Richard wrote:
>> From: m.roth at 5-cent.us
>> Richard wrote:
>>>> From: m.roth at 5-cent.us
>> <snip>
>>>> Anyway, starting late last week, we found issues - as in, its process, which runs under, and is started by, apache, was suddenly pegging a CPU or so. Trying to stop httpd, that worked... but this idiot process never did (and it's ugly to clean up after).
>>>>
>>>> What we just this morning found out to be the problem is that some package seems to change the permissions on /var/log/httpd to 700 from 770. The result was that this ...thing... couldn't write to its own logs, running as apache:root, while /var/log/httpd was root:root.
>>>>
>>>> I just did rpm -q httpd --scripts, and that doesn't show anything, so I don't know what package did it.... If anyone knows, I'd like to know.
>>>
>>> I didn't try poking at the rpm too much, but just checked and found that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7 update, will change the permissions on the /var/log/httpd directory (but not the files in it) to 700 and the ownership (again, of the directory, not the included files) to root.root from whatever you may have set them to. Those are the same ownerships/permissions that are the default in 6.6.
>> <snip>
>> And there's no reference to /var/log/httpd.
>>
>> So, since I haven't yet found where /var/log/httpd is created, what would a default package make the ownership of the directory? Does it expect it to be apache:root?
>>
>> Or does it expect that httpd run as apache:apache, and then /var/log/httpd should be apache:apache?
>>
>> Certainly, httpd shouldn't be running as root....
>
> I simply mucked with the permissions and ownerships of the /var/log/httpd directory/files on a 6.7 system and then did "yum reinstall" of the httpd-2.2.15-45 rpm that's part of 6.7 and noted what happened. I happen to also have a 6.6 system and compared things between the two, so can say that the 6.7 and 6.6 /var/log/httpd directory defaults are the same -- 700 / root.root.

Right. I can't do that. I don't have a system to set it up on that way.

> The default is that httpd starts as root and then spawns its worker tasks as the user set in the "User" directive in the httpd.conf.

Ahhh! I did know that, but had forgotten it.

<snip>

> Given that, I found it slightly amusing that your "security tool", seemingly running as "apache", had write access to (and ownership control of?) the httpd log directory and files.

It ain't mine. It's a required thing (and note that the division that mandates this stuff is very heavily <blinder>WINDOWS!!!<blinder> SiteMinder is put out by Computer Associates, a huge company that was putting out very expensive and popular mainframe software decades ago, and hasn't gotten any smaller.... And I do not believe they've ever wrapped their heads around Unix, much less Linux.

Actually, I was talking to someone from our internal SiteMinder support, and asked them to *please* put an enhancement request into CA to add an selinux policy, so I don't have to fight it with every release... and he says they've got two requests in now....

mark