redhat rpm packaging modifications

bofhdk · Sep 7, 2015 · dc9a5b1 · dc9a5b1
1 parent 04fcc25
commit dc9a5b1
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 54 deletions.
diff --git a/distros/redhat/README.Centos7 b/distros/redhat/README.Centos7
@@ -1,23 +1,19 @@
-
 What's New
 ==========
 
-1. The Apache ScriptAlias has been changed from "/cgi-bin/zm/zms" to 
-   "/cgi-bin-zm/zms". This has been to done to avoid this bug:
-   https://bugzilla.redhat.com/show_bug.cgi?id=973067
-
-   IMPORTANT: ZoneMinder will not update this value during an upgrade. You must
-   manually update ZM_PATH_ZMS yourself under Options. This does not affect
-   new installs.
+1. The ZoneMinder mysql account now requires "Create" permission. This change
+   must be done manually before ZoneMinder will run. See the installation steps
+   below.
 
-2. During an rpm package upgrade, zmupdate.pl will now auto-update the database
-   and the zonemidner service will restart automatically.
+2. A new permission group called "Groups" has been added. This allows the
+   system administrator to assign "view", "edit", or "none" permission to
+   normal users, without giving them access to the rest of the ZoneMinder
+   system. During an upgrade, existing accounts will default to a Groups
+   permission of "none".
 
-3. The ZoneMinder config file, zm.conf, has been moved under /etc/zm.
-
-4. Systemd. CentOS 7 uses Systemd instead of the legacy Sys V Init. Under the
-   hood, Systemd does things quite a bit differently. Prepare to go through a
-   learning curve if you have not done so already.
+3. This package now requires the HTTPS protocol to access the web portal.
+   Requests using HTTP will auto-redirect to HTTPS. See README.https for
+   more information.
 
 New installs
 ============
@@ -36,7 +32,7 @@ New installs
 
      mysql -u root -p < /usr/share/zoneminder/db/zm_create.sql
      mysql -u root -p
-         mysql> grant select,insert,update,delete,lock tables,alter, create
+         mysql> grant select,insert,update,delete,lock tables,alter,create
                 on zm.* to 'zmuser'@localhost identified by 'zmpass';
          mysql> exit;
      mysqladmin -u root -p reload
@@ -50,21 +46,22 @@ New installs
    step.
 
 4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local
-   timezone.  For whatever reason, PHP will complain loudly if this is not set,
-   or if it is set incorrectly, and these complaints will show up in the
-   zoneminder logging system as errors.
+   timezone.  PHP will complain loudly if this is not set, or if it is set
+   incorrectly, and these complaints will show up in the zoneminder logging
+   system as errors.
 
    If you are not sure of the proper timezone specification to use, look at
    http://php.net/date.timezone
 
-5. This package will automatically configure and install an SELinux policy
-   called local_zoneminder. A copy of this policy is in the documentation
-   folder.
+5. Disable SELinux 
+
+   We currently do not have the resources to create and maintain an accurate
+   SELinux policy for ZoneMinder on CentOS 7. We will gladly accept pull
+   reqeusts from anyone who wishes to do the work. In the meantime, SELinux
+   will need to be disabled or put into permissive mode.
 
-   Maintaining an accurate SELinux policy file that does not create issues has
-   been a struggle. If SELinux blocks nortmal ZoneMinder acitivity, or you
-   feel you just don't need it, SELinux can be disabled for the current running
-   session with the following command:
+   To immediately disbale SELinux for the current seesion, issue the following
+   from the command line:
 
      sudo setenforce 0
 
@@ -99,7 +96,7 @@ Upgrades
 
 2. Verify permissions of the zmuser account.
 
-   Overtime, the database account permissions required for normal operation
+   Over time, the database account permissions required for normal operation
    have changed. Verify the zmuser database account has been granted select,
    insert, update, delete, lock tables, alter, and create permission to the
    ZoneMinder database:
@@ -108,20 +105,26 @@ Upgrades
          mysql> show grants for zmuser@localhost;
          mysql> exit;
 
-3. Verify the database was upgraded automatically.
+   See step 2 of the Installation section to add missing permissions.
 
-   From the web console, ZoneMinder should show a status of "Running", and the
-   version number should have incremented.
+3. Verify the ZoneMinder Apache configuration file in the folder 
+   /etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there
+   may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file
+   exists, inspect it and merge anything new in that file with zoneminder.conf.
 
