Commentary Archive April 2007

Mantis: Secure MySQL Setup

This page was originally posted at http://www.futureware.biz/blog/index.php?title=mysql_setup_for_use_with_mantis&more=1&c=1&tb=1&pb=1.

In some environments, additional database security may be desired when running a Mantis installation. The key to this is to restrict what the database userid can do. Note that database userids are distinct from system login or mantis user names, and are specific to the database system being used.

The following restrictions should be put in place:

  • The userid should be restricted in terms of where it can access the database from. MySQL permissions can lock out access by host name or IP address. The database should only be accessible from the web server.
  • The userid should be restricted in terms of what databases it can access. For the most secure setup, a new userid should be defined that only has access to the Mantis database.
  • The userid should be restricted in terms of what it can do to the database. The operating user only requires SELECT, INSERT, UPDATE, and DELETE privileges.

Thus, you should create a new userid within MySQL to run the Mantis installation. You can create this user using the following command while in the mysql command line tool:

GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'hostname' IDENTIFIED BY 'password';

where mantis_user is the new Mantis userid, hostname is the name of the host running the web server, and password is the password. You may need to repeat this command for both a host named 'localhost' and one with the hostname as defined in the host's DNS entry, because MySQL treats the two as separate accounts.

To update the database using the internal tools, you may require a userid with additional privileges. At a minimum, you would need to add ALTER, INDEX, CREATE, DELETE, and DROP privileges to another user for database upgrades. Before the 1.0.0 release, you would need to manually edit the config_inc.php file to replace the userid and password to update the database structures. With version 1.0.0, the system installer allows for a second administrative userid to be used specifically for this purpose. You can create this user using the following command while in the mysql command line tool:

GRANT ALL ON bugtracker.* TO 'mantis_admin'@'hostname' IDENTIFIED BY 'password';
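As an added example (not from the original post), the complete setup for both userids in one script, followed by the checks that confirm the privileges came out as intended. It assumes the database is named bugtracker as above, that the web server's DNS name is www.example.com, and that the passwords are placeholders to be replaced.

```sql
-- Added example; bugtracker, www.example.com and the passwords are placeholders.
-- MySQL 8.0 no longer accepts GRANT ... IDENTIFIED BY, so the account is created
-- first and the privileges granted separately; this form also works on older servers.

-- Operating userid: only the four data-manipulation privileges, only on the
-- Mantis database, and only from the web server. 'localhost' covers the Unix
-- socket; the DNS name covers TCP connections from the same host.
CREATE USER 'mantis_user'@'localhost'       IDENTIFIED BY 'replace-this-password';
CREATE USER 'mantis_user'@'www.example.com' IDENTIFIED BY 'replace-this-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON bugtracker.* TO 'mantis_user'@'www.example.com';

-- Administrative userid used only for schema upgrades, with the same host restriction.
CREATE USER 'mantis_admin'@'localhost'       IDENTIFIED BY 'replace-this-admin-password';
CREATE USER 'mantis_admin'@'www.example.com' IDENTIFIED BY 'replace-this-admin-password';
GRANT ALL ON bugtracker.* TO 'mantis_admin'@'localhost';
GRANT ALL ON bugtracker.* TO 'mantis_admin'@'www.example.com';

FLUSH PRIVILEGES;

-- Check 1: each account should list USAGE on *.* plus the intended privileges
-- on `bugtracker`.* and nothing else.
SHOW GRANTS FOR 'mantis_user'@'localhost';
SHOW GRANTS FOR 'mantis_user'@'www.example.com';
SHOW GRANTS FOR 'mantis_admin'@'localhost';

-- Check 2: no entry for either userid should have the wildcard host '%',
-- which would allow connections from any address.
SELECT user, host FROM mysql.user
 WHERE user IN ('mantis_user', 'mantis_admin');

-- Check 3: the operating userid must not hold any global privilege.
SELECT user, host, Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, Alter_priv, Index_priv
  FROM mysql.user
 WHERE user = 'mantis_user';
```

The last query should show 'N' in every privilege column for mantis_user; the SELECT, INSERT, UPDATE and DELETE rights live in mysql.db, scoped to bugtracker, and never at the global level.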

Mantis: register_globals Again

Yet another set of vulnerabilities has been discovered in PHP relating to register_globals. More details can be found at http://www.hardened-php.net/advisory_202005.79.html.

Mantis has not required this setting to be on since version 0.18. The system check also flags it as a questionable practice.

If you are on a hosted site, or have applications that require this setting, you may not have complete control over this. You can, however, set this on a per directory basis, if you are using Apache. If you create a .htaccess file in your Mantis directory with the following content, the setting can be altered.

php_flag register_globals 0

Note that the directory's entry in httpd.conf MUST contain "AllowOverride All" or at least "AllowOverride Options" to read PHP settings from the .htaccess file.

Project Management: The Weekly Report

Early in my career as an engineer and manager, I found that weekly reports were a pain to produce. It was usually something put together in a hurry on Friday afternoon or Monday morning.

As a project manager, these reports can be invaluable. They can provide a quick and simple insight on the health of your project. They can also help you target the areas to question in terms of progress or quality.

For example, when the same one week task shows up over the course of two or three weeks, it's time to talk to the individual responsible to see why progress is so slow. In other cases, observations by staff will point out dependencies that were missed in the original plan.

I like to use a simple format that will be less than 1 screen (20 lines) in email format.

  • What was Completed
  • What will be done this Week
  • What Issues need Help to Resolve.

Copyright 2006, Logical Outcome Ltd.