulink>">
<!ENTITY mysql "http://www.mysql.com/">
<!ENTITY perl-ver "5.6.1">
<!ENTITY newest-perl-ver "5.8.3">
<!-- For minimum versions -->
<!ENTITY min-mysql-ver "3.23.41">
<!ENTITY min-perl-ver "5.6.0">
<!ENTITY min-perl-ver-win "5.8.1">
<!ENTITY min-template-ver "2.08">
<!ENTITY min-file-temp-ver "any">
<!ENTITY min-appconfig-ver "1.52">
<!ENTITY min-text-wrap-ver "2001.0131">
<!ENTITY min-file-spec-ver "0.82">
<!ENTITY min-data-dumper-ver "any">
<!ENTITY min-dbd-mysql-ver "2.1010">
<!ENTITY min-dbi-ver "1.36">
<!ENTITY min-date-format-ver "2.21">
<!ENTITY min-cgi-ver "2.93">
<!-- Optional modules -->
<!ENTITY min-gd-ver "1.20">
<!ENTITY min-gd-graph-ver "any">
<!ENTITY min-gd-text-align-ver "any">
<!ENTITY min-chart-base-ver "1.0">
<!ENTITY min-xml-parser-ver "any">
<!ENTITY min-mime-parser-ver "any">
<!ENTITY min-patchreader-ver "0.9.4">
]>
<!-- Coding standards for this document
* Other than the GFDL, please use the "section" tag instead of "sect1", "sect2", etc.
* Use Entities to include files for new chapters in Bugzilla-Guide.sgml.
* Other than the GFDL, please use the "section" tag instead of "sect1",
"sect2", etc.
* Use Entities to include files for new chapters in Bugzilla-Guide.xml.
* Try to use Entities for frequently-used passages of text as well.
* Ensure all documents compile cleanly to HTML after modification.
The warning, "DTDDECL catalog types not supported" is normal.
The warning, "DTDDECL catalog types not supported" is normal.
* Try to index important terms wherever possible.
* Use "glossterm" whenever you introduce a new term.
* Follow coding standards at http://www.linuxdoc.org, and
check out the KDE guidelines (they are nice, too)
http://i18n.kde.org/doc/markup.html
* All tags should be lowercase (needsfix)
* Follow coding standards at http://www.tldp.org, and
check out the KDE guidelines (they are nice, too)
http://i18n.kde.org/doc/markup.html
* All tags should be lowercase.
* Please use sensible spacing. The comments at the very end of each
file define reasonable defaults for PSGML mode in EMACS.
Double-indent tags, use double spacing whenever possible, and
try to avoid clutter and feel free to waste space in the code to make it more readable.
file define reasonable defaults for PSGML mode in EMACS.
* Double-indent tags, use double spacing whenever possible, and
try to avoid clutter and feel free to waste space in the code to make it
more readable.
-->
......@@ -58,35 +96,31 @@ try to avoid clutter and feel free to waste space in the code to make it more re
<!-- Header -->
<bookinfo>
<title>The Bugzilla Guide</title>
<title>The Bugzilla Guide - &bz-ver;
<![%bz-devel;[Development ]]>Release</title>
<authorgroup>
<author>
<firstname>Matthew</firstname>
<othername>P.</othername>
<surname>Barnson</surname>
<affiliation>
<address><email>mbarnson@sisna.com</email></address>
</affiliation>
</author>
<corpauthor>The Bugzilla Team</corpauthor>
</authorgroup>
<pubdate>&bz-date;</pubdate>
<abstract>
<para>
This is the documentation for Bugzilla, the mozilla.org
bug-tracking system.
This is the documentation for Bugzilla, a
bug-tracking system from mozilla.org.
Bugzilla is an enterprise-class piece of software
that powers issue-tracking for hundreds of
organizations around the world, tracking millions of bugs.
that tracks millions of bugs and issues for hundreds of
organizations around the world.
</para>
<para>
This documentation is maintained in DocBook 4.1.2 XML format.
Changes are best submitted as plain text or SGML diffs, attached
to a Bugzilla bug.
The most current version of this document can always be found on the
<ulink url="http://www.bugzilla.org/documentation.html">Bugzilla
Documentation Page</ulink>.
