[CentOS] Odd problem with updates to the recent CR

Tue Aug 11 18:45:28 UTC 2015
m.roth at 5-cent.us <m.roth at 5-cent.us>

Richard wrote:
>> From: m.roth at 5-cent.us
>> Richard wrote:
>>>> From: m.roth at 5-cent.us
>> <snip>
>>>> Anyway, starting late last week, we found issues - as in, its
>>>> process, which runs under, and is started by, apache, was
>>>> suddenly pegging a CPU or so. Trying to stop httpd, that
>>>> worked... but this idiot process never did (and it's ugly to
>>>> clean up after).
>>>>
>>>> What we just this morning found out to be the problem is that
>>>> some package seems to change the permissions on /var/log/httpd
>>>> to 700 from 770. The result was that this ...thing... couldn't
>>>> write to its own logs, running as apache:root, while
>>>> /var/log/httpd was root:root.
>>>>
>>>> I just did rpm -q httpd --scripts, and that doesn't show
>>>> anything, so as I don't know what package did it.... If anyone
>>>> knows, I'd like to know.
>>>
>>> I didn't try poking at the rpm too much, but just checked and
>>> found that the httpd-2.2.15-45 rpm, that's part of the (regular)
>>> 6.7 update, will change the permissions on the /var/log/httpd
>>> directory (but not the files in it) to 700 and the ownership
>>> (again, of the directory, not the included files) to root.root
>>> from whatever you may have set them to. Those are the same
>>> ownerships/permissions that are the default in 6.6.
>>
<snip>
>> And there's no reference to /var/log/httpd.
>>
>> So, since I haven't yet found where /var/log/httpd is created,
>> what would a default package make the ownership of the directory?
>> Does it expect it to be apache:root?
>>
>> Or does it expect that httpd run as apache:apache, and then
>> /var/log/httpd should be apache:apache?
>>
>> Certainly, httpd shouldn't be running as root....
>
> I simply mucked with the permissions and ownerships of the
> /var/log/httpd directory/files on a 6.7 system and then did "yum
> reinstall" of the httpd-2.2.15-45 rpm that's part of 6.7 and noted
> what happened. I happen to also have a 6.6 system and compared
> things between the two, so can say that the 6.7 and 6.6
> /var/log/httpd directory defaults are the same -- 700 / root.root.

Right. I can't do that. I don't have a system to set it up on that way.
>
> The default is that httpd starts as root and then spawns its worker
> tasks as the user set in the "User" directive in the httpd.conf.

Ahhh! I did know that, but had forgotten it.
<snip>
> Given that, I found it slightly amusing that your "security tool",
> seemingly running as "apache", had write access to (and ownership
> control of?) the httpd log directory and files.

It ain't mine. It's a required thing (and note that the division that
mandates this stuff is very heavily <blinder>WINDOWS!!!<blinder>).

SiteMinder is put out by Computer Associates, a huge company that was
putting out very expensive and popular mainframe software decades ago, and
hasn't gotten any smaller.... And I do not believe they've ever wrapped
their heads around Unix, much less Linux. Actually, I was talking to
someone from our internal SiteMinder support, and asked them to *please*
put an enhancement request into CA to add an selinux policy, so I don't
have to fight it with every release... and he says they've got two
requests in now....

       mark
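
The following is an added example, not part of the original message. RPM records each file's mode, owner and group in the package's file manifest rather than in its scriptlets, which is why `rpm -q httpd --scripts` shows nothing while a reinstall still resets /var/log/httpd. The function names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between a path's on-disk
# mode/owner/group and the values recorded in an RPM's file manifest.

# Reduce a mode such as 40700 (rpm, with file-type bits) or 770 (stat)
# to its permission bits only.
perm_bits() { printf '%o' "$(( 0$1 & 07777 ))"; }

# manifest_drift PATH MODE OWNER GROUP
# Prints one line per differing attribute.
# Returns 0 = matches, 1 = drift, 2 = path missing.
manifest_drift() {
    path=$1 want_mode=$(perm_bits "$2") want_user=$3 want_group=$4
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    # GNU stat: %a octal mode, %U owner name, %G group name
    set -- $(stat -c '%a %U %G' "$path")
    have_mode=$(perm_bits "$1") rc=0
    [ "$have_mode" = "$want_mode" ] ||
        { echo "$path: mode $have_mode, package says $want_mode"; rc=1; }
    [ "$2" = "$want_user" ] ||
        { echo "$path: owner $2, package says $want_user"; rc=1; }
    [ "$3" = "$want_group" ] ||
        { echo "$path: group $3, package says $want_group"; rc=1; }
    return $rc
}

# pkg_drift PACKAGE PATH
# Looks PATH up in PACKAGE's manifest (paths containing spaces not handled).
pkg_drift() {
    entry=$(rpm -q --queryformat \
        '[%{FILENAMES} %{FILEMODES:octal} %{FILEUSERNAME} %{FILEGROUPNAME}\n]' "$1" |
        awk -v p="$2" '$1 == p { print $2, $3, $4; exit }')
    [ -n "$entry" ] || { echo "$2: not in the manifest of $1"; return 2; }
    manifest_drift "$2" $entry
}

# Stand-alone use: sh drift.sh httpd /var/log/httpd
if [ $# -eq 2 ]; then pkg_drift "$1" "$2"; fi
```

Running it before and after an update shows whether a local change to the directory (770 in this thread) differs from the packaged 700 / root.root and will therefore be reset; `rpm -V httpd` reports the same drift as M, U and G flags.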