Re: Securing Bugzilla
Thanks for the prompt reply.
So putting an htaccess file in the root of the bugzilla dir (to control
access by IP and through login/password) would be sufficient? I thought
it might be, but wanted to make sure there weren't any other security
issues that I wasn't aware of with running it.
Thanks again,
Todd
On Tue, 2002-09-24 at 11:04, Matt Zimmerman wrote:
> On Tue, Sep 24, 2002 at 10:55:19AM -0400, Todd Charron wrote:
>
> > I've recently been looking to set up bugzilla as a way to keep track
> > of... well... bugs ;) Anyway, while setting it up I noticed it was
> > recommended for security to set create htaccess to 1 so that proper
> > .htaccess files can be generated. However, I also noticed that doing
> > this on Debian seems to have no effect and htaccess files are not
> > generated. Looking at the checksetup.pl file there's a comment "# No
> > htaccess on debian" and disables it (overriding the user defined
> > setting).
> > So my question is two parts.
> > 1) Why is htaccess disabled on Debian? (in bugzilla at least)
>
> Probably because bugzilla, in its default (non-Debian) configuration,
> expects to be able to write to the directory where it is running, and other
> nasty things. In Debian, this sort of thing requires privileges that are
> not granted to the web server and CGIs.
>
> > 2) Is it possible then to securely use bugzilla on Debian? If so what
> > is the easiest way.
>
> Yes, the same way as any other web content. Assuming you are using Apache,
> see:
>
> http://httpd.apache.org/docs/howto/auth.html
>
> --
> - mdz
>
>
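An added example, not part of the original thread: a `.htaccess` for the Bugzilla root that requires both an allowed source address and a valid login, in the Apache syntax of the thread's era with the Apache 2.4 equivalent alongside. The password file path, realm name and address range are placeholders.

```apache
# .htaccess in the Bugzilla root directory (added example).
# Takes effect only if the main server config allows it for this directory:
#   AllowOverride AuthConfig Limit
# With "AllowOverride None" this file is ignored and nothing is protected.

# Password check. Basic authentication sends the password unencrypted
# (base64 only), so serve this directory over HTTPS.
AuthType Basic
AuthName "Bugzilla"
# Placeholder path: keep the password file outside the web root.
AuthUserFile /etc/apache2/bugzilla.htpasswd

# Apache 1.3 / 2.0 / 2.2 syntax
<IfModule !mod_authz_core.c>
    Require valid-user

    # Address check: deny everything, then allow the placeholder range.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # "Satisfy All" demands the address check AND the password check.
    # "Satisfy Any" would accept either one, so any client inside the
    # allowed range would get in without a password.
    Satisfy All
</IfModule>

# Apache 2.4 syntax
<IfModule mod_authz_core.c>
    # RequireAll corresponds to "Satisfy All"; RequireAny would be the
    # weaker either-one behaviour.
    <RequireAll>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAll>
</IfModule>
```

A request from outside the allowed range should return 403, and one from inside it without credentials should return 401; if both return the page, the override is not being honoured.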