</para>
</abstract>
</abstract>
<keywordset>
<keyword>Bugzilla</keyword>
......@@ -104,34 +138,31 @@ try to avoid clutter and feel free to waste space in the code to make it more re
<!-- About This Guide -->
&about;
<!-- Using Bugzilla -->
&using;
<!-- Installing Bugzilla -->
&installation;
<!-- Administering Bugzilla -->
&administration;
<!-- Integrating Bugzilla with Third-Party Tools -->
&integration;
<!-- Securing Bugzilla -->
&security;
<!-- Major Bugzilla Variants -->
&variants;
<!-- Customizing Bugzilla -->
&customization;
<!-- Using Bugzilla -->
&using;
<!-- Appendix: The Frequently Asked Questions -->
&faq;
<!-- Appendix: Required Bugzilla Software Links -->
&requiredsoftware;
<!-- Appendix: The Database Schema -->
&database;
<!-- Appendix: Custom Patches -->
&patches;
<!-- Appendix: The GNU Free Documentation License -->
<!-- Appendix: Manually Installing Perl Modules -->
&modules;
<!-- Appendix: GNU Free Documentation License -->
&gfdl;
<!-- Glossary -->
......@@ -158,7 +189,7 @@ sgml-local-ecat-files:nil
sgml-minimize-attributes:nil
sgml-namecase-general:t
sgml-omittag:t
sgml-parent-document:("Bugzilla-Guide.sgml" "book" "chapter")
sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
sgml-shorttag:t
sgml-tag-region-if-active:t
End:
......
docs/en/xml/glossary.xml
View file @ 57aa101c
......@@ -3,7 +3,7 @@
<glossdiv>
<title>0-9, high ascii</title>
<glossentry>
<glossentry id="gloss-htaccess">
<glossterm>.htaccess</glossterm>
<glossdef>
......@@ -15,10 +15,7 @@
to keep secret files which would otherwise
compromise your installation - e.g. the
<filename>localconfig</filename>
file contains the password to your database. If this information were
generally available, and remote access to your database turned on,
you risk corruption of your database by computer criminals or the
file contains the password to your database.
curious.</para>
</glossdef>
</glossentry>
......@@ -27,23 +24,66 @@
<glossdiv id="gloss-a">
<title>A</title>
<glossentry>
<glossentry id="gloss-apache">
<glossterm>Apache</glossterm>
<glossdef>
<para>In this context, Apache is the web server most commonly used
for serving up
<glossterm>Bugzilla</glossterm>
for serving up Bugzilla
pages. Contrary to popular belief, the apache web server has nothing
to do with the ancient and noble Native American tribe, but instead
derived its name from the fact that it was
<quote>a patchy</quote>
version of the original
<acronym>NCSA</acronym>
world-wide-web server.</para>
<variablelist>
<title>Useful Directives when configuring Bugzilla</title>
<varlistentry>
<term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#addhandler">AddHandler</ulink></computeroutput></term>
<listitem>
<para>Tell Apache that it's OK to run CGI scripts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#allowoverride">AllowOverride</ulink></computeroutput></term>
<term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#options">Options</ulink></computeroutput></term>
<listitem>
<para>These directives are used to tell Apache many things about
the directory they apply to. For Bugzilla's purposes, we need
them to allow script execution and <filename>.htaccess</filename>
overrides.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/mod_dir.html#directoryindex">DirectoryIndex</ulink></computeroutput></term>
<listitem>
<para>Used to tell Apache what files are indexes. If you can
not add <filename>index.cgi</filename> to the list of valid files,
you'll need to set <computeroutput>$index_html</computeroutput> to
1 in <filename>localconfig</filename> so
<command>./checksetup.pl</command> will create an
<filename>index.html</filename> that redirects to
<filename>index.cgi</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#scriptinterpretersource">ScriptInterpreterSource</ulink></computeroutput></term>
<listitem>
<para>Used when running Apache on windows so the shebang line
doesn't have to be changed in every Bugzilla script.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>For more information about how to configure Apache for Bugzilla,
see <xref linkend="http-apache"/>.
