[BlueOnyx:06956] IMPORTANT: Last night's YUM updates - official fix

Michael Stauber mstauber at blueonyx.it
Sun Apr 10 05:44:44 -05 2011


Hi all,

As mentioned in [BlueOnyx:06936], last night's YUM updates contained a nasty 
surprise. The problem is with CentOS-5.6's mod_nss-1.0.8-3.el5 RPM.

Here is the official fix:
===============

1.) Login to the box by SSH as "admin".

2.) Type "su -" to gain root access. 

3.) Run the following commands:

/etc/init.d/httpd stop
find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
/etc/init.d/httpd start

That should fix the issues.

There are also reports of BlueOnyx's GUI defaulting back to the initial setup 
wizard after these updates, which I cannot confirm yet. If you run into that, 
please perform the setup wizard again.

--------------------------------------------------------------------------------------

Why it happened:
=============

The guys at RedHat (and CentOS) who rolled up the new "mod_nss" addressed some 
security issues with "mod_nss", which also changed around the required 
ownerships and permissions of the /etc/httpd/alias/ databases. 

In the past the files in /etc/httpd/alias/ were all root owned and had these 
ownerships and permissions:

OLD:
====

[root@derelik alias]# ls -la /etc/httpd/alias/*.db
-rw------- 1 root root 65536 Sep 23  2010 /etc/httpd/alias/cert8.db
-rw------- 1 root root 16384 Sep 23  2010 /etc/httpd/alias/key3.db
-rw------- 1 root root 16384 Sep 23  2010 /etc/httpd/alias/secmod.db

Now they're supposed to be this way:

NEW:
====

[root@cbq alias]# ls -la /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Sep 23  2010 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Sep 23  2010 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Sep 23  2010 /etc/httpd/alias/secmod.db

As you can see: The group ownership got changed from "root" to "apache" and 
the databases are now also group readable, which they weren't in the past.

CentOS-5.6's new mod_nss-1.0.8-3.el5 RPM (which owns these files) was supposed 
to fix the ownerships and permissions, but didn't. Hence the problems.

I'll release an update to the BlueOnyx YUM repository which will automatically 
take care of this problem. But first I need to fix www.blueonyx.it and the 
mirrors as well. \o/

Thanks to Rodrigo and the others who helped to address the issue in the 
meantime!

-- 
With best regards

Michael Stauber
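
Added example, not part of the original post or of BlueOnyx: a check that the mod_nss databases are in the "NEW" state shown above (owner root, group apache, mode -rw-r-----), useful for confirming the fix took effect. The function name audit_nss_db and its optional arguments are assumptions made for this illustration; it relies on GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example: audit the mod_nss database files against the state the
# post describes as correct: owner root, group apache, mode 640.
#
# audit_nss_db [DIR] [GROUP] [OWNER]     (hypothetical helper)
#   Defaults: /etc/httpd/alias, apache, root
#   Prints one line per non-compliant *.db file.
#   Returns 0 if every file complies, 1 otherwise.
# Usage on an affected box, as root:  audit_nss_db
audit_nss_db() {
    dir=${1:-/etc/httpd/alias}
    want_group=${2:-apache}
    want_owner=${3:-root}
    rc=0
    for f in "$dir"/*.db; do
        [ -f "$f" ] || continue      # unmatched glob or not a regular file
        # GNU stat: %U owner name, %G group name, %a octal mode
        set -- $(stat -c '%U %G %a' "$f")
        owner=$1 group=$2 mode=$3
        problems=""
        [ "$owner" = "$want_owner" ] || problems="$problems owner=$owner"
        [ "$group" = "$want_group" ] || problems="$problems group=$group"
        # 600 leaves the apache group unable to read; 644 exposes the files to all users
        [ "$mode" = "640" ] || problems="$problems mode=$mode"
        if [ -n "$problems" ]; then
            echo "NONCOMPLIANT $f:$problems"
            rc=1
        fi
    done
    return $rc
}
```

A non-zero return after running the commands from step 3 means at least one database still has the old ownership or mode; the printed lines name the file and the attribute that differs.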