<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Operating System</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REL="HOME" TITLE="The Bugzilla Guide - 3.6.2 Release" HREF="index.html"><LINK REL="UP" TITLE="Bugzilla Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="Bugzilla Security" HREF="security.html"><LINK REL="NEXT" TITLE="Web server" HREF="security-webserver.html"></HEAD ><BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >The Bugzilla Guide - 3.6.2 Release</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 4. Bugzilla Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security-webserver.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="section" ><H1 CLASS="section" ><A NAME="security-os" >4.1. Operating System</A ></H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="security-os-ports" >4.1.1. TCP/IP Ports</A ></H2 ><P >The TCP/IP standard defines more than 65,000 ports for sending and receiving traffic. Of those, Bugzilla needs exactly one to operate (different configurations and options may require up to 3). You should audit your server and make sure that you aren't listening on any ports you don't need to be. It's also highly recommended that the server Bugzilla resides on, along with any other machines you administer, be placed behind some kind of firewall. </P ></DIV ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="security-os-accounts" >4.1.2. 
System User Accounts</A ></H2 ><P >Many <A HREF="glossary.html#gloss-daemon" ><I CLASS="glossterm" >daemons</I ></A >, such as Apache's <TT CLASS="filename" >httpd</TT > or MySQL's <TT CLASS="filename" >mysqld</TT >, run as either <SPAN CLASS="QUOTE" >"root"</SPAN > or <SPAN CLASS="QUOTE" >"nobody"</SPAN >. This is even worse on Windows machines, where the majority of <A HREF="glossary.html#gloss-service" ><I CLASS="glossterm" >services</I ></A > run as <SPAN CLASS="QUOTE" >"SYSTEM"</SPAN >. While running as <SPAN CLASS="QUOTE" >"root"</SPAN > or <SPAN CLASS="QUOTE" >"SYSTEM"</SPAN > introduces obvious security concerns, the problems introduced by running everything as <SPAN CLASS="QUOTE" >"nobody"</SPAN > may not be so obvious. If every daemon runs as <SPAN CLASS="QUOTE" >"nobody"</SPAN > and one of them is compromised, the attacker gains the same access to every other daemon running as <SPAN CLASS="QUOTE" >"nobody"</SPAN > on your machine, because processes that share a user ID can interfere with each other and read each other's files. For this reason, it is recommended that you create a separate user account for each daemon. </P ><DIV CLASS="note" ><P ></P ><TABLE CLASS="note" WIDTH="100%" BORDER="0" ><TR ><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P >You will need to set the <CODE CLASS="option" >webservergroup</CODE > option in <TT CLASS="filename" >localconfig</TT > to the group your web server runs as. This will allow <TT CLASS="filename" >./checksetup.pl</TT > to set file permissions on Unix systems so that nothing is world-writable. </P ></TD ></TR ></TABLE ></DIV ></DIV ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="security-os-chroot" >4.1.3. The <TT CLASS="filename" >chroot</TT > Jail</A ></H2 ><P > If your system supports it, you may wish to consider running Bugzilla inside a <TT CLASS="filename" >chroot</TT > jail. This option provides a strong additional layer of security by preventing processes running inside the jail from accessing files outside of it. 
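</P ><P >The port audit recommended in Section 4.1.1 and the per-daemon account check from Section 4.1.2 can both be scripted. What follows is an added example and not code from the Bugzilla Guide or the Bugzilla project: two POSIX shell functions that read <TT CLASS="filename" >ss -ltnp</TT > and <TT CLASS="filename" >ps -eo user,comm</TT > output on standard input and report, respectively, listening ports outside an allowlist and accounts under which more than one distinct program runs. The command output embedded in the script is constructed for the example; the function names, the allowlist and the sample process names are assumptions for illustration only.</P >

```shell
#!/bin/sh
# Added example (not from the Bugzilla Guide): audit helpers for the advice in
# 4.1.1 (listen only on the ports you need) and 4.1.2 (one account per daemon).
# Both read command output on stdin, so they work on the constructed samples
# below as well as on a live host:
#   ss -ltnp | unexpected_listeners 80 443
#   ps -eo user,comm | shared_daemon_accounts

# Print "port program" for every listening socket whose port is not in the
# allowlist passed as arguments. Expects `ss -ltnp` style output (header + rows).
unexpected_listeners() {
    allow=" $* "
    awk -v allow="$allow" 'NR > 1 {
        port = $4; sub(/.*:/, "", port)   # strip the "addr:" prefix; works for [::]:80 too
        prog = "?"
        if (match($6, /"[^"]*"/)) prog = substr($6, RSTART + 1, RLENGTH - 2)
        if (index(allow, " " port " ") == 0) print port, prog
    }'
}

# Print "account: prog1 prog2 ..." for every account that runs more than one
# distinct program. Expects `ps -eo user,comm` style output (header + rows).
shared_daemon_accounts() {
    awk 'NR > 1 { if (!seen[$1, $2]++) { progs[$1] = progs[$1] " " $2; n[$1]++ } }
         END { for (u in n) if (n[u] > 1) print u ":" progs[u] }' | sort
}

# Constructed sample data standing in for the output of the two commands
# (hypothetical host; the process names and PIDs are made up).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*         users:(("httpd",pid=1234,fd=4))
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*         users:(("httpd",pid=1234,fd=5))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=2345,fd=10))
LISTEN 0      128    0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=3456,fd=3))
LISTEN 0      50     [::]:111          [::]:*            users:(("rpcbind",pid=456,fd=6))'

SAMPLE_PS='USER     COMMAND
root     sshd
nobody   httpd
nobody   mysqld
nobody   memcached
postfix  master'

# A Bugzilla host typically needs only the web server port(s) and, when the
# database is local, the MySQL port on the loopback address.
echo "Unexpected listeners:"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 80 443 3306
echo "Accounts shared by several daemons:"
printf '%s\n' "$SAMPLE_PS" | shared_daemon_accounts
```

<P >On a real host, pipe the live command output in instead of the samples. A port reported by the first function is either a service to shut down or an entry to add to the allowlist; an account reported by the second is a candidate for splitting into one dedicated account per daemon, after which the <CODE CLASS="option" >webservergroup</CODE > option in <TT CLASS="filename" >localconfig</TT > must name the group the web server actually runs as so that <TT CLASS="filename" >./checksetup.pl</TT > sets permissions for the right group.</P ><P >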
If you wish to use this option, please consult the documentation that came with your system. </P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="security.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="security-webserver.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Bugzilla Security</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Web server</TD ></TR ></TABLE ></DIV ></BODY ></HTML >