Closed
Bug 76156
Opened 24 years ago
Closed 24 years ago
Securing Bugzilla section omits shadow directory.
Categories
(Bugzilla :: Bugzilla-General, defect)
Bugzilla
Bugzilla-General
Tracking
()
RESOLVED
FIXED
Bugzilla 2.12
People
(Reporter: CodeMachine, Assigned: barnboy)
Details
While the Securing Bugzilla section does talk about securing the shadow
directory, it is missing in this sentence:
Ensure you have adequate access controls for $BUGZILLA_HOME/data/ and
$BUGZILLA_HOME/localconfig. The localconfig file stores your "bugs" user
password, which would be terrible to have in the hands of a criminal. Also some
files under $BUGZILLA_HOME/data store sensitive information.
Updated•24 years ago (Reporter)
Target Milestone: --- → Bugzilla 2.12
Comment 1•24 years ago
Hmmm... that's in the README (not those exact words, but the idea). Perhaps
that'll just have to be one of the things that gets merged as part of bug 76841.
Comment 2•24 years ago (Reporter)
Tara is deprecating the README for 2.12 ... the Bugzilla Guide should be
correct.
Comment 3•24 years ago
Currently in the README:
There are two critical directories and a file that should not be served by
the HTTP server. These are the 'data' and 'shadow' directories and the
'localconfig' file. You should configure your HTTP server to not serve
content from these files. Failure to do so will expose critical passwords
and other data. Please see your HTTP server configuration manual on how
to do this.
Comment 4•24 years ago
Changed that paragraph in README to:
> There are two critical directories and a file that should not be served by
> the HTTP server. These are the 'data' and 'shadow' directories and the
> 'localconfig' file. You should configure your HTTP server to not serve
> content from these files. Failure to do so will expose critical passwords
> and other data. Please see your HTTP server configuration manual on how
> to do this. If you use quips (at the top of the buglist pages) you will want
> the 'data/comments' file to still be served. This file contains those quips.
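A check for the rule in the README paragraph above, as an added example (not part of this bug report or of Bugzilla): it requests `localconfig`, `data/`, `shadow/` and the quips file from an install you administer and reports anything the web server handles contrary to that paragraph. The function names, the `extra_blocked` argument and the injectable `fetch` parameter are assumptions of this example.

```python
import sys
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Locations the README says must not be served, and the one exception.
MUST_BLOCK = ("localconfig", "data/", "shadow/")
MUST_SERVE = ("data/comments",)  # quips file; only needed if quips are used


def http_status(url, timeout=5):
    """Return the HTTP status for url, or None if the server is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:      # 4xx/5xx responses still carry a status code
        return err.code
    except URLError:
        return None


def audit(base_url, extra_blocked=(), fetch=http_status):
    """Return (path, status, verdict) for every path that breaks the rule.

    extra_blocked: names of real files under data/ or shadow/ on your install;
    a directory URL can return 403 merely because listings are switched off.
    """
    base = base_url.rstrip("/") + "/"
    findings = []
    for path in (*MUST_BLOCK, *extra_blocked):
        status = fetch(base + path)
        if status is not None and 200 <= status < 300:
            findings.append((path, status, "EXPOSED"))
    for path in MUST_SERVE:
        status = fetch(base + path)
        if status in (401, 403):
            findings.append((path, status, "QUIPS BLOCKED"))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: python audit.py http://localhost/bugzilla data/<some-file>
    for path, status, verdict in audit(sys.argv[1], sys.argv[2:]):
        print(f"{verdict}: {path} -> HTTP {status}")
```

An empty result means the three protected locations were refused and the quips file was not blocked.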
Comment 5•24 years ago (Reporter)
Barnboy, this is a pretty small but important change. Is there any chance of
getting 5 minutes of your time on this one before 2.12?
Severity: minor → major
Comment 6•24 years ago (Assignee)
No problem.
I'll try to have this and the other 2.12 bugs finished by Tuesday afternoon
this week.
Status: NEW → ASSIGNED
Comment 7•24 years ago (Reporter)
This is the final 2.12 issue. Please let us know if you can't do this soon for
whatever reason.
Comment 8•24 years ago (Assignee)
For those of you waiting with bated breath, I'm getting this and the last few
bugs in the Guide finished now. Today is Tuesday, and it's the afternoon. I'll
have it in shortly!
Comment 9•24 years ago (Assignee)
Fixed and checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa