Richard wrote:
>> From: m.roth@xxxxxxxxx
<snip>
>> Anyway, starting late last week, we found issues - as in, its
>> process, which runs under, and is started by, apache, was suddenly
>> pegging a CPU or so. Trying to stop httpd, that worked... but this
>> idiot process never did (and it's ugly to clean up after).
>>
>> What we just this morning found out to be the problem is that some
>> package seems to change the permissions on /var/log/httpd to 700
>> from 770. The result was that this ...thing... couldn't write to
>> its own logs, running as apache:root, while /var/log/httpd was
>> root:root.
>>
>> I just did rpm -q httpd --scripts, and that doesn't show anything,
>> so as I don't know what package did it.... If anyone knows, I'd
>> like to know.
>
> I didn't try poking at the rpm too much, but just checked and found
> that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7
> update, will change the permissions on the /var/log/httpd directory
> (but not the files in it) to 700 and the ownership (again, of the
> directory, not the included files) to root.root from whatever you
> may have set them to. Those are the same ownerships/permissions that
> are the default in 6.6.
Really! Ok, how did you see that? When I ran rpm -q httpd --scripts, I got
preinstall scriptlet (using /bin/sh):
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
useradd -r -u 48 -g apache -s /sbin/nologin \
-d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service httpd stop > /dev/null 2>&1
/sbin/chkconfig --del httpd
/sbin/service htcacheclean stop > /dev/null 2>&1
/sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
/sbin/service httpd condrestart >/dev/null 2>&1 || :
And there's no reference to /var/log/httpd.
>
> I.e., it appears that someone/thing modified the /var/log/httpd
> directory permissions and ownerships from the default and the
> updated httpd put them back.
>
> Isn't there a bit of a security issue in your (modified) setup with
> those files being able to be written to by the apache user?
So, since I haven't yet found where /var/log/httpd is created, what would
a default package make the ownership of the directory? Does it expect it
to be apache:root?
Or does it expect that httpd run as apache:apache, and then /var/log/httpd
should be apache:apache?
Certainly, httpd shouldn't be running as root....
mark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
