CentOS-5.6 update issues

Posted by: mstauber Category: General

In the early morning hours of Sunday CentOS-5.6 was released. This caused a few issues.

In the early morning hours of Sunday, 10th April CentOS-5.6 was released to the YUM repositories. This caused a few issues with the Apache webserver on BlueOnyx.

If you are affected, here is a quick fix:

1.) Login to your BlueOnyx by SSH as "admin".

2.) Use the command "su -" to gain root access.

3.) Run "yum clean all", followed by "yum update".

That will download and install an updated base-apache-* module, which will automatically correct the problem upon installation. 

Why it happened:

The guys at RedHat (and CentOS) who rolled up the new "mod_nss" addressed some security issues with "mod_nss", which also changed around the required ownerships and permissions of the /etc/httpd/alias/ databases.

In the past the files in /etc/httpd/alias/ were all root owned and had these ownerships and permissions:

OLD:

[root@derelik alias]# ls -la /etc/httpd/alias/*.db
-rw------- 1 root root 65536 Sep 23  2010 /etc/httpd/alias/cert8.db
-rw------- 1 root root 16384 Sep 23  2010 /etc/httpd/alias/key3.db
-rw------- 1 root root 16384 Sep 23  2010 /etc/httpd/alias/secmod.db


Now they're supposed to be this way:

NEW:

[root@cbq alias]# ls -la /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Sep 23  2010 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Sep 23  2010 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Sep 23  2010 /etc/httpd/alias/secmod.db


As you can see: The group ownership got changed from "root" to "apache" and the databases are now also group readable, which they weren't in the past.

CentOS-5.6's new mod_nss-1.0.8-3.el5 RPM (which owns these files) was supposed to fix the ownerships and permissions, but didn't. Hence the problems.

The updated base-apache-* RPMs we just released to the YUM repositories runs commands to fix the group ownerships and permissions of the /etc/mail/alias/ databases upon installation. Additionally it adds a new Sausalito constructor named /usr/sausalito/constructor/base/apache/set_httpd_alias_perms.pl which - upon execution - fixes the permissions as well.

That fixes the issues.

If the problem ever happens again, you can simply run /usr/sausalito/constructor/base/apache/set_httpd_alias_perms.pl from the command line, or can restart CCEd (/etc/init.d/cced.init restart) to fix the ownership and permissions.


Return
General
Apr 10, 2011 Category: General Posted by: mstauber
Next page: Features