From 3ef62a0570055da710328937e7f65dbb2c027c62 Mon Sep 17 00:00:00 2001 From: ivan Date: Mon, 12 Aug 2002 06:17:09 +0000 Subject: import rt 2.0.14 --- rt/docs/Security | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rt/docs/Security (limited to 'rt/docs/Security') diff --git a/rt/docs/Security b/rt/docs/Security new file mode 100644 index 000000000..c9787ac52 --- /dev/null +++ b/rt/docs/Security @@ -0,0 +1,25 @@ +RT2 runs setgid to some group (it defaults to 'rt'). + +rt's configuration file, 'config.pm', is not world readable because it +contains rt's database password. If a user gets access to this file, he +can arbitrarily manipulate the RT database. This is bad. You don't want +this to happen. config.pm is mode 550. No users should be members of +the 'rt' group unless you want them to be able to obtain your rt password. + +If you're running the web interface, you'll need to make sure your webserver +has access to config.pm. You could do this by letting your webserver's user +be a member of the 'rt' group. This has the disadvantage of letting +any mod_perl code on your web server have access to your RT password. + +Alternatively, you can run RT2 on its own apache instance bound to a high +port on 127.0.0.1 +which runs as a non-priviledged user which is a member of the group 'rt'. + +Configure your webserver to proxy requests to RT's +virtual directory to the apache instance you just set up. + +TODO: doc the apache configs needed to do this. + +The same technique can be used to run multiple RT2 instances on the same host. + + -- cgit v1.2.1