[CentOS] Odd problem with updates to the recent CR

Tue Aug 11 16:45:37 UTC 2015
Richard <lists-centos at listmail.innovate.net>


------------ Original Message ------------
> Date: Tuesday, August 11, 2015 11:43:21 -0400
> From: m.roth at 5-cent.us
>
> We started updating via CR over a week ago, before 6.7 was
> official, and just today identified an issue.... For (alleged)
> security, the agency I work as a contractor for runs SiteMinder,
> from CA.
> 
> # insert rant_against_CA.h
> 
> Anyway, starting late last week, we found issues - as in, its
> process, which runs under, and is started by, apache, was suddenly
> pegging a CPU or so. Trying to stop httpd, that worked... but this
> idiot process never did (and it's ugly to clean up after).
> 
> What we just this morning found out to be the problem is that some
> package seems to change the permissions on /var/log/httpd to 700
> from 770. The result was that this ...thing... couldn't write to
> its own logs, running as apache:root, while /var/log/httpd was
> root:root.
> 
> I just did rpm -q httpd --scripts, and that doesn't show anything,
> so I don't know what package did it.... If anyone knows, I'd
> like to know.
> 
>        mark

I didn't try poking at the rpm too much, but just checked and found
that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7
update, will change the permissions on the /var/log/httpd directory
(but not the files in it) to 700 and the ownership (again, of the
directory, not the included files) to root.root from whatever you
may have set them to. Those are the same ownerships/permissions that
are the default in 6.6. 

I.e., it appears that someone/thing modified the /var/log/httpd
directory permissions and ownerships from the default and the
updated httpd put them back.

Isn't there a bit of a security issue in your (modified) setup with
those files being able to be written to by the apache user?
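
Added example (not part of the thread, and not code from either poster): `rpm -q --scripts` lists only scriptlets, while the mode and owner that an update applies to a directory are stored in the package's file metadata. The sketch below compares that metadata with what is on disk to show which paths an update would put back; the function name `check_drift` is hypothetical, and GNU `stat` (as on CentOS) is assumed.

```shell
#!/bin/sh
# Report paths whose on-disk mode/owner differ from the package manifest,
# i.e. local changes that a package update would put back to the default.
#
# Manifest lines have the form "<octal filemode> <user> <group> <path>",
# as printed by:
#   rpm -q --qf '[%{FILEMODES:octal} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' httpd
# Constructed sample line, matching the defaults described in the thread:
#   40700 root root /var/log/httpd

# check_drift (hypothetical name): read manifest lines on stdin, print one
# "DRIFT ..." line per path that differs, return 1 if any drift was found.
check_drift() {
    drift=0
    while read -r pmode puser pgroup path; do
        [ -e "$path" ] || continue          # path not present on this host
        # Keep only the permission bits: the last four octal digits.
        want=$(printf '%s' "$pmode" | sed 's/.*\(....\)$/\1/')
        # stat prints e.g. "770"; normalise to four digits ("0770").
        have=$(printf '%04o' "0$(stat -c '%a' "$path")")
        owner=$(stat -c '%U:%G' "$path")
        if [ "$want" != "$have" ] || [ "$puser:$pgroup" != "$owner" ]; then
            echo "DRIFT $path disk=$have $owner package=$want $puser:$pgroup"
            drift=1
        fi
    done
    return "$drift"
}

# Usage: sh drift.sh httpd    (queries the local RPM database)
if [ "$#" -gt 0 ]; then
    rpm -q --qf '[%{FILEMODES:octal} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' "$@" \
        | check_drift
fi
```

`rpm -V httpd` reports the same kind of mismatch (flags `M`, `U`, `G`) without the before/after values.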