Closed Bug 140355 Opened 23 years ago Closed 23 years ago

Warn the user about not using a web server group

Categories

(Bugzilla :: Bugzilla-General, defect)

2.15
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: myk, Assigned: bbaetz)

Details

Attachments

(1 file, 2 obsolete files)

Not using a web server group creates a number of security risks, including making directories and files world-writable. This mode of running Bugzilla is useful for testing but should not be used in the real world. We need to make that clearer to users with big warning signs.
Taking for 2.16
Assignee: justdave → bbaetz
Severity: minor → normal
Target Milestone: --- → Bugzilla 2.16
Attached patch v1 (obsolete) — Splinter Review
This includes a checksetup warning and a docs patch. I give up trying to regenerate the docs from this. I only added one paragraph, and it should be valid. It was taking over 15 minutes and spitting out strange errors: jade:/usr/share/sgml/docbook/dsssl-stylesheets-1.64/html/dbhtml.dsl:28:23:E: 1st argument for primitive "number->string" of wrong type: "#f" not a number and other obscure things.
Keywords: patch, review
Attachment #81261 - Flags: review-
Isn't the localconfig file the best place, or at least one possible place, for a comment of this nature? Please uppercase the B in Bugzilla and P in Perl. Also, looking at that line of exclamation marks is painful. Can we use the more normal asterisks? On a stylistic point, you repeat "This means" twice. Also, change "localconfig" to "the localconfig file". When you say "you really need to change this setting", do they just alter localconfig and rerun checksetup.pl? If so, you should say that, too. In the doc patch, one exclamation mark is surely sufficient. Gerv
Changing the localconfig comment won't change it in existing files, but yeah, we probably should mention it there too. I'll tone down the docs stuff a bit. I wanted to see what it looked like in the generated output, but I can't see that.
Attached patch v2 (obsolete) — Splinter Review
Attachment #81261 - Attachment is obsolete: true
Comment on attachment 81338 [details] [diff] [review] v2 >+# set this to "". If you do set this to "", then your bugzilla installation Capital B! :-) >+other files (including the localconfig file which stores your databasa database. >+ permissions on files which bugzilla uses. If you do not have a B. >+ webservergroup set in the localconfig file, then bugzilla will have to B. >+ make certain files world readable and/or writable. <emphasis>THIS IS >+ INSECURE!</emphasis>. This means that anyone who can get access to >+ your system can do whatever they want to your bugzilla installation. B. >+ be able to take control of your bugzilla installation. B. Fix those, and r=gerv. Gerv
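Review bot: In the docs hunk, `<emphasis>THIS IS INSECURE!</emphasis>.` puts a full stop directly after the exclamation mark, so the rendered sentence ends in "INSECURE!."; drop the trailing period. The wording "world readable and/or writable" would also read better hyphenated as "world-readable and/or world-writable", matching how the bug description spells it.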
Attachment #81338 - Flags: review+
Comment on attachment 81338 [details] [diff] [review] v2 how about if we check for Win32 and skip the nasty warnings if they're on Win32? Since they don't apply to them anyway...
Attached patch v3 — Splinter Review
OK, check for win32 first. Note that this doesn't make it any more secure... What about NTFS systems, which could have this stuff set up?
Attachment #81338 - Attachment is obsolete: true
Personally, I don't think it's worth the effort to set the NTFS ACL's during Bugzilla installation, because:
1) On NT, even world-writability isn't generally that big a risk, as it's quite difficult to get to the "shell" - and on most NT boxes if you do, you'll have quite a lot of permissions anyway.
2) chmod won't do it on NT, so you'd have to use something like Win32::FileSecurity to alter the ACL's -> messy (though doable)
3) Default permissions tend to get right by inheritance if the webroot permissions are even decently configured before the BZ installation.
4) Since impersonation plays such a big role in the NT authentication world, setting the correct permissions is potentially quite a bit more complex operation than doing it on Unix. The proper configuration is probably unique to the server, and the administrator must know how to do it anyway.
I think it's better to warn the admin and leave the configuration up to him/her. If one's capable enough of getting MySQL, Perl and Bugzilla running on Win32, the security configuration is a piece of cake. You could consider an addition to the documentation, though, especially if out-of-the-box installability is still in plans for 2.18.
Right - but should we warn in checksetup anyway?
Since setting the webservergroup won't make the system any more secure on Win32 platforms, warning about _not_ setting it doesn't sound sensible. I don't think we should warn Win32 users (in checksetup.pl) at all, as there is no easy way to detect if the permissions are set cleverly - so we either have to warn every time or never warn. A documentation note in the Win32 section should be enough. I propose changing section 3.6.1's installation instruction 6 to be: "Take care that the file permissions for your Bugzilla installation directory are sensible. Remove unnecessary write access."
Hmmh, s/Bugzilla installation directory/Bugzilla directory/ on the previous proposal, that seems to be a more proper term in the context.
Comment on attachment 82308 [details] [diff] [review] v3 r=gerv. Gerv
Attachment #82308 - Flags: review+
Comment on attachment 82308 [details] [diff] [review] v3 r= justdave
Attachment #82308 - Flags: review+
Fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
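As an added example (not part of this bug report and not Bugzilla's checksetup.pl code): a POSIX shell check for the two conditions the bug is about, an empty webservergroup in localconfig and world-writable paths under the Bugzilla directory. It assumes localconfig holds a Perl assignment of the form `$webservergroup = "apache";`; the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example (not Bugzilla code). Assumes localconfig contains a Perl
# assignment such as:  $webservergroup = "apache";

# Print the value assigned to $webservergroup (nothing if empty or absent).
# Commented-out lines are skipped; the "." on each side of the capture
# matches either quote style.
webservergroup_of() {
    sed -n 's/^[[:space:]]*\$webservergroup[[:space:]]*=[[:space:]]*.\(.*\).;.*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# List everything below $1 that any local user may write to (symlinks skipped).
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Report findings on stdout; return 0 when clean, 1 when something needs fixing.
audit_bugzilla_dir() {
    dir=$1
    rc=0
    if [ -z "$(webservergroup_of "$dir/localconfig")" ]; then
        echo "WARN: webservergroup is empty or unset in $dir/localconfig"
        rc=1
    fi
    found=$(world_writable "$dir")
    if [ -n "$found" ]; then
        echo "WARN: world-writable paths:"
        printf '%s\n' "$found" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Constructed sample tree for trying the audit: $1 is the directory to
# create, $2 the group name written into its localconfig ("" for none).
make_sample_tree() {
    mkdir -p "$1/data"
    printf '%s\n' "\$webservergroup = \"$2\";" > "$1/localconfig"
    chmod 755 "$1" "$1/data"
    chmod 640 "$1/localconfig"
}
```

Run `audit_bugzilla_dir /path/to/bugzilla` after checksetup.pl; a non-zero return means the directory is in the state the warning describes.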