</para>
</glossdef>
</glossentry>
</glossdiv>
......@@ -56,7 +96,7 @@
<glossdef>
<para>A
<quote>Bug</quote>
<quote>bug</quote>
in Bugzilla refers to an issue entered into the database which has an
associated number, assignments, comments, etc. Some also refer to a
......@@ -71,40 +111,36 @@
<glossterm>Bug Number</glossterm>
<glossdef>
<para>Each Bugzilla Bug is assigned a number that uniquely identifies
that Bug. The Bug associated with a Bug Number can be pulled up via a
<para>Each Bugzilla bug is assigned a number that uniquely identifies
that bug. The bug associated with a bug number can be pulled up via a
query, or easily from the very front page by typing the number in the
"Find" box.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Bug Life Cycle</glossterm>
<glossentry id="gloss-bugzilla">
<glossterm>Bugzilla</glossterm>
<glossdef>
<para>A Bug has stages through which it must pass before becoming a
<quote>closed bug</quote>,
including acceptance, resolution, and verification. The
<quote>Bug Life Cycle</quote>
is moderately flexible according to the needs of the organization
using it, though.</para>
<para>Bugzilla is the world-leading free software bug tracking system.
</para>
</glossdef>
</glossentry>
</glossdiv>
<glossentry>
<glossterm>Bugzilla</glossterm>
<glossdiv id="gloss-c">
<title>C</title>
<glossentry id="gloss-cgi">
<glossterm>Common Gateway Interface</glossterm>
<acronym>CGI</acronym>
<glossdef>
<para>Bugzilla is the industry-standard bug tracking system. It is
quite popular among Open Source enthusiasts.</para>
<para><acronym>CGI</acronym> is an acronym for Common Gateway Interface. This is
a standard for interfacing an external application with a web server. Bugzilla
is an example of a <acronym>CGI</acronym> application.
</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv id="gloss-c">
<title>
</title>
<glossentry id="gloss-component">
<glossterm>Component</glossterm>
......@@ -118,23 +154,40 @@
</glossentry>
<glossentry id="gloss-cpan">
<glossterm>
<glossterm>Comprehensive Perl Archive Network</glossterm>
<acronym>CPAN</acronym>
</glossterm>
<!-- TODO: Rewrite def for CPAN -->
<glossdef>
<para>
<acronym>CPAN</acronym>
stands for the
<quote>Comprehensive Perl Archive Network</quote>
. CPAN maintains a large number of extremely useful
<quote>Comprehensive Perl Archive Network</quote>.
CPAN maintains a large number of extremely useful
<glossterm>Perl</glossterm>
modules - encapsulated chunks of code for performing a
particular task.</para>
</glossdef>
</glossentry>
<glossentry id="gloss-contrib">
<glossterm><filename class="directory">contrib</filename></glossterm>
modules. By themselves, Perl modules generally do nothing, but when
used as part of a larger program, they provide much-needed algorithms
and functionality.</para>
<glossdef>
<para>The <filename class="directory">contrib</filename> directory is
a location to put scripts that have been contributed to Bugzilla but
are not a part of the official distribution. These scripts are written
by third parties and may be in languages other than perl. For those
that are in perl, there may be additional modules or other requirements
than those of the offical distribution.
<note>
<para>Scripts in the <filename class="directory">contrib</filename>
directory are not offically supported by the Bugzilla team and may
break in between versions.
</para>
</note>
</para>
</glossdef>
</glossentry>
</glossdiv>
......@@ -142,7 +195,7 @@
<glossdiv id="gloss-d">
<title>D</title>
<glossentry>
<glossentry id="gloss-daemon">
<glossterm>daemon</glossterm>
<glossdef>
......@@ -155,13 +208,29 @@
a web server, are generally run as daemons.</para>
</glossdef>
</glossentry>
<glossentry id="gloss-dos">
<glossterm>DOS Attack</glossterm>
<glossdef>
<para>A DOS, or Denial of Service attack, is when a user attempts to
deny access to a web server by repeatadly accessing a page or sending
malformed requests to a webserver. This can be effectively prevented
by using <filename>mod_throttle</filename> as described in
<xref linkend="security-webserver-mod-throttle"/>. A D-DOS, or
Distributed Denial of Service attack, is when these requests come
from multiple sources at the same time. Unfortunately, these are much
more difficult to defend against.
</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv id="gloss-g">
<title>
</title>
<title>G</title>
<glossentry>
<glossentry id="gloss-groups">
<glossterm>Groups</glossterm>
<glossdef>
......@@ -169,29 +238,24 @@
<quote>Groups</quote>
has a very special meaning to Bugzilla. Bugzilla's main security
mechanism comes by lumping users into groups, and assigning those
groups certain privileges to
mechanism comes by placing users in groups, and assigning those
groups certain privileges to view bugs in particular
<glossterm>Products</glossterm>
and
<glossterm>Components</glossterm>
in the
<glossterm>Bugzilla</glossterm>
database.</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv id="gloss-i">
<title>I</title>
<glossentry id="gloss-infiniteloop">
<glossterm>Infinite Loop</glossterm>
<glossdiv id="gloss-j">
<title>J</title>
<glossentry id="gloss-javascript">
<glossterm>JavaScript</glossterm>
<glossdef>
<para>A loop of information that never ends; see recursion.</para>
<para>JavaScript is cool, we should talk about it.
</para>
</glossdef>
</glossentry>
</glossdiv>
......@@ -199,17 +263,56 @@
<glossdiv id="gloss-m">
<title>M</title>
<glossentry>
<glossterm>mysqld</glossterm>
<glossentry id="gloss-mta">
<glossterm>Message Transport Agent</glossterm>
<acronym>MTA</acronym>
<glossdef>
<para>mysqld is the name of the
<glossterm>daemon</glossterm>
<para>A Message Transport Agent is used to control the flow of email
on a system. Many unix based systems use
<ulink url="http://www.sendmail.org">sendmail</ulink> which is what
Bugzilla expects to find by default at <filename>/usr/sbin/sendmail</filename>.
Many other MTA's will work, but they all require that the
<option>sendmailnow</option> param be set to <literal>on</literal>.
</para>
</glossdef>
</glossentry>
<glossentry id="gloss-mysql">
<glossterm>MySQL</glossterm>
for the MySQL database. In general, it is invoked automatically
through the use of the System V init scripts on GNU/Linux and
AT&amp;T System V-based systems, such as Solaris and HP/UX, or
through the RC scripts on BSD-based systems.</para>
<glossdef>
<para>MySQL is currently the required
<glossterm linkend="gloss-rdbms">RDBMS</glossterm> for Bugzilla. MySQL
can be downloaded from <ulink url="http://www.mysql.com"/>. While you
should familiarize yourself with all of the documentation, some high
points are:
</para>
<variablelist>
<varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Backup.html">Backup</ulink></term>
<listitem>
<para>Methods for backing up your Bugzilla database.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Option_files.html">Option Files</ulink></term>
<listitem>
<para>Information about how to configure MySQL using
<filename>my.cnf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term>
<listitem>
<para>Much more detailed information about the suggestions in
<xref linkend="security-mysql"/>.
</para>
</listitem>
</varlistentry>
</variablelist>
</glossdef>
</glossentry>
</glossdiv>
......@@ -217,14 +320,25 @@
<glossdiv id="gloss-p">
<title>P</title>
<glossentry id="gloss-ppm">
<glossterm>Perl Package Manager</glossterm>
<acronym>PPM</acronym>
<glossdef>
<para><ulink url="http://aspn.activestate.com/ASPN/Downloads/ActivePerl/PPM/"/>
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm id="gloss-product">Product</glossterm>
<glossdef>
<para>A Product is a broad category of types of bugs. In general,
there are several Components to a Product. A Product may also define a
<para>A Product is a broad category of types of bugs, normally
representing a single piece of software or entity. In general,
there are several Components to a Product. A Product may define a
group (used for security) for all bugs entered into
components beneath it.</para>
its Components.</para>
</glossdef>
</glossentry>
......@@ -262,7 +376,7 @@
bugs over their life cycle, thus the need for the
<quote>QA Contact</quote>
field in a Bug.</para>
field in a bug.</para>
</glossdef>
</glossentry>
</glossdiv>
......@@ -270,16 +384,25 @@
<glossdiv id="gloss-r">
<title>R</title>
<glossentry id="gloss-recursion" xreflabel="Recursion">
<glossterm>Recursion</glossterm>
<glossentry id="gloss-rdbms">
<glossterm>Relational DataBase Managment System</glossterm>
<acronym>RDBMS</acronym>
<glossdef>
<para>The property of a function looking back at itself for
something.
