This section of the site contains commentary on subjects relevant to our work or other interests.
The Mantis Bug Tracker setup is simple when running in a local environment, where you can control everything. in a LAMP system (Linux, Apache, MySQL, PHP), the Mantis BT installer is capable of most of the install. Only one additional step (creation of a MySQL userid) may be needed. See Secure MySQL Setup for details.
In a hosted environment, there is more work to do. This description is based on using cPanel. The steps are as follows:
- create a new database for Mantis. From the Control Panel, select MySQL Databases. Under Databases, enter a new name and click the Add Database button.
- create a new User (or two for the secure setup). Under "Users" on the same page, enter the new user name, and click "Add User".
- Link the new user(s) to the database. In the "Databases" section, you should see an entry for the new database. Note that it will be prefixed by your user account name (e.g., xyz_mantis). Underneath that, there will be a dropdown menu listing all or your database users (similarly with names like xyz_mantisweb). In the simple case, select the "all" privileges checkbox and click "Add User to Database" button. The database is now ready to use. The listing will look similar to that below:
- Copy the Mantis code to the hosted site. I usually ftp the code from my development site to the host. For a standard install, you can use the File Manager to upload the distribution .zip file to the "public_html" folder on your host. The folder can then be extracted by clicking on it, and selecting the "Extract Files from Folder" link.
- Make the new Mantis folder writable (to allow for initial setup). Select the Mantis folder in the File Manager, and select the "Change Permissions" link. Make the folder writable by clicking the checkbox at the intersection of "world" and "write" and clicking "Change".
- Run the Mantis installer to complete the installation. Access the web page at http://<your host>/mantisbt/admin/install.php. This should check your server and present you with a list of options to initialize the system. The boxes should be filled in as follows:
Type of Database Hostname (for Database Server) Username (for Database) Password (for Database) Database name (for Database) Admin Username (to create Database) Admin Password (to create Database) Print SQL Queries instead of Writing to the Database
Note that you will see at least one "Possible Problem" while installing the database. The installer will complain about not being able to log in to MySQL without specifying a database, as well as not being able to create the database. These messages can be ignored.
- Make the new Mantis folder read-only again. Select the Mantis folder in the File Manager, and select the "Change Permissions" link. Make the folder unwritable by clicking the checkbox at the intersection of "world" and "write" and clicking "Change".
Mantis should be fully functional now.
A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.
The exploit takes advantage of a hole in how PHP implements the internal interface to the sendmail MTA. The setting for the sender address can be used to gain access to system resources. This exploit is described in http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215 .
After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool. We read the sender address from configuration data. To use this exploit, someone would require administrator level access and/or direct access to the database. The probability of exploit is very low. A small patch will be added in the next release to prevent the problem completely.
This page was originally posted at http://www.futureware.biz/blog/index.php?title=mysql_setup_for_use_with_mantis&more=1&c=1&tb=1&pb=1.
In some environments, additional database security may be desired when running a Mantis installation. The key to this is to restrict what the database userid can do. Note that database userids are distinct from system login or mantis user names, and are specific to the database system being used.
The following restrictions should be put in place:
- The userid should be restricted in terms of where it can access the database from. MySQL permissions can lock out access by host name or IP address. The database should only be accessible from the web server.
- The userid should be restricted in terms of what databases it can access. For the most secure setup, a new userid should be defined that only has access to the Mantis database.
- The userid should be restricted in terms of what it can do to the database. The operating user only requires SELECT, INSERT, UPDATE, and DELETE privileges.
Thus, you should create a new userid within MySQL to run the Mantis installation. You can create this user using the following command while in the mysql command line tool:
GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO mantis_user@hostname IDENTIFIED by password; where mantis_user is the new mantis userid, hostname is the name of the host running the web server, and password is the password. You may need to repeat this command for both a host named 'localhost' and one with the hostname as defined in the host's DNS entry.
To update the database using the internal tools, you may require a userid with additional privileges. At a minimum, you would need to add ALTER, INDEX, CREATE, DELETE, and DROP privileges to another user for database upgrades. Before the 1.0.0 release, you would need to manually edit the config_inc.php file to replace the userid and password to update the database structures. With version 1.0.0, the system installer allows for a second administrative userid to be used specifically for this purpose. You can create this user using the following command while in the mysql command line tool:
GRANT ALL ON bugtracker.* TO mantis_admin@hostname IDENTIFIED by password;
Yet another set of vulnerabilities have been discovered with PHP and register_globals. More details can be found at http://www.hardened-php.net/advisory_202005.79.html.
Mantis has not required this setting to be on since version 0.18. The system check also flags it as a questionable practice.
If you are on a hosted site, or have applications that require this setting, you may not have complete control over this. You can, however, set this on a per directory basis, if you are using Apache. If you create a .htaccess file in your Mantis directory with the following content, the setting can be altered.
php_flag register_globals 0
Note that the directory's entry in httpd.conf MUST contain "AllowOverride All" or at least "AllowOverride Options" to read PHP settings from the .htaccess file.
Early in my career as an engineer and manager, I found that weekly reports were a pain to produce. It was usually something put together in a hurry on Friday afternoon or Monday morning.
As a project manager, these reports can be invaluable. They can provide a quick and simple insight on the health of your project. They can also help you target the areas to question in terms of progress or quality.
For example, when the same one week task shows up over the course of two or three weeks, it's time to talk to the individual responsible to see why progress is so slow. In other cases, observations by staff will point out dependencies that were missed in the original plan.
I like to use a simple format that will be less than 1 screen (20 lines) in email format.
- What was Completed
- What will be done this Week
- What Issues need Help to Resolve.