File: Security

package info (click to toggle)
request-tracker3.6 3.6.1-4%2Betch1
  • links: PTS
  • area: main
  • in suites: etch
  • size: 9,028 kB
  • ctags: 1,371
  • sloc: perl: 27,270; sh: 671; makefile: 327
file content (25 lines) | stat: -rwxr-xr-x 1,122 bytes parent folder | download | duplicates (7)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
RT2 runs setgid to some group (it defaults to 'rt').

rt's configuration file, 'config.pm', is not world readable because it 
contains rt's database password. If  a user gets access to this file, he
can arbitrarily manipulate the RT database. This is bad. You don't want
this to happen.  config.pm is mode 550. No users should be members of 
the 'rt' group unless you want them to be able to obtain your rt password.

If you're running the web interface, you'll need to make sure your webserver
has access to config.pm.  You could do this by letting your webserver's user
be a member of the 'rt' group. This has the disadvantage of letting 
any mod_perl code on your web server have access to your RT password.

Alternatively, you can run RT2 on its own apache instance bound to a high
port on 127.0.0.1
which runs as a non-priviledged user which is a member of the group 'rt'.  

Configure your webserver to proxy requests to RT's 
virtual directory to the apache instance you just set up.

TODO: doc the apache configs needed to do this.

The same technique can be used to run multiple RT2 instances on the same host.