From dc9a5b13fe93dfd80bcfeb7e267e6dfa431da036 Mon Sep 17 00:00:00 2001
From: Andrew Bauer
Date: Mon, 7 Sep 2015 15:50:42 -0500
Subject: [PATCH] redhat rpm packaging modifications

---
 distros/redhat/README.Centos7 | 71 ++++++++++++++-------------
 distros/redhat/README.https | 25 ++++++++++
 distros/redhat/zoneminder.el7.conf.in | 23 ++++-----
 distros/redhat/zoneminder.el7.spec | 28 +++++++----
 4 files changed, 93 insertions(+), 54 deletions(-)
 create mode 100644 distros/redhat/README.https

diff --git a/distros/redhat/README.Centos7 b/distros/redhat/README.Centos7
index 54f355397..89fe9736c 100644
--- a/distros/redhat/README.Centos7
+++ b/distros/redhat/README.Centos7
@@ -1,23 +1,19 @@ - What's New ========== -1. The Apache ScriptAlias has been changed from "/cgi-bin/zm/zms" to - "/cgi-bin-zm/zms". This has been to done to avoid this bug: - https://bugzilla.redhat.com/show_bug.cgi?id=973067 +1. The ZoneMinder mysql account now requires "Create" permission. This change + must be done manually before ZoneMinder will run. See the installation steps + below. - IMPORTANT: ZoneMinder will not update this value during an upgrade. You must - manually update ZM_PATH_ZMS yourself under Options. This does not affect - new installs. +2. A new permission group called "Groups" has been added. This allows the + system administrator to assign "view", "edit", or "none" permission to + normal users, without giving them access to the rest of the ZoneMinder + system. During an upgrade, existing accounts will default to a Groups + permission of "none". -2. During an rpm package upgrade, zmupdate.pl will now auto-update the database - and the zonemidner service will restart automatically. - -3. The ZoneMinder config file, zm.conf, has been moved under /etc/zm. - -4. Systemd. CentOS 7 uses Systemd instead of the legacy Sys V Init. Under the - hood, Systemd does things quite a bit differently. Prepare to go through a - learning curve if you have not done so already. +3. This package now requires the HTTPS protocol to access the web portal. + Requests using HTTP will auto-redirect to HTTPS. See README.https for + more information. New installs ============ @@ -36,7 +32,7 @@ New installs mysql -u root -p < /usr/share/zoneminder/db/zm_create.sql mysql -u root -p - mysql> grant select,insert,update,delete,lock tables,alter, create + mysql> grant select,insert,update,delete,lock tables,alter,create on zm.* to 'zmuser'@localhost identified by 'zmpass'; mysql> exit; mysqladmin -u root -p reload 
@@ -50,21 +46,22 @@ New installs step. 4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local - timezone. For whatever reason, PHP will complain loudly if this is not set, - or if it is set incorrectly, and these complaints will show up in the - zoneminder logging system as errors. + timezone. PHP will complain loudly if this is not set, or if it is set + incorrectly, and these complaints will show up in the zoneminder logging + system as errors. If you are not sure of the proper timezone specification to use, look at http://php.net/date.timezone -5. This package will automatically configure and install an SELinux policy - called local_zoneminder. A copy of this policy is in the documentation - folder. +5. Disable SELinux + + We currently do not have the resources to create and maintain an accurate + SELinux policy for ZoneMinder on CentOS 7. We will gladly accept pull + reqeusts from anyone who wishes to do the work. In the meantime, SELinux + will need to be disabled or put into permissive mode. - Maintaining an accurate SELinux policy file that does not create issues has - been a struggle. If SELinux blocks nortmal ZoneMinder acitivity, or you - feel you just don't need it, SELinux can be disabled for the current running - session with the following command: + To immediately disbale SELinux for the current seesion, issue the following + from the command line: sudo setenforce 0 @@ -99,7 +96,7 @@ Upgrades 2. Verify permissions of the zmuser account. - Overtime, the database account permissions required for normal operation + Over time, the database account permissions required for normal operation have changed. Verify the zmuser database account has been granted select, insert, update, delete, lock tables, alter, and create permission to the ZoneMinder database: 
@@ -108,20 +105,26 @@ Upgrades mysql> show grants for zmuser@localhost; mysql> exit; -3. Verify the database was upgraded automatically. + See step 2 of the Installation section to add missing permissions. - From the web console, ZoneMinder should show a status of "Running", and the - version number should have incremented. +3. Verify the ZoneMinder Apache configuration file in the folder + /etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there + may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file + exists, inspect it and merge anything new in that file with zoneminder.conf. - If it is not running, then try to start it. The web console will indicate - if there is a database version conflict. If this is the case, then you may - need to manually update the database from the command line: +4. Upgrade the database before starting ZoneMinder. + + Most upgrades can be performed by executing the following command: sudo zmupdate.pl - Modern versions of ZoneMinder don't require any parameters added to the + Recent versions of ZoneMinder don't require any parameters added to the zmupdate command. However, if ZoneMinder complains, you may need to call zmupdate in the following manner: sudo zmupdate.pl --user=root --pass= --version= +5. Now start zoneminder: + + sudo systemctl start zoneminder + diff --git a/distros/redhat/README.https b/distros/redhat/README.https new file mode 100644 index 000000000..23affeb96 --- /dev/null +++ b/distros/redhat/README.https 
@@ -0,0 +1,25 @@ +HTTPS is now a requirement +========================== + +This package now depends on Apache's mod_ssl pacakge. This will automatically +be installed along with ZoneMinder. Upon installation, the mod_ssl package +will create a default, self-signed certificate. This is the certificate that +ZoneMinder will use out of the box. + +Since the certificate is self-signed, you will get a warning from your browser +the first time you access the web portal. This is normal. + +This is not intended to be an all encompasing solution for everyone. ZoneMinder +will work just fine over HTTPS the way it is currently configured. However, +here are a couple of considerations you may want to take. + +1. Create your own certificate. The CentOS wiki has a guide that describes how + to do this: https://wiki.centos.org/HowTos/Https . Additionally, Googling + "centos certificate" reveals many articles on the subject. Note that some + third party applications, such as zmNinja, will require you to create a + certificate different than the default certificate on your machine. + +2. You can turn off HTTPS entirely by simply commenting out the SSLRequireSSL + directives found in /etc/httpd/conf.d/zoneminder.conf. You should also + comment out the HTTP -> HTTPS Rewrite rule. + diff --git a/distros/redhat/zoneminder.el7.conf.in b/distros/redhat/zoneminder.el7.conf.in index 28bada18e..564e4ccbd 100644 --- a/distros/redhat/zoneminder.el7.conf.in +++ b/distros/redhat/zoneminder.el7.conf.in 
@@ -1,16 +1,17 @@ -# When using Zoneminder's own authentication, recorded CCTV images are -# accessible from the web directly without passing the authentication. This -# means any attacker could see your CCTV images without a password. In order -# to avoid this you can disable Zoneminder's authentication and configure -# standard Apache authentication (see the Apache documentation for details on -# this). # -# If you still wish to use Zoneminder's own authentication, or have an -# internal site which needs no authentication, you need to delete the line -# marked below and restart Apache. +# ZoneMinder Apache configuration file +# With SSLRequire and HTTPS auto redirect +# Modify this configuration to suit your requirements +# + +# Auto Redirect HTTP requests to HTTPS +RewriteEngine On +RewriteCond %{HTTPS} !=on +RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L] Alias /zm "@ZM_WEBDIR@" + SSLRequireSSL Options -Indexes +MultiViews +FollowSymLinks AllowOverride All @@ -22,12 +23,11 @@ Alias /zm "@ZM_WEBDIR@" Order deny,allow Allow from all - # ZoneMinder no longer uses short tags so this is safe to leave disabled - # php_value short_open_tag 1 ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@" + SSLRequireSSL AllowOverride All Options +ExecCGI +FollowSymLinks @@ -40,3 +40,4 @@ ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@" Allow from all + diff --git a/distros/redhat/zoneminder.el7.spec b/distros/redhat/zoneminder.el7.spec index 1d53cbdd5..9793a8934 100644 --- a/distros/redhat/zoneminder.el7.spec +++ b/distros/redhat/zoneminder.el7.spec 
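Review bot: The new redirect `RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]` in the first hunk issues a temporary 302 (bare `R`) and builds the target host from `%{SERVER_NAME}`, which under Apache's default `UseCanonicalName Off` is taken from the client's Host header, so every plaintext visit repeats the redirect and the redirect host is caller-supplied rather than the configured ServerName. Consider `RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R=301,L]` together with `UseCanonicalName On` and an explicit `ServerName` (or a literal hostname in the substitution), and, now that HTTPS is mandatory, a `Header always set Strict-Transport-Security "max-age=31536000"` in the SSL-only section so browsers stop making the HTTP request at all. The rule only matches paths beginning with `zm`, so an HTTP request to `/cgi-bin-zm/...` appears to be refused by the new `SSLRequireSSL` with a 403 rather than redirected; that is acceptable but deserves a one-line comment next to the rule. The hunk also drops the old warning that ZoneMinder's built-in authentication does not protect the recorded images served from the web directory; unless that has been addressed elsewhere, keeping a shortened form of that caveat in the header comment would help administrators who rely on the built-in auth. The `<Directory>` container lines seem to have been stripped from this view of the hunk, so where exactly the `SSLRequireSSL` directives sit is inferred.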
@@ -32,8 +32,8 @@ BuildRequires: ffmpeg ffmpeg-devel perl(X10::ActiveHome) perl(Astro::SunTime) # cmake needs the following installed at build time due to the way it auto-detects certain parameters BuildRequires: httpd polkit-devel -Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools psmisc -Requires: libjpeg-turbo vlc-core libcurl +Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools mod_ssl +Requires: psmisc libjpeg-turbo vlc-core libcurl Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip) Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP) 
@@ -87,20 +87,27 @@ fi /usr/bin/gpasswd -a %{zmuid_final} video /usr/bin/gpasswd -a %{zmuid_final} dialout +# Disabled. SELinux policy does not work for RHEL 7. # Create and load zoneminder selinux policy module -echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n" -/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null -/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null -/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null +#echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n" +#/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null +#/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null +#/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null # Upgrade from a previous version of zoneminder if [ $1 -eq 2 ] ; then + # Freshen the database + /usr/bin/zmupdate.pl -f + + # We can't run this automatically when new sql account permissions need to + # be manually added first # Run zmupdate non-interactively - /usr/bin/zmupdate.pl --nointeractive + #/usr/bin/zmupdate.pl --nointeractive fi -# Display the README for post installation instructions -/usr/bin/less %{_docdir}/%{name}-%{version}/README.Centos7 +# Warn the end user to read the README file +echo -e "/nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos7 to finish the\ninstallation or upgrade!\n" +echo -e "/nThe README file is located here: %{_docdir}/%{name}-%{version}." %preun if [ $1 -eq 0 ] ; then 
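Review bot: The two new post-install messages start with `/n` instead of `\n` (`echo -e "/nVERY IMPORTANT: ...` and `echo -e "/nThe README file is located here: ...`), so the users this warning is aimed at will see a literal `/n` glued to the text rather than a blank line; change both to `\n`, or use `printf '\nVERY IMPORTANT: ...\n'` which does not depend on `echo -e` handling. The newly added `/usr/bin/zmupdate.pl -f` runs unconditionally as root in the upgrade branch with no status check, and the hunk's own comment says the update cannot succeed until the zmuser account has been granted the new `create` privilege, so a failure there surfaces only as a generic rpm scriptlet warning; consider `/usr/bin/zmupdate.pl -f || echo "zmupdate.pl -f failed; fix the zmuser grants (see README.Centos7) and rerun it" >&2` so the cause is visible. With the SELinux module install now commented out, an upgrade also leaves in place any `local_zoneminder` module that an earlier %post loaded (the removed lines suggest earlier releases did so, though that is not visible here); if that is not intended, a `/usr/sbin/semodule -r local_zoneminder 2>/dev/null || :` in the upgrade branch would remove the stale policy without failing on hosts where SELinux is disabled.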
@@ -184,6 +191,9 @@ fi %changelog +* Mon Sep 7 2015 Andrew Bauer - 1.28.1 +- Require https, disable selinux module, freshen dB on updates. + * Sun Feb 8 2015 Andrew Bauer - 1.28.1 - Initial release for CentOS 7.