<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><meta http-equiv="Content-Type" content="text/html; charset=ANSI_X3.4-1968"><title>4.1. Operating System</title><link rel="stylesheet" type="text/css" href="../../style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><meta name="keywords" content="Bugzilla, Guide, installation, FAQ, administration, integration, MySQL, Mozilla, webtools"><link rel="home" href="index.html" title="The Bugzilla Guide - 4.4.12 Release"><link rel="up" href="security.html" title="Chapter 4. Bugzilla Security"><link rel="prev" href="security.html" title="Chapter 4. Bugzilla Security"><link rel="next" href="security-webserver.html" title="4.2. Web server"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.1. Operating System</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="security.html">Prev</a> </td><th width="60%" align="center">Chapter 4. Bugzilla Security</th><td width="20%" align="right"> <a accesskey="n" href="security-webserver.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-os"></a>4.1. Operating System</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-ports"></a>4.1.1. TCP/IP Ports</h3></div></div></div><p>The TCP/IP standard defines more than 65,000 ports for sending and receiving traffic. Of those, Bugzilla needs exactly one to operate (different configurations and options may require up to 3). You should audit your server and make sure that you aren't listening on any ports you don't need to be. 
It's also highly recommended that the server Bugzilla resides on, along with any other machines you administer, be placed behind some kind of firewall. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-accounts"></a>4.1.2. System User Accounts</h3></div></div></div><p>Many <a class="glossterm" href="glossary.html#gloss-daemon"><em class="glossterm">daemons</em></a>, such as Apache's <code class="filename">httpd</code> or MySQL's <code class="filename">mysqld</code>, run as either <span class="quote">“<span class="quote">root</span>”</span> or <span class="quote">“<span class="quote">nobody</span>”</span>. This is even worse on Windows machines where the majority of <a class="glossterm" href="glossary.html#gloss-service"><em class="glossterm">services</em></a> run as <span class="quote">“<span class="quote">SYSTEM</span>”</span>. While running as <span class="quote">“<span class="quote">root</span>”</span> or <span class="quote">“<span class="quote">SYSTEM</span>”</span> introduces obvious security concerns, the problems introduced by running everything as <span class="quote">“<span class="quote">nobody</span>”</span> may not be so obvious. Basically, if you run every daemon as <span class="quote">“<span class="quote">nobody</span>”</span> and one of them gets compromised it can compromise every other daemon running as <span class="quote">“<span class="quote">nobody</span>”</span> on your machine. For this reason, it is recommended that you create a user account for each daemon. </p><div class="note" style="margin-left: 1em; margin-right: 1em"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.gif"></td><th align="left"></th></tr><tr><td align="left" valign="top"><p>You will need to set the <code class="option">webservergroup</code> option in <code class="filename">localconfig</code> to the group your web server runs as. 
This will allow <code class="filename">./checksetup.pl</code> to set file permissions on Unix systems so that nothing is world-writable. </p></td></tr></table></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-chroot"></a>4.1.3. The <code class="filename">chroot</code> Jail</h3></div></div></div><p> If your system supports it, you may wish to consider running Bugzilla inside of a <code class="filename">chroot</code> jail. This option adds a strong layer of isolation by preventing anything running inside the jail from accessing files outside of it. If you wish to use this option, please consult the documentation that came with your system. </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="security.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="security.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="security-webserver.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Bugzilla Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 4.2. Web server</td></tr></table></div></body></html>
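The two recommendations in 4.1.1 and 4.1.2 (listen only on the ports you actually need; give each daemon its own account instead of sharing "nobody") can be turned into a routine host audit. The script below is an added example written for this page; it is not code from the Bugzilla Guide or from the Bugzilla project. It runs two checks over constructed sample output in the shape of `ss -lntu` (listening sockets) and `ps -eo user,comm` (process owners), so it works offline; the port allowlist (22 and 443) and the process and account names in the samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the Bugzilla Guide's OS hardening section; not project code.
# Two host-audit checks: unexpected listening ports and daemons sharing one account.

# Ports this host is expected to expose (constructed allowlist: SSH and HTTPS).
ALLOWED_PORTS="22 443"

# Constructed sample in the shape of `ss -lntu` output.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    *:443               *:*
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*'

# Reads ss-style lines on stdin and prints, one per line, every port that is
# bound to a non-loopback address and is not in ALLOWED_PORTS.
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" { next }                       # header line, if present
        {
            ep = $5                                  # Local Address:Port column
            port = ep; sub(/.*:/, "", port)          # text after the last colon
            addr = ep; sub(/:[^:]*$/, "", addr)      # text before the last colon
            if (addr == "127.0.0.1" || addr == "[::1]") next   # host-local only
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n
}

# Constructed sample in the shape of `ps -eo user,comm` output.
SAMPLE_PS='USER     COMMAND
root     init
root     sshd
nobody   httpd
nobody   httpd
nobody   mysqld
postfix  master
bugzilla jobqueue.pl'

# Reads ps-style lines on stdin and prints "account: cmd1 cmd2 ..." for every
# non-root account that owns more than one distinct daemon, i.e. the shared
# "nobody" situation in which one compromised daemon can reach the others.
shared_daemon_accounts() {
    awk '$1 != "USER" && $1 != "root" { print $1, $2 }' |
    sort -u |
    awk '{ count[$1]++; cmds[$1] = cmds[$1] " " $2 }
         END { for (u in count) if (count[u] > 1) print u ":" cmds[u] }' |
    sort
}

# Run both checks against the constructed samples.
echo "Ports listening on the network but not in the allowlist:"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports
echo "Accounts shared by more than one daemon:"
printf '%s\n' "$SAMPLE_PS" | shared_daemon_accounts
```

To run this against a live host, replace the constructed samples with `ss -lntu | unexpected_ports` and `ps -eo user,comm | shared_daemon_accounts`. Sockets bound only to 127.0.0.1 or [::1] are skipped because they are not reachable from the network, so the MySQL instance on the loopback address in the sample is not reported while the UDP service on 111 and the extra listener on 8080 are. The account check deliberately ignores root, which legitimately owns many system processes, and reports any other account that owns more than one distinct daemon; in the sample that is the "nobody" account shared by httpd and mysqld, which is exactly what the section advises against.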