Thanks Stephen. :)
It is also odd that things like /var/run, /var/log, and /var/lib are in add-in packages, not in bos.rte or similar packages. For example, /var/lib is in X11.samples.apps.clients, X11.apps.xdm, and rpm.rte. It seems like this has the potential that uninstalling or installing samples or xdm could modify access controls on important system-wide directories.
------------------------------
Edward Davignon
------------------------------
Original Message:
Sent: Thu June 17, 2021 12:03 PM
From: Stephen Ulmer
Subject: httpd start script changes /var/run permissions
That is a *most excellent* catch!
You are my hero until at least lunch time. :)
Liberty,
--
Stephen L. Ulmer
Enterprise Architect
Mainline Information Systems
(m) 352-870-8649
Original Message:
Sent: 6/16/2021 9:27:00 AM
From: Edward Davignon
Subject: RE: httpd start script changes /var/run permissions
It is probably worth noting that there is a small inconsistency of ownership of /var/run in AIX itself:
$ sudo sh -c 'ls -ld /usr/lpp/*/inst_root/var/run'
drwxr-xr-x 2 bin bin 256 Aug 22 2018 /usr/lpp/X11.apps/inst_root/var/run
drwxr-xr-x 2 root system 256 Oct 21 2019 /usr/lpp/bos.aso/inst_root/var/run
$ oslevel -s
7200-04-03-2038
$ lslpp -l -Or $( lslpp -cw /var/run | awk -F: '$1=="/var/run"{print $2}' | sort -u )
Fileset Level State Description
----------------------------------------------------------------------------
Path: /etc/objrepos
X11.apps.xdm 7.2.3.0 COMMITTED AIXwindows xdm Application
bos.aso 7.2.4.1 COMMITTED Active System Optimizer
$ restore -Tavqf bos.aso.7.2.4.0.I 2>&- | grep /var/run\$
755 root system 0 ./usr/lpp/bos.aso/inst_root/var/run
$ cd "$lpp724"
$ restore -Tavqf bos.aso.7.2.4.0.I 2>&- | grep /var/run\$
755 root system 0 ./usr/lpp/bos.aso/inst_root/var/run
$ restore -Tavqf X11.apps.7.2.4.0.I 2>&- | grep /var/run\$
755 bin bin 0 ./usr/lpp/X11.apps/inst_root/var/run
$ cd "$lpp723"
$ restore -Tavqf X11.apps.7.2.3.0.I 2>&- | grep /var/run\$
755 bin bin 0 ./usr/lpp/X11.apps/inst_root/var/run
$
------------------------------
Edward Davignon
Original Message:
Sent: Tue June 15, 2021 09:15 AM
From: Ayappan P
Subject: httpd start script changes /var/run permissions
Yes, that's right.
It's a problem with the %files section.
%attr(0700,root,system) %dir %{localstatedir}/run
We will fix it and upload a new release.
------------------------------
Ayappan P
Original Message:
Sent: Tue June 15, 2021 08:20 AM
From: Stephen Ulmer
Subject: httpd start script changes /var/run permissions
This could also be a bad (naive) specification in the %files section of the RPM spec, as opposed to anything that happens in a %pre or %post script.
--
Stephen L. Ulmer
Enterprise Architect
Mainline Information Systems
(m) 352-870-8649
Original Message:
Sent: 6/15/2021 5:39:00 AM
From: Pavlo Greenberg
Subject: RE: httpd start script changes /var/run permissions
@SANKET RATHI, you're right, I made a mistake in my investigation. I did some more checking: removed all my corrections from the script and then ran start/stop/restart httpd - nothing got changed; then I rebooted the host - nothing got changed either; then I forcibly reinstalled the httpd package (yum reinstall httpd) - and finally got the /var/run permissions changed. So it's not 'mkdir -p' that is really the culprit, but some %pre- or %post- installation script in the rpm package.
Sorry for confusing all of you guys.
------------------------------
Pavlo Greenberg
Original Message:
Sent: Tue June 15, 2021 03:44 AM
From: SANKET RATHI
Subject: httpd start script changes /var/run permissions
Hi Pavlo,
mkdir -p should not change the permission of a directory if it is already there. Am I missing something?
Can you please let me know the exact sequence and how the permission got changed?
------------------------------
SANKET RATHI
Original Message:
Sent: Tue June 08, 2021 08:46 AM
From: Pavlo Greenberg
Subject: httpd start script changes /var/run permissions
Hi,
Every time I start/restart httpd (installed from IBM repo, httpd-2.4.46-1.ppc) the /var/run directory permissions get changed, which makes it impossible for processes that write PID files to subdirectories with non-root permissions to start. I did a small investigation and found that it is caused by this line in the /etc/rc.d/init.d/httpd script:
$MKDIR -p /var/run
I changed the script this way:
if [ ! -d "/var/run" ]
then
$MKDIR -p /var/run
fi
Now the script does not rewrite the directory permissions. Is it possible to change the script in the RPM package like that, or maybe some other way, so that it checks the /var/run directory permissions/existence and does not change them unnecessarily?
------------------------------
Sincerely yours,
Pavlo Greenberg
------------------------------
#AIXOpenSource