[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing Bugzilla

Thanks for the prompt reply.

So putting an htaccess file in the root of the bugzilla dir (to control
access by ip and through login/password) would be sufficient?  I thought
it might be, but wanted to make sure there weren't any other security
issues that I wasn't aware of with running it.

Thanks again,


On Tue, 2002-09-24 at 11:04, Matt Zimmerman wrote:
> On Tue, Sep 24, 2002 at 10:55:19AM -0400, Todd Charron wrote:
> >   I've recently been looking to setup bugzilla as a way to keep track
> > of... well... bugs ;)  Anyway, while setting it up I noticed it was
> > recommended for security to set create htaccess to 1 so that proper
> > .htaccess files can be generated.  However, I also noticed that doing
> > this on debian seems to have no effect and htaccess files are not
> > generated.  Looking at the checksetup.pl file there's a comment "#  No
> > htaccess on debian" and disables it (overriding the user defined
> > setting).  
> >   So my question is two parts.  
> > 1) Why is htaccess disabled on Debian? (in bugzilla at least)  
> Probably because bugzilla, in its default (non-Debian) configuration,
> expects to be able to write to the directory where it is running, and other
> nasty things.  In Debian, this sort of thing requires privileges that are
> not granted to the web server and CGIs.
> > 2) Is it possible then to securely use bugzilla on Debian?  If so what
> > is the easiest way.  
> Yes, the same way as any other web content.  Assuming you are using Apache,
> see:
> http://httpd.apache.org/docs/howto/auth.html
> -- 
>  - mdz
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: