<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Security settings</title>
<link rel="stylesheet" href="common/style.css" type="text/css" />
<meta name="generator" content="DocBook XSL Stylesheets V1.73.0" />
<meta name="keywords" content="webissues, issue tracking, bug tracking, team collaboration, server" />
<link rel="start" href="index.html" title="The WebIssues Server Manual" />
<link rel="up" href="installation.html" title="Chapter 2. Installation Guide" />
<link rel="prev" href="database.html" title="Creating the database" />
<link rel="next" href="configuration.html" title="Configuring WebIssues" />
</head>
<body>
<div id="header">
<div id="header-bar">
<img id="header-logo" src="common/webissues.png" alt="WebIssues" />
<div id="header-title">The <span class="application">WebIssues Server</span> Manual</div>
<div id="header-abstract">Issue tracking and team collaboration system</div>
</div>
<div id="header-links"><a accesskey="h" href="index.html">Home</a> » <a accesskey="u" href="installation.html">Installation Guide</a></div>
</div>
<div class="navlinks">
<div class="navleft">« <a accesskey="p" href="database.html">Creating the database</a></div>
<div class="navright"><a accesskey="n" href="configuration.html">Configuring <span class="application">WebIssues</span></a> »</div>
</div>
<div class="sect1" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title" style="clear: both"><a id="security"></a>Security settings</h2>
</div>
</div>
</div>
<p>This chapter contains some directions for improving the security of the <span class="application">WebIssues Server</span> installation to prevent unauthorized access to the key elements of the system. It's assumed that your operating system, web server and database server are already configured correctly.</p>
<div class="sect2" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 class="title"><a id="security_general"></a>General notes</h3>
</div>
</div>
</div>
<p>The key elements which require special security settings are:</p>
<div class="itemizedlist">
<ul type="disc">
<li>
<p>the configuration file</p>
</li>
<li>
<p>the file attachments</p>
</li>
<li>
<p>the log files</p>
</li>
</ul>
</div>
<p>In a multi-user environment, these files must not be accessible to unauthorized users. The configuration file should be readable only by the web server process, and the attachments and logs should be readable and writable only by that process.</p>
<p>It is also very important to make sure that these files are not accessible from the web, because by default they are stored in a publicly available location. The web server must be configured to deny access to these files.</p>
</div>
<div class="sect2" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 class="title"><a id="security_files"></a>File system</h3>
</div>
</div>
</div>
<p>After copying the files to the web server's root directory or a user's public HTML directory, it is likely that they are readable by all users of the system. In a multi-user environment, it is important to make sure that unauthorized users cannot read or modify the configuration file, as that would give them access to the database.</p>
<p>Under Linux, use the following commands to create the configuration file and set its permissions. It's assumed that <span class="application">WebIssues</span> is installed in <code class="literal">/var/www/html</code> and that Apache is running as user <code class="literal">nobody</code>:</p>
<div class="literallayout">
<p><code class="prompt">#</code> <span class="command"><strong>cd /var/www/html/config</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>cp config-template.inc.php config.inc.php</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>chown nobody config.inc.php</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>chmod 500 config.inc.php</strong></span></p>
</div>
<p>Under Windows, copy the file, open its properties and go to the Security tab. Make sure it is located on a file system with advanced security settings, for example NTFS. Disable access to this file for everyone except the web server process account. By default IIS is running as the <span class="guilabel">Internet Guest Account</span>; you can modify the IIS Application Pool settings to specify a dedicated user account for the <span class="application">WebIssues</span> application.</p>
<p>The web server must have read and write access to the attachment storage and log directories. As attachments and logs may contain sensitive information, these directories should also be configured to be inaccessible for unauthorized users.</p>
<p>Under Linux, use the following commands to create the <code class="literal">storage</code> and <code class="literal">log</code> directories:</p>
<div class="literallayout">
<p><code class="prompt">#</code> <span class="command"><strong>cd /var/www/html</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>mkdir storage log</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>chown nobody storage log</strong></span><br />
<code class="prompt">#</code> <span class="command"><strong>chmod 700 storage log</strong></span></p>
</div>
<p>Under Windows, create these directories and modify their Security properties to disable access for all users except the web server process account and enable the <span class="guilabel">Modify</span> permission for that user.</p>
</div>
<div class="sect2" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 class="title"><a id="security_web"></a>Web server</h3>
</div>
</div>
</div>
<p>The attachments and logs are by default located in a directory accessible for everyone from the web. You can either move them to a different location (and update the <a class="link" href="configuration.html" title="Configuring WebIssues">configuration file</a> accordingly) or configure the web server so that it denies access to these files from the web.</p>
<p>If you use Apache, the <code class="literal">.htaccess</code> file included in the distribution package disables access to the configuration files, attachments and log files. It also disables displaying directory indexes and sets the default directory handler to <code class="literal">index.php</code>.</p>
<p>Make sure that Apache is configured to handle the <code class="literal">.htaccess</code> file. Set the <code class="literal">AllowOverride</code> option to <code class="literal">All</code> in the configuration file for the Apache server or the appropriate virtual host or directory to enable these settings.</p>
<p>If you use IIS, open the Internet Information Services manager and go to the <span class="application">WebIssues</span> directory. Open the properties of the <code class="literal">config</code> directory and uncheck the <span class="guilabel">Read</span> option. Do the same for the <code class="literal">storage</code> and <code class="literal">log</code> directories if they are located in the <span class="application">WebIssues</span> directory. Also make sure that the <span class="guilabel">Directory browsing</span> option is unchecked for the entire <span class="application">WebIssues</span> directory and the default document is set to <code class="literal">index.php</code>.</p>
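<p>The following audit script is an added example written for this manual page; it is not part of the <span class="application">WebIssues</span> distribution. It re-checks, on a Linux host, the settings the previous two sections ask for: <code class="literal">config.inc.php</code> owned by the web server account with mode 500, the <code class="literal">storage</code> and <code class="literal">log</code> directories owned by that account with mode 700, and an <code class="literal">.htaccess</code> in the installation root that disables directory indexes and sets a default document. The install root and web server account are assumed to be passed as arguments (for example <code class="literal">/var/www/html</code> and <code class="literal">nobody</code>); GNU coreutils <code class="literal">stat</code> is assumed, and the <code class="literal">.htaccess</code> test is a heuristic that looks for the standard Apache <code class="literal">Options -Indexes</code> and <code class="literal">DirectoryIndex</code> directives rather than checking the exact contents of the file shipped in the package.</p>

```shell
#!/bin/sh
# Added permission audit for the layout described in this chapter; not part of
# the WebIssues distribution. Assumes GNU coreutils (stat -c) and that the
# install root and the web server account are supplied by the caller.

# expected_mode PATH OCTAL: succeed only when PATH has exactly OCTAL permissions
expected_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# expected_owner PATH USER: succeed only when PATH is owned by USER
# (USER may be a name or a numeric uid; comparison is done numerically)
expected_owner() {
    want=$(id -u "$2" 2>/dev/null || printf '%s' "$2")
    actual=$(stat -c '%u' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$want" ]
}

# htaccess_has FILE PATTERN: the Apache override file mentions PATTERN (case-insensitive)
htaccess_has() {
    grep -qi -- "$2" "$1" 2>/dev/null
}

# audit_install ROOT WEBUSER: report every deviation from the chapter's settings
# (config.inc.php owned by WEBUSER, mode 500; storage and log owned by WEBUSER,
# mode 700; .htaccess present with indexes disabled and a default document set).
# Returns 0 when everything matches, 1 otherwise.
audit_install() {
    root=$1
    webuser=$2
    problems=0

    cfg="$root/config/config.inc.php"
    expected_owner "$cfg" "$webuser" || { echo "FAIL: $cfg is not owned by $webuser"; problems=$((problems + 1)); }
    expected_mode "$cfg" 500 || { echo "FAIL: $cfg mode is not 500"; problems=$((problems + 1)); }

    for dir in storage log; do
        expected_owner "$root/$dir" "$webuser" || { echo "FAIL: $root/$dir is not owned by $webuser"; problems=$((problems + 1)); }
        expected_mode "$root/$dir" 700 || { echo "FAIL: $root/$dir mode is not 700"; problems=$((problems + 1)); }
    done

    ht="$root/.htaccess"
    htaccess_has "$ht" '-Indexes' || { echo "FAIL: $ht does not disable directory indexes"; problems=$((problems + 1)); }
    htaccess_has "$ht" 'DirectoryIndex' || { echo "FAIL: $ht does not set a default document"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}

# make_sample_install DIR: constructed sample tree owned by the current user and
# laid out as the chapter describes; used here only for demonstration.
make_sample_install() {
    mkdir -p "$1/config" "$1/storage" "$1/log"
    : > "$1/config/config.inc.php"
    chmod 500 "$1/config/config.inc.php"
    chmod 700 "$1/storage" "$1/log"
    printf 'Options -Indexes\nDirectoryIndex index.php\n' > "$1/.htaccess"
}

# Usage: sh audit.sh /var/www/html nobody
if [ "$#" -eq 2 ]; then
    audit_install "$1" "$2"
fi
```

<p>Run it as the administrator after completing the steps above; each deviation is printed as a <code class="literal">FAIL</code> line and the exit status is non-zero if anything was found, which makes it suitable for a cron job or a post-deployment check. A world-readable <code class="literal">config.inc.php</code> (for example mode 644) is reported because the mode check is exact, matching the <code class="literal">chmod 500</code> recommended earlier.</p>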
</div>
</div>
<div class="navlinks">
<div class="navleft">« <a accesskey="p" href="database.html">Creating the database</a></div>
<div class="navright"><a accesskey="n" href="configuration.html">Configuring <span class="application">WebIssues</span></a> »</div>
</div>
<div id="copyright">
<p class="copyright">Copyright © 2007-2008 WebIssues Team</p>
</div>
</body>
</html>