Richard wrote: >> From: m.roth at 5-cent.us <snip> >> Anyway, starting late last week, we found issues - as in, its >> process, which runs under, and is started by, apache, was suddenly >> pegging a CPU or so. Trying to stop httpd, that worked... but this >> idiot process never did (and it's ugly to clean up after). >> >> What we just this morning found out to be the problem is that some >> package seems to change the permissions on /var/log/httpd to 700 >> from 770. The result was that this ...thing... couldn't write to >> its own logs, running as apache:root, while /var/log/httpd was >> root:root. >> >> I just did rpm -q httpd --scripts, and that doesn't show anything, >> so as I don't know what package did it.... If anyone knows, I'd >> like to know. > > I didn't try poking at the rpm too much, but just checked and found > that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7 > update, will change the permissions on the /var/log/httpd directory > (but not the files in it) to 700 and the ownership (again, of the > directory, not the included files) to root.root from whatever you > may have set them to. Those are the same ownerships/permissions that > are the default in 6.6. Really! Ok, how did you see that? When I ran rpm -q httpd --scripts, I got preinstall scriptlet (using /bin/sh): # Add the "apache" user getent group apache >/dev/null || groupadd -g 48 -r apache getent passwd apache >/dev/null || \ useradd -r -u 48 -g apache -s /sbin/nologin \ -d /var/www -c "Apache" apache exit 0 postinstall scriptlet (using /bin/sh): # Register the httpd service /sbin/chkconfig --add httpd /sbin/chkconfig --add htcacheclean preuninstall scriptlet (using /bin/sh): if [ $1 = 0 ]; then /sbin/service httpd stop > /dev/null 2>&1 /sbin/chkconfig --del httpd /sbin/service htcacheclean stop > /dev/null 2>&1 /sbin/chkconfig --del htcacheclean fi posttrans scriptlet (using /bin/sh): test -f /etc/sysconfig/httpd-disable-posttrans || \ /sbin/service httpd condrestart >/dev/null 2>&1 || : And there's no reference to /var/log/httpd. > > I.e., it appears that someone/thing modified the /var/log/httpd > directory permissions and ownerships from the default and the > updated httpd put them back. > > Isn't there a bit of a security issue in your (modified) setup with > those files being able to be written to by the apache user? So, since I haven't yet found where /var/log/httpd is created, what would a default package make the ownership of the directory? Does it expect it to be apache:root? Or does it expect that httpd run as apache:apache, and then /var/log/httpd should be apache:apache? Certainly, httpd shouldn't be running as root.... mark