m.roth at 5-cent.us
2015-Aug-11 15:43 UTC
[CentOS] Odd problem with updates to the recent CR
We started updating via CR over a week ago, before 6.7 was official, and just today identified an issue.... For (alleged) security, the agency I work as a contractor for runs SiteMinder, from CA.

#insert rant_against_CA.h

Anyway, starting late last week, we found issues - as in, its process, which runs under, and is started by, apache, was suddenly pegging a CPU or so. Trying to stop httpd, that worked... but this idiot process never did (and it's ugly to clean up after).

What we just this morning found out to be the problem is that some package seems to change the permissions on /var/log/httpd to 700 from 770. The result was that this ...thing... couldn't write to its own logs, running as apache:root, while /var/log/httpd was root:root.

I just did rpm -q httpd --scripts, and that doesn't show anything, so as I don't know what package did it.... If anyone knows, I'd like to know.

mark
------------ Original Message ------------
> Date: Tuesday, August 11, 2015 11:43:21 -0400
> From: m.roth at 5-cent.us
>
> We started updating via CR over a week ago, before 6.7 was
> official, and just today identified an issue.... For (alleged)
> security, the agency I work as a contractor for runs SiteMinder,
> from CA.
>
># insert rant_against_CA.h
>
> Anyway, starting late last week, we found issues - as in, its
> process, which runs under, and is started by, apache, was suddenly
> pegging a CPU or so. Trying to stop httpd, that worked... but this
> idiot process never did (and it's ugly to clean up after).
>
> What we just this morning found out to be the problem is that some
> package seems to change the permissions on /var/log/httpd to 700
> from 770. The result was that this ...thing... couldn't write to
> its own logs, running as apache:root, while /var/log/httpd was
> root:root.
>
> I just did rpm -q httpd --scripts, and that doesn't show anything,
> so as I don't know what package did it.... If anyone knows, I'd
> like to know.
>
> mark

I didn't try poking at the rpm too much, but just checked and found that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7 update, will change the permissions on the /var/log/httpd directory (but not the files in it) to 700 and the ownership (again, of the directory, not the included files) to root.root from whatever you may have set them to. Those are the same ownerships/permissions that are the default in 6.6.

I.e., it appears that someone/thing modified the /var/log/httpd directory permissions and ownerships from the default and the updated httpd put them back.

Isn't there a bit of a security issue in your (modified) setup with those files being able to be written to by the apache user?
m.roth at 5-cent.us
2015-Aug-11 16:59 UTC
[CentOS] Odd problem with updates to the recent CR
Richard wrote:
>> From: m.roth at 5-cent.us
<snip>
>> Anyway, starting late last week, we found issues - as in, its
>> process, which runs under, and is started by, apache, was suddenly
>> pegging a CPU or so. Trying to stop httpd, that worked... but this
>> idiot process never did (and it's ugly to clean up after).
>>
>> What we just this morning found out to be the problem is that some
>> package seems to change the permissions on /var/log/httpd to 700
>> from 770. The result was that this ...thing... couldn't write to
>> its own logs, running as apache:root, while /var/log/httpd was
>> root:root.
>>
>> I just did rpm -q httpd --scripts, and that doesn't show anything,
>> so as I don't know what package did it.... If anyone knows, I'd
>> like to know.
>
> I didn't try poking at the rpm too much, but just checked and found
> that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7
> update, will change the permissions on the /var/log/httpd directory
> (but not the files in it) to 700 and the ownership (again, of the
> directory, not the included files) to root.root from whatever you
> may have set them to. Those are the same ownerships/permissions that
> are the default in 6.6.

Really! Ok, how did you see that?

When I ran rpm -q httpd --scripts, I got

preinstall scriptlet (using /bin/sh):
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
  useradd -r -u 48 -g apache -s /sbin/nologin \
    -d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd
        /sbin/service htcacheclean stop > /dev/null 2>&1
        /sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
 /sbin/service httpd condrestart >/dev/null 2>&1 || :

And there's no reference to /var/log/httpd.

> I.e., it appears that someone/thing modified the /var/log/httpd
> directory permissions and ownerships from the default and the
> updated httpd put them back.
>
> Isn't there a bit of a security issue in your (modified) setup with
> those files being able to be written to by the apache user?

So, since I haven't yet found where /var/log/httpd is created, what would a default package make the ownership of the directory? Does it expect it to be apache:root? Or does it expect that httpd run as apache:apache, and then /var/log/httpd should be apache:apache? Certainly, httpd shouldn't be running as root....

mark
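
Added example, not part of either poster's message: RPM records mode, owner and group for each packaged path in the package header's file list and applies them on install or upgrade, so a scriptlet listing will not show them. The sketch below reads that file list and compares one path against the disk; the function names and the sample line are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Compare the mode/owner/group an RPM records for a path with what is on disk.

# Query format built from rpm header tags; one line per packaged file:
#   "<perms> <owner> <group> <path>"
QF='[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]'

# Constructed sample of one such line, matching the values reported in the
# thread (700, root.root); not captured from a real system.
SAMPLE_MANIFEST='drwx------ root root /var/log/httpd'

# pkg_manifest PACKAGE: print the file list of an installed package.
pkg_manifest() {
    rpm -q --queryformat "$QF" "$1"
}

# check_drift MANIFEST_PATH DISK_PATH  (file list on stdin)
# Returns 0 on match, 1 on drift, 2 if the path is not packaged or is
# missing on disk. Paths containing spaces are not handled.
check_drift() {
    want=$(awk -v p="$1" '$4 == p { print $1, $2, $3 }')
    if [ -z "$want" ]; then
        echo "not in package file list: $1"
        return 2
    fi
    have=$(stat -c '%A %U %G' "$2") || return 2
    if [ "$want" = "$have" ]; then
        echo "match: $have"
        return 0
    fi
    echo "drift: package=$want disk=$have"
    return 1
}

# On a CentOS host:
#   pkg_manifest httpd | check_drift /var/log/httpd /var/log/httpd
# Offline, against the constructed sample:
#   echo "$SAMPLE_MANIFEST" | check_drift /var/log/httpd /some/test/dir
```

`rpm -V httpd` performs the same comparison for every file in the package and flags mode, user and group differences with `M`, `U` and `G`.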