<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ANSI_X3.4-1968"><title>4.1.&#160;Operating System</title><link rel="stylesheet" type="text/css" href="../../style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><meta name="keywords" content="Bugzilla, Guide, installation, FAQ, administration, integration, MySQL, Mozilla, webtools"><link rel="home" href="index.html" title="The Bugzilla Guide - 4.4.11 Release"><link rel="up" href="security.html" title="Chapter&#160;4.&#160;Bugzilla Security"><link rel="prev" href="security.html" title="Chapter&#160;4.&#160;Bugzilla Security"><link rel="next" href="security-webserver.html" title="4.2.&#160;Web server"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.1.&#160;Operating System</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="security.html">Prev</a>&#160;</td><th width="60%" align="center">Chapter&#160;4.&#160;Bugzilla Security</th><td width="20%" align="right">&#160;<a accesskey="n" href="security-webserver.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-os"></a>4.1.&#160;Operating System</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-ports"></a>4.1.1.&#160;TCP/IP Ports</h3></div></div></div><p>The TCP/IP standard defines more than 65,000 ports for sending
      and receiving traffic. Of those, Bugzilla needs exactly one to operate
      (different configurations and options may require up to 3). You should
      audit your server and make sure that you aren't listening on any ports
      you don't need to be. It's also highly recommended that the server
      Bugzilla resides on, along with any other machines you administer, be
      placed behind some kind of firewall.
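      </p><p>An added example, not part of the Bugzilla Guide, of the port audit described above: it reads listener lines in the format printed by <code>ss -H -tln</code> and compares them with an allowlist. The allowlist <code>22 80</code> and the sample listener list are constructed assumptions.</p>

```bash
#!/bin/sh
# Added example: audit listening TCP sockets against an allowlist.
# Input: lines in the format printed by `ss -H -tln`.

# Constructed sample of `ss -H -tln` output so the script runs offline.
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 64 *:2049 *:*
LISTEN 0 128 [::1]:631 [::]:*
EOF
}

# audit_listeners "22 80": reads ss lines on stdin and prints one verdict per
# listener: OK (allowlisted port), LOCAL (loopback only) or REVIEW.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (port in ok) verdict = "OK"
        else if (host ~ /^127\./ || host == "[::1]") verdict = "LOCAL"
        else verdict = "REVIEW"
        print verdict, host, port
    }'
}

# Ports reachable beyond loopback that are not on the allowlist.
unexpected_ports() {
    audit_listeners "$1" | awk '$1 == "REVIEW" { print $3 }' |
        sort -n -u | paste -sd ' ' -
}

# Hypothetical allowlist: SSH for administration plus Bugzilla's HTTP port.
sample_ss | audit_listeners "22 80"
# On a live host: ss -H -tln | audit_listeners "22 80"
```

<p>Each REVIEW line is a listener to stop, rebind to loopback, or block at the firewall.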
      </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-accounts"></a>4.1.2.&#160;System User Accounts</h3></div></div></div><p>Many <a class="glossterm" href="glossary.html#gloss-daemon"><em class="glossterm">daemons</em></a>, such
      as Apache's <code class="filename">httpd</code> or MySQL's
      <code class="filename">mysqld</code>, run as either <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> or
      <span class="quote">&#8220;<span class="quote">nobody</span>&#8221;</span>. This is even worse on Windows machines where the
      majority of <a class="glossterm" href="glossary.html#gloss-service"><em class="glossterm">services</em></a>
      run as <span class="quote">&#8220;<span class="quote">SYSTEM</span>&#8221;</span>. While running as <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> or
      <span class="quote">&#8220;<span class="quote">SYSTEM</span>&#8221;</span> introduces obvious security concerns, the
      problems introduced by running everything as <span class="quote">&#8220;<span class="quote">nobody</span>&#8221;</span> may
      not be so obvious. If you run every daemon as
      <span class="quote">&#8220;<span class="quote">nobody</span>&#8221;</span> and one of them is compromised, it can be used to
      compromise every other daemon running as <span class="quote">&#8220;<span class="quote">nobody</span>&#8221;</span> on your
      machine. For this reason, it is recommended that you create a separate user
      account for each daemon.
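      </p><p>An added example, not part of the Bugzilla Guide, of checking a host for the shared-account problem described above: it reads lines in the format printed by <code>ps -e -o user= -o comm=</code> and reports which audited daemons run as root or share an account. The process list and the set of audited daemon names are constructed assumptions.</p>

```bash
#!/bin/sh
# Added example: find daemons that run as root or share an account.
# Input: lines in the format printed by `ps -e -o user= -o comm=`.

# Constructed process list so the script runs offline.
sample_ps() {
cat <<'EOF'
root systemd
root sshd
root httpd
apache httpd
apache httpd
mysql mysqld
nobody memcached
nobody dnsmasq
EOF
}

# audit_accounts "httpd mysqld": reads ps lines on stdin and prints, for each
# audited daemon and account, ROOT, SHARED (the account also runs another
# audited daemon) or DEDICATED.
audit_accounts() {
    awk -v watch="$1" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) audited[w[i]] = 1 }
    ($2 in audited) && !(($1, $2) in seen) {
        seen[$1, $2] = 1
        count[$1]++                  # distinct audited daemons per account
        pair[++np] = $1 " " $2
    }
    END {
        for (i = 1; i <= np; i++) {
            split(pair[i], f, " ")
            if (f[1] == "root") v = "ROOT"
            else if (count[f[1]] > 1) v = "SHARED"
            else v = "DEDICATED"
            print v, f[1], f[2]
        }
    }'
}

# Accounts whose compromise would expose more than one audited daemon.
shared_accounts() {
    audit_accounts "$1" | awk '$1 == "SHARED" { print $2 }' |
        sort -u | paste -sd ' ' -
}

# Hypothetical set of daemons to audit.
sample_ps | audit_accounts "httpd mysqld memcached dnsmasq"
```

<p>Apache's parent process normally stays root and hands requests to workers under an unprivileged account, so a ROOT line for <code>httpd</code> next to a DEDICATED worker line is expected; SHARED lines are the ones to split into separate accounts.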
      </p><div class="note" style="margin-left: 1em; margin-right: 1em"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="../images/note.gif"></td><th align="left"></th></tr><tr><td align="left" valign="top"><p>You will need to set the <code class="option">webservergroup</code> option
        in <code class="filename">localconfig</code> to the group your web server runs
        as. This will allow <code class="filename">./checksetup.pl</code> to set file
        permissions on Unix systems so that nothing is world-writable.
        </p></td></tr></table></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-os-chroot"></a>4.1.3.&#160;The <code class="filename">chroot</code> Jail</h3></div></div></div><p>
        If your system supports it, you may wish to consider running
        Bugzilla inside of a <code class="filename">chroot</code> jail. This option
        provides additional isolation by restricting anything running
        inside the jail from accessing files outside of it. If you
        wish to use this option, please consult the documentation that came
        with your system.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="security.html">Prev</a>&#160;</td><td width="20%" align="center"><a accesskey="u" href="security.html">Up</a></td><td width="40%" align="right">&#160;<a accesskey="n" href="security-webserver.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter&#160;4.&#160;Bugzilla Security&#160;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&#160;4.2.&#160;Web server</td></tr></table></div></body></html>