<quote>GNU</quote>, for instance, stands for
<quote>GNU's Not UNIX</quote>,
thus recursing upon itself for definition. For further clarity, see
Infinite Loop.</para>
<para>A relational database management system is a database system
that stores information in tables that are related to each other.
</para>
</glossdef>
</glossentry>
<glossentry id="gloss-regexp">
<glossterm>Regular Expression</glossterm>
<acronym>regexp</acronym>
<glossdef>
<para>A regular expression is an expression used for pattern matching.
<ulink url="http://perldoc.com/perl5.6/pod/perlre.html#Regular-Expressions">Documentation</ulink>
</para>
</glossdef>
</glossentry>
</glossdiv>
......@@ -287,6 +410,19 @@
<glossdiv id="gloss-s">
<title>S</title>
<glossentry id="gloss-service">
<glossterm>Service</glossterm>
<glossdef>
<para>In Windows NT environment, a boot-time background application
is refered to as a service. These are generally managed through the
control pannel while logged in as an account with
<quote>Administrator</quote> level capabilities. For more
information, consult your Windows manual or the MSKB.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>
<acronym>SGML</acronym>
......@@ -344,18 +480,51 @@
fixed, or an enhancement will be implemented.</para>
</glossdef>
</glossentry>
<glossentry id="gloss-tcl">
<glossterm>Tool Command Language</glossterm>
<acronym>TCL</acronym>
<glossdef>
<para>TCL is an open source scripting language available for Windows,
Macintosh, and Unix based systems. Bugzilla 1.0 was written in TCL but
never released. The first release of Bugzilla was 2.0, which was when
it was ported to perl.
</para>
</glossdef>
</glossentry>
</glossdiv>
<glossdiv id="gloss-z">
<title>Z</title>
<glossentry id="zarro-boogs-found" xreflabel="Zarro Boogs Found">
<glossentry id="gloss-zarro">
<glossterm>Zarro Boogs Found</glossterm>
<glossdef>
<para>This is the cryptic response sent by Bugzilla when a query
returned no results. It is just a goofy way of saying "Zero Bugs
Found".</para>
<para>This is just a goofy way of saying that there were no bugs
found matching your query. When asked to explain this message,
Terry had the following to say:
</para>
<blockquote>
<attribution>Terry Weissman</attribution>
<para>I've been asked to explain this ... way back when, when
Netscape released version 4.0 of its browser, we had a release
party. Naturally, there had been a big push to try and fix every
known bug before the release. Naturally, that hadn't actually
happened. (This is not unique to Netscape or to 4.0; the same thing
has happened with every software project I've ever seen.) Anyway,
at the release party, T-shirts were handed out that said something
like "Netscape 4.0: Zarro Boogs". Just like the software, the
T-shirt had no known bugs. Uh-huh.
</para>
<para>So, when you query for a list of bugs, and it gets no results,
you can think of this as a friendly reminder. Of *course* there are
bugs matching your query, they just aren't in the bugsystem yet...
</para>
</blockquote>
</glossdef>
</glossentry>
</glossdiv>
......@@ -376,9 +545,8 @@ sgml-local-ecat-files:nil
sgml-minimize-attributes:nil
sgml-namecase-general:t
sgml-omittag:t
sgml-parent-document:("Bugzilla-Guide.sgml" "book" "chapter")
sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
sgml-shorttag:t
sgml-tag-region-if-active:t
End:
-->
docs/en/xml/installation.xml
View file @ 57aa101c
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
<!-- $Id: installation.xml,v 1.81 2008/04/04 06:47:11 jocuri%softhome.net Exp $ -->
<!-- $Id: installation.xml,v 1.82 2008/04/04 06:47:12 jake%bugzilla.org Exp $ -->
<chapter id="installing-bugzilla">
<title>Installing Bugzilla</title>
......@@ -520,7 +520,8 @@
<para>Poorly-configured MySQL and Bugzilla installations have
given attackers full access to systems in the past. Please take the
security parts of these guidelines seriously, even for Bugzilla
machines hidden away behind your firewall.</para>
machines hidden away behind your firewall. Be certain to read
<xref linkend="security"/> for some important security tips.</para>
</warning>
<section id="localconfig">
......@@ -560,69 +561,12 @@
<section id="mysql">
<title>MySQL</title>
<section id="security-mysql">
<title>Security</title>
<para>MySQL ships as insecure by default.
It allows anybody to on the local machine full administrative
capabilities without requiring a password; the special
MySQL root account (note: this is <emphasis>not</emphasis> the same as
the system root) also has no password.
Also, many installations default to running
<application>mysqld</application> as the system root.
</para>
<orderedlist>
<listitem>
<para>To disable the anonymous user account
and set a password for the root user, execute the following. The
root user password should be different to the bugs user password
you set in
<filename>localconfig</filename> in the previous section,
and also different to
the password for the system root account on your machine.
</para>
<screen> <prompt>bash$</prompt> mysql mysql
<prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
<prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;</screen>
<para>From this point forward, to run the
<filename>mysql</filename> command-line client,
you will need to type
<command>mysql -u root -p</command> and enter
<replaceable>new_password</replaceable> when prompted.
</para>
</listitem>
<listitem>
<para>If you run MySQL on the same machine as your web server, you
should disable remote access to MySQL by adding
the following to your <filename>/etc/my.cnf</filename>:
</para>
<programlisting> [myslqd]
# Prevent network access to MySQL.
skip-networking</programlisting>
</listitem>
<listitem>
<para>Consult the documentation that came with your system for
information on making <application>mysqld</application> run as an
unprivileged user.
</para>
</listitem>
<listitem>
<para>For added security, you could also run MySQL, or even all
of Bugzilla
in a chroot jail; however, instructions for doing that are beyond
the scope of this document.
<caution>
<para>MySQL's default configuration is very insecure.
<xref linkend="security-mysql"/> has some good information for
improving your installation's security.
</para>
</listitem>
</orderedlist>
</section>
</caution>
<section id="install-setupdatabase">
<title>Allow large attachments</title>
......@@ -765,7 +709,10 @@
<section id="http">
<title>Web server</title>
<para>Configure your web server according to the instructions in the
appropriate section. The Bugzilla Team recommends Apache.
appropriate section. The Bugzilla Team recommends Apache. No matter
what webserver you choose, make sure that sensitive information is
not remotely available by ensuring that the access controls in
<xref linkend="security-webserver-access"/> are properly applied.
</para>
<section id="http-apache">
......@@ -825,7 +772,7 @@
<para>Also, and this can't be stressed enough, make sure that files such as
<filename>localconfig</filename> and your <filename class="directory">data</filename>
directory are secured as described in <xref linkend="security-access"/>.
directory are secured as described in <xref linkend="security-webserver-access"/>.
</para>
</section>
......@@ -893,137 +840,6 @@
</note>
</section>
<section id="security-access">
<title>Web Server Access Controls</title>
<para>Users of Apache can skip this section because
Bugzilla ships with <filename>.htaccess</filename> files which
restrict access in the manner required.
Users of other webservers, read on.