-   If it is not running, then try to start it. The web console will indicate
-   if there is a database version conflict. If this is the case, then you may
-   need to manually update the database from the command line:
+4. Upgrade the database before starting ZoneMinder.
+
+   Most upgrades can be performed by executing the following command:
 
      sudo zmupdate.pl
 
-   Modern versions of ZoneMinder don't require any parameters added to the 
+   Recent versions of ZoneMinder don't require any parameters added to the 
    zmupdate command. However, if ZoneMinder complains, you may need to call
    zmupdate in the following manner:
 
    sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>
 
+5. Now start zoneminder:
+
+	sudo systemctl start zoneminder
+
diff --git a/distros/redhat/README.https b/distros/redhat/README.https
@@ -0,0 +1,25 @@
+HTTPS is now a requirement
+==========================
+
+This package now depends on Apache's mod_ssl pacakge. This will automatically
+be installed along with ZoneMinder. Upon installation, the mod_ssl package
+will create a default, self-signed certificate. This is the certificate that
+ZoneMinder will use out of the box. 
+
+Since the certificate is self-signed, you will get a warning from your browser
+the first time you access the web portal. This is normal.
+
+This is not intended to be an all encompasing solution for everyone. ZoneMinder
+will work just fine over HTTPS the way it is currently configured. However,
+here are a couple of considerations you may want to take.
+
+1. Create your own certificate. The CentOS wiki has a guide that describes how
+   to do this: https://wiki.centos.org/HowTos/Https . Additionally, Googling 
+   "centos certificate" reveals many articles on the subject. Note that some
+   third party applications, such as zmNinja, will require you to create a
+   certificate different than the default certificate on your machine.
+
+2. You can turn off HTTPS entirely by simply commenting out the SSLRequireSSL
+   directives found in /etc/httpd/conf.d/zoneminder.conf. You should also
+   comment out the HTTP -> HTTPS Rewrite rule.
+
diff --git a/distros/redhat/zoneminder.el7.conf.in b/distros/redhat/zoneminder.el7.conf.in
@@ -1,16 +1,17 @@
-# When using Zoneminder's own authentication, recorded CCTV images are
-# accessible from the web directly without passing the authentication. This
-# means any attacker could see your CCTV images without a password. In order
-# to avoid this you can disable Zoneminder's authentication and configure
-# standard Apache authentication (see the Apache documentation for details on
-# this).
 #
-# If you still wish to use Zoneminder's own authentication, or have an
-# internal site which needs no authentication, you need to delete the line
-# marked below and restart Apache.
+# ZoneMinder Apache configuration file
+# With SSLRequire and HTTPS auto redirect
+# Modify this configuration to suit your requirements
+#
+
+# Auto Redirect HTTP requests to HTTPS
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]
 
 Alias /zm "@ZM_WEBDIR@"
 <Directory "@ZM_WEBDIR@">
+    SSLRequireSSL
     Options -Indexes +MultiViews +FollowSymLinks
     AllowOverride All
     <IfModule mod_authz_core.c>
@@ -22,12 +23,11 @@ Alias /zm "@ZM_WEBDIR@"
         Order deny,allow
         Allow from all
     </IfModule>
-    # ZoneMinder no longer uses short tags so this is safe to leave disabled
-    # php_value short_open_tag 1
 </Directory>
 
 ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
 <Directory "@ZM_CGIDIR@">
+    SSLRequireSSL
     AllowOverride All
     Options +ExecCGI +FollowSymLinks
     <IfModule mod_authz_core.c>
@@ -40,3 +40,4 @@ ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
         Allow from all
     </IfModule>
 </Directory>
+
diff --git a/distros/redhat/zoneminder.el7.spec b/distros/redhat/zoneminder.el7.spec
@@ -32,8 +32,8 @@ BuildRequires: ffmpeg ffmpeg-devel perl(X10::ActiveHome) perl(Astro::SunTime)
 # cmake needs the following installed at build time due to the way it auto-detects certain parameters
 BuildRequires:  httpd polkit-devel
 
-Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools psmisc
-Requires: libjpeg-turbo vlc-core libcurl
+Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools mod_ssl
+Requires: psmisc libjpeg-turbo vlc-core libcurl
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
 Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
@@ -87,20 +87,27 @@ fi
 /usr/bin/gpasswd -a %{zmuid_final} video
 /usr/bin/gpasswd -a %{zmuid_final} dialout
 
+# Disabled. SELinux policy does not work for RHEL 7.
 # Create and load zoneminder selinux policy module
-echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
-/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
-/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
-/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
+#echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
+#/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
+#/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
+#/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
 
 # Upgrade from a previous version of zoneminder 
 if [ $1 -eq 2 ] ; then
+    # Freshen the database
+    /usr/bin/zmupdate.pl -f
+
+    # We can't run this automatically when new sql account permissions need to
+    # be manually added first
     # Run zmupdate non-interactively
-    /usr/bin/zmupdate.pl --nointeractive
+    #/usr/bin/zmupdate.pl --nointeractive
 fi
 
-# Display the README for post installation instructions
-/usr/bin/less %{_docdir}/%{name}-%{version}/README.Centos7
+# Warn the end user to read the README file
+echo -e "/nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos7 to finish the\ninstallation or upgrade!\n"
+echo -e "/nThe README file is located here: %{_docdir}/%{name}-%{version}."
 
 %preun
 if [ $1 -eq 0 ] ; then
@@ -184,6 +191,9 @@ fi
 
 
 %changelog
+* Mon Sep 7 2015 Andrew Bauer <[email protected]> - 1.28.1 
+- Require https, disable selinux module, freshen dB on updates.
+
 * Sun Feb 8 2015 Andrew Bauer <[email protected]> - 1.28.1 
 - Initial release for CentOS 7.