on 5/3/01 2:19 PM, "Nick Bauman" <[EMAIL PROTECTED]> wrote:
> A while ago I tried to run bugzilla in a chroot jail using thttpd (apache no
> longer supports chroot'ing, it seems). I got it somewhat working, but I gave
> up and went to bugrat, for better or worse.
>
> I think if you can chroot (and run unprivileged) bugzilla, this greatly
> minimizes any security implications you've seen. Without chrooting and
> running as an unprivileged user, bugzilla is not only insecure, it's
> insecurable.

The problem that I describe below is beyond the need to chroot things. Look
in the globals.pl file at the password that was used. Simple things such as
choosing secure passwords are a good start at security. So is making sure
that the file with your passwords in it is secure as well.

I'm not asking for perfection... I'm simply asking for people to keep up on
closing the known holes in a timely fashion. I don't think that is an
unreasonable expectation for a system administrator.

-jon