From ebb6e7158ac497813e1f09de2d45adcbfb2b5522 Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Tue, 8 Sep 2015 18:16:19 -0500 Subject: [PATCH] rpm packaging changes for centos 6 --- distros/redhat/README.CentOS | 101 +++++++++++++++++++------- distros/redhat/zoneminder.el6.conf.in | 22 +++--- distros/redhat/zoneminder.el6.spec | 23 +++++- 3 files changed, 103 insertions(+), 43 deletions(-) diff --git a/distros/redhat/README.CentOS b/distros/redhat/README.CentOS index 640d11ad1..05e2cb0ab 100644 --- a/distros/redhat/README.CentOS +++ b/distros/redhat/README.CentOS @@ -1,6 +1,22 @@ -================================================================================ - NEW INSTALLS -================================================================================ +What's New +========== + +1. The ZoneMinder mysql account now requires "Create" permission. This change + must be done manually before ZoneMinder will run. See the installation steps + below. + +2. A new permission group called "Groups" has been added. This allows the + system administrator to assign "view", "edit", or "none" permission to + normal users, without giving them access to the rest of the ZoneMinder + system. During an upgrade, existing accounts will default to a Groups + permission of "none". + +3. This package now requires the HTTPS protocol to access the web portal. + Requests using HTTP will auto-redirect to HTTPS. See README.https for + more information. + +New installs +============ 1. Unless you are already using MySQL server, you need to ensure that the server is confired to start during boot and properly secured @@ -11,7 +27,8 @@ sudo chkconfig mysqld on 2. Using the password for the root account set during the previous step, you - will need to create the ZoneMinder database: + will need to create the ZoneMinder database and configure a database + account for ZoneMinder to use: mysql -uroot -p mysql> create database zm; 
@@ -21,20 +38,26 @@ mysql -uroot -p < /usr/share/zoneminder/db/zm_create.sql mysqladmin -uroot -p reload + The database account credentials, zmuser/zmpass, are arbitrary. Set them to + anything that suits your envinroment. + 3. If you have chosen to change the zoneminder mysql credentials to something other than zmuser/zmpass then you must now edit /etc/zm.conf. Change ZM_DB_USER and ZM_DB_PASS to the values you created in step 2. -4. IMPORTANT: Edit /etc/php.ini and put in the appropriate timezone for - date.timezone! +4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local + timezone. PHP will complain loudly if this is not set, or if it is set + incorrectly, and these complaints will show up in the zoneminder logging + system as errors -5. The ZoneMinder web interface is disabled by default, you will need - to edit this file to enable it: + If you are not sure of the proper timezone specification to use, look at + http://php.net/date.timezone + +5. Verify the default ZoneMinder Apache configuration meets your needs: /etc/httpd/conf.d/zoneminder.conf - HINT: Most users will want to simply delete the line that says - "Deny from all". + When in doubt, leave this configuration as it is. 6. Configure the web server to start automatically: @@ -45,8 +68,8 @@ called local_zoneminder. A copy of this policy is in the documentation folder. - Unfortunately, this has not resolved all the SELinux issues so - most will want to disable SELinux permanently by editing the following: + It is still possible to run into SELinux issues, however. If this is case, + you can disable SELinux permanently by editing the following: /etc/selinux/conf 
@@ -66,27 +89,49 @@ UPGRADES ================================================================================ -1. Add additional permissions to the zmuser account: +1. Verify /etc/zm.conf. + + If zm.conf was manually edited before running the upgrade, the installation + may not overwrite it. In this case, it will create the file + /etc/zm.conf.rpmnew. + + For example, this will happen if you are using database account credentials + other than zmuser/zmpass. + + Compare /etc/zm.conf to /etc/zm.conf.rpmnew. Verify that zm.conf + contains any new config settings that may be in zm.conf.rpmnew. + +2. Verify permissions of the zmuser account. + + Over time, the database account permissions required for normal operation + have changed. Verify the zmuser database account has been granted select, + insert, update, delete, lock tables, alter, and create permission to the + ZoneMinder database: mysql -u root -p - grant lock tables,alter,create on zm.* to - 'zmuser'@localhost identified by 'zmpass'; + mysql> show grants for zmuser@localhost; + mysql> exit; - Since this is an upgrade, the assumption is that the zmuser account exists - and already has select, insert, update, and delete permission. + See step 2 of the Installation section to add missing permissions. + +3. Verify the ZoneMinder Apache configuration file in the folder + /etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there + may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file + exists, inspect it and merge anything new in that file with zoneminder.conf. + +4. Upgrade the database before starting ZoneMinder. + + Most upgrades can be performed by executing the following command: -2. If you have previsouly changed the zoneminder mysql credentials to something - other than zmuser/zmpass then you must now edit /etc/zm.conf. Change - ZM_DB_USER and ZM_DB_PASS to their appropriate values. - -3. You will need to upgrade the ZoneMinder database as described in the manual. 
- Only if step 1 was succesfully applied, may you run zmupdate like so: - - sudo zmupdate.pl --version= - - - If unsure then run it this way: + sudo zmupdate.pl + + Recent versions of ZoneMinder don't require any parameters added to the + zmupdate command. However, if ZoneMinder complains, you may need to call + zmupdate in the following manner: sudo zmupdate.pl --user=root --pass= --version= +5. Now start zoneminder: + + sudo service zoneminder start diff --git a/distros/redhat/zoneminder.el6.conf.in b/distros/redhat/zoneminder.el6.conf.in index 61e0530f8..e0808e08b 100644 --- a/distros/redhat/zoneminder.el6.conf.in +++ b/distros/redhat/zoneminder.el6.conf.in @@ -1,26 +1,26 @@ -# When using Zoneminder's own authentication, recorded CCTV images are -# accessible from the web directly without passing the authentication. This -# means any attacker could see your CCTV images without a password. In order -# to avoid this you can disable Zoneminder's authentication and configure -# standard Apache authentication (see the Apache documentation for details on -# this). # -# If you still wish to use Zoneminder's own authentication, or have an -# internal site which needs no authentication, you need to delete the line -# marked below and restart Apache. +# ZoneMinder Apache configuration file +# With SSLRequire and HTTPS auto redirect +# Modify this configuration to suit your requirements +# + +# Auto Redirect HTTP requests to HTTPS +RewriteEngine On +RewriteCond %{HTTPS} !=on +RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L] Alias /zm "@ZM_WEBDIR@" + SSLRequireSSL Options -Indexes MultiViews FollowSymLinks AllowOverride All Order allow,deny Allow from all - # ZoneMinder no longer uses short tags so this is safe to leave disabled - # php_value short_open_tag 1 ScriptAlias /cgi-bin/zm "@ZM_WEBDIR@" + SSLRequireSSL AllowOverride All Options ExecCGI FollowSymLinks Order allow,deny 
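Review bot: The warning that recorded images can be fetched without passing ZoneMinder's own authentication is gone from the header of zoneminder.el6.conf.in, yet both directory blocks still end in `Allow from all`. Judging by the README hunk in this patch, the interface is also no longer disabled by default. `SSLRequireSSL` and the redirect only enforce transport encryption, so the header should still say that access control is a separate step, for example `# NOTE: HTTPS encrypts traffic but does not authenticate clients; add Apache authentication or replace "Allow from all" with your trusted network before exposing this host.` Separately, the pattern `^/?(zm)(.*)` matches any path that merely begins with `zm` and does not match `/cgi-bin/zm`, so plain-HTTP requests to the CGI path are refused by `SSLRequireSSL` rather than redirected; `RewriteRule ^/?zm(/.*)?$ https://%{SERVER_NAME}/zm$1 [R=301,L]` would be tighter for the web path. The second directory block continues past the end of the hunk.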
diff --git a/distros/redhat/zoneminder.el6.spec b/distros/redhat/zoneminder.el6.spec index 1d6d5ead1..d9487e480 100644 --- a/distros/redhat/zoneminder.el6.spec +++ b/distros/redhat/zoneminder.el6.spec @@ -30,8 +30,8 @@ BuildRequires: libcurl-devel vlc-devel ffmpeg-devel polkit-devel # cmake needs the following installed at build time due to the way it auto-detects certain parameters BuildRequires: httpd ffmpeg -Requires: httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools psmisc -Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools mod_ssl +Requires: psmisc perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip) Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP) Requires: libcurl vlc-core ffmpeg @@ -96,8 +96,20 @@ echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wa /usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null /usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null -# Display the README for post installation instructions -/usr/bin/less %{_docdir}/%{name}-%{version}/README.CentOS +# Upgrade from a previous version of zoneminder +if [ $1 -eq 2 ] ; then + # Freshen the database + /usr/bin/zmupdate.pl -f + + # We can't run this automatically when new sql account permissions need to + # be manually added first + # Run zmupdate non-interactively + #/usr/bin/zmupdate.pl --nointeractive +fi + +# Warn the end user to read the README file +echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos to finish the\ninstallation or upgrade!\n" +echo -e "\nThe README file is located here: %{_docdir}/%{name}-%{version}.\n" %preun if [ $1 -eq 0 ]; then 
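Review bot: In the %post scriptlet the upgrade test `if [ $1 -eq 2 ]` misses any transaction where the installed-instance count passed as `$1` is above 2, so the database freshen would be skipped; the usual form is `if [ "$1" -ge 2 ]; then`. The exit status of `/usr/bin/zmupdate.pl -f` is also discarded because the echo lines follow it, so a failed freshen (for example when mysqld is not running) leaves no trace; `/usr/bin/zmupdate.pl -f || echo "WARNING: zmupdate.pl -f failed, run it manually once database access is fixed" >&2` would surface it. The message names `README.Centos` while the file in this patch is `README.CentOS`, which matters on a case-sensitive filesystem. The scriptlet begins before the hunk and the %preun body continues after it.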
@@ -170,6 +182,9 @@ rm -rf %{_docdir}/%{name}-%{version} %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/spool/zoneminder-upload %changelog +* Tue Sep 8 2015 Andrew Bauer - 1.28.1 +- Require https, freshen dB on updates. + * Wed Feb 18 2015 Andrew Bauer - 1.28.1 - Include ONVIF support files