</para>
<para>There are several files in the Bugzilla directory
that should not be accessible from the web. You need to configure
your webserver so they they aren't. Not doing this may reveal
sensitive information such as database passwords.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>In the main Bugzilla directory, you should:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block:
<simplelist type="inline">
<member><filename>*.pl</filename></member>
<member><filename>*localconfig*</filename></member>
<member><filename>runtests.sh</filename></member>
</simplelist>
</para>
</listitem>
<listitem>
<para>But allow:
<simplelist type="inline">
<member><filename>localconfig.js</filename></member>
<member><filename>localconfig.rdf</filename></member>
</simplelist>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>In <filename class="directory">data</filename>:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
<listitem>
<para>But allow:
<simplelist type="inline">
<member><filename>duplicates.rdf</filename></member>
</simplelist>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>In <filename class="directory">data/webdot</filename>:</para>
<itemizedlist spacing="compact">
<listitem>
<para>If you use a remote webdot server:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
<listitem>
<para>But allow
<simplelist type="inline">
<member><filename>*.dot</filename></member>
</simplelist>
only for the remote webdot server</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Otherwise, if you use a local GraphViz:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
<listitem>
<para>But allow:
<simplelist type="inline">
<member><filename>*.png</filename></member>
<member><filename>*.gif</filename></member>
<member><filename>*.jpg</filename></member>
<member><filename>*.map</filename></member>
</simplelist>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>And if you don't use any dot:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>In <filename class="directory">Bugzilla</filename>:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>In <filename class="directory">template</filename>:</para>
<itemizedlist spacing="compact">
<listitem>
<para>Block everything</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<para>You should test to make sure that the files mentioned above are
not accessible from the Internet, especially your
<filename>localconfig</filename> file which contains your database
password. To test, simply point your web browser at the file; for
example, to test mozilla.org's installation, we'd try to access
<ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should
get a <errorcode>403</errorcode> <errorname>Forbidden</errorname>
error.
</para>
</section>
</section>
......@@ -1310,75 +1126,6 @@
</section>
<section id="content-type">
<title>Prevent users injecting malicious
Javascript</title>
<para>It is possible for a Bugzilla user to take advantage of character
set encoding ambiguities to inject HTML into Bugzilla comments. This
could include malicious scripts.
Due to internationalization concerns, we are unable to
incorporate by default the code changes suggested by
<ulink
url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">
the CERT advisory</ulink> on this issue.
If your installation is for an English speaking audience only, making the
change below will prevent this problem.
</para>
<para>Simply locate the following line in
<filename>Bugzilla/CGI.pm</filename>:
<programlisting>$self->charset('');</programlisting>
and change it to:
<programlisting>$self->charset('ISO-8859-1');</programlisting>
</para>
</section>
<section id="mod-throttle"
xreflabel="Using mod_throttle to prevent Denial of Service attacks">
<title>
<filename>mod_throttle</filename></title>
<para>It is possible for a user, by mistake or on purpose, to access
the database many times in a row which can result in very slow access
speeds for other users. If your Bugzilla installation is experiencing
this problem, you may install the Apache module
<filename>mod_throttle</filename>
which can limit connections by IP address. You may download this module
at
<ulink url="http://www.snert.com/Software/mod_throttle/"/>.
Follow the instructions to install into your Apache install.
<emphasis>This module only functions with the Apache web
server!</emphasis>
The command you need is
<command>ThrottleClientIP</command>. See the
<ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink>
for more information.</para>
</section>
<section id="security-networking">
<title>TCP/IP Ports</title>
<para>A single-box Bugzilla only requires port 80, plus port 25 if
you are using the optional email interface. You should firewall all
other ports and/or disable services listening on them.
</para>
</section>
<section id="security-daemon">
<title>Daemon Accounts</title>
<para>Many daemons, such as Apache's httpd and MySQL's mysqld default to
running as either <quote>root</quote> or <quote>nobody</quote>. Running
as <quote>root</quote> introduces obvious security problems, but the
problems introduced by running everything as <quote>nobody</quote> may
not be so obvious. Basically, if you're running every daemon as
<quote>nobody</quote> and one of them gets compromised, they all get
compromised. For this reason it is recommended that you create a user
account for each daemon.
</para>
</section>
<section id="apache-addtype">
<title>Serving Alternate Formats with the right MIME type</title>
......@@ -1532,7 +1279,7 @@ $smtp->quit;
<para>As is the case on Unix based systems, any web server should be
able to handle Bugzilla; however, the Bugzilla Team still recommends
Apache whenever asked. No matter what web server you choose, be sure
to pay attention to the security notes in <xref linkend="security-access"/>.
to pay attention to the security notes in <xref linkend="security-webserver-access"/>.
More information on configuring specific web servers can be found in
<xref linkend="http"/>.
</para>
......@@ -2205,4 +1952,3 @@ sgml-shorttag:t
sgml-tag-region-if-active:t
End:
-->
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment