The WebIssues Server Manual
Issue tracking and team collaboration system

Security settings

This chapter contains some directions for improving the security of the WebIssues Server installation to prevent unauthorized access to the key elements of the system. It's assumed that your operating system, web server and database server are already configured correctly.

General notes

The key elements which require special security settings are:

  • the configuration file

  • the file attachments

  • the log files

In a multi-user environment, these files must not be accessible to unauthorized users. The configuration file should be readable only by the web server process, and the attachments and logs should be readable and writable only by the web server process.

It is also very important to make sure that these files are not accessible from the web, because by default they are stored in a publicly available location. The web server must be configured to deny access to these files.

File system

After copying the files to the web server's root directory or a user's public HTML directory, it is likely that they are readable by all users of the system. In a multi-user environment, it is important to make sure that unauthorized users won't be able to read or modify the configuration file, as that would give them access to the database.

Under Linux, use the following commands to create the configuration file and set its permissions. It's assumed that WebIssues is installed in /var/www/html and that Apache is running as user nobody:

# cd /var/www/html/config
# cp config-template.inc.php config.inc.php
# chown nobody config.inc.php
# chmod 500 config.inc.php

Under Windows, copy the file, open its properties and go to the Security tab. Make sure it is located on a file system with advanced security settings, for example NTFS. Disable access to this file for everyone except the web server process account. By default IIS is running as the Internet Guest Account; you can modify the IIS Application Pool settings to specify a dedicated user account for the WebIssues application.

The web server must have read and write access to the attachment storage and log directories. As attachments and logs may contain sensitive information, these directories should also be configured to be inaccessible for unauthorized users.

Under Linux, use the following commands to create the storage and log directories:

# cd /var/www/html
# mkdir storage log
# chown nobody storage log
# chmod 700 storage log

Under Windows, create these directories and modify their Security properties to disable access for all users except the web server process account and enable the Modify permission for that user.
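The Linux settings from this section can be verified with the following shell audit script. It is an added example, not part of the WebIssues distribution; it assumes GNU or BSD stat is available and takes the installation root and the web server user as arguments (the /var/www/html and nobody values used above are simply what you would pass in).

```shell
#!/bin/sh
# Audit the ownership and permissions the manual asks for on a WebIssues
# installation (config/config.inc.php, storage/, log/). Added example; the
# manual's /var/www/html and nobody are arguments here, not built-in defaults.
# Usage: webissues_perm_check <install-root> <web-server-user>

# Print "<octal mode> <owner>" for a path: GNU stat first, BSD stat as fallback.
mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null
}

# Check one path: right owner, no group/other bits, and the owner bits the
# manual requires ($4 is "r" for the config file, "rwx" for the directories).
check_private() {
    path=$1 want_owner=$2 label=$3 need=$4 status=0
    if [ ! -e "$path" ]; then
        echo "FAIL: $label does not exist: $path"; return 1
    fi
    info=$(mode_owner "$path") || { echo "FAIL: cannot stat $path"; return 1; }
    mode=${info% *}
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # pad to four octal digits
    owner=${info#* }
    user_bits=${mode%??}; user_bits=${user_bits#?}   # owner digit
    group_other=${mode#??}                           # group and other digits
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $label is owned by $owner, expected $want_owner: $path"; status=1
    fi
    if [ "$group_other" != "00" ]; then
        echo "FAIL: $label is accessible to group/others (mode $mode): $path"; status=1
    fi
    case "$need:$user_bits" in
        r:4|r:5|r:6|r:7|rwx:7) ;;   # owner has the access the manual requires
        *) echo "FAIL: $label lacks owner '$need' access (mode $mode): $path"; status=1 ;;
    esac
    return $status
}

# Run all checks; returns 0 only when every file and directory passes.
webissues_perm_check() {
    root=$1 user=$2 rc=0
    check_private "$root/config/config.inc.php" "$user" "configuration file" r || rc=1
    for d in storage log; do
        check_private "$root/$d" "$user" "$d directory" rwx || rc=1
    done
    return $rc
}

if [ "$#" -ge 2 ]; then webissues_perm_check "$1" "$2"; fi
```

Run it as root (or as the web server user) after setting the permissions; every FAIL line names the path and the property that does not match this section.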

Web server

The attachments, log files and templates are by default located in a directory accessible for everyone from the web. You can either move them to a different location (and update the configuration file accordingly) or configure the web server so that it denies access to these files from the web.

If you use Apache, the .htaccess file included in the distribution package disables access to the configuration files, attachments, log files and templates. It also disables displaying directory indexes and sets the default directory handler to index.php.

Make sure that Apache is configured to handle the .htaccess file. Set the AllowOverride option to All in the configuration file for the Apache server or the appropriate virtual host or directory to enable these settings.

If you use IIS, open the Internet Information Services manager and go to the WebIssues directory. Open the properties of the config directory and uncheck the Read option. Do the same for the templates, storage and log directories if they are located in the WebIssues directory. Also make sure that the Directory browsing option is unchecked for the entire WebIssues directory and the default document is set to index.php.