Re: Securing Bugzilla

To: debian-security@lists.debian.org
Subject: Re: Securing Bugzilla
From: Matt Zimmerman <mdz@debian.org>
Date: Tue, 24 Sep 2002 11:04:00 -0400
Message-id: <[🔎] 20020924150400.GG7261@alcor.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 1032879319.23152.5.camel@lan-19a>
References: <[🔎] 1032879319.23152.5.camel@lan-19a>

On Tue, Sep 24, 2002 at 10:55:19AM -0400, Todd Charron wrote:

>   I've recently been looking to setup bugzilla as a way to keep track
> of... well... bugs ;)  Anyway, while setting it up I noticed it was
> recommended for security to set create htaccess to 1 so that proper
> .htaccess files can be generated.  However, I also noticed that doing
> this on debian seems to have no effect and htaccess files are not
> generated.  Looking at the checksetup.pl file there's a comment "#  No
> htaccess on debian" and disables it (overriding the user defined
> setting).  
>   So my question is two parts.  
> 1) Why is htaccess disabled on Debian? (in bugzilla at least)  

Probably because bugzilla, in its default (non-Debian) configuration,
expects to be able to write to the directory where it is running, and other
nasty things.  In Debian, this sort of thing requires privileges that are
not granted to the web server and CGIs.

> 2) Is it possible then to securely use bugzilla on Debian?  If so what
> is the easiest way.  

Yes, the same way as any other web content.  Assuming you are using Apache,
see:

http://httpd.apache.org/docs/howto/auth.html

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: Securing Bugzilla
  - From: Todd Charron <tcharron@mnsi.net>

References:
- Securing Bugzilla
  - From: Todd Charron <tcharron@mnsi.net>

Prev by Date: Securing Bugzilla
Next by Date: Re: Securing Bugzilla
Previous by thread: Securing Bugzilla
Next by thread: Re: Securing Bugzilla
Index(es):
- Date
- Thread