rpm packaging changes for centos 6

2015-09-08 18:16:19 -05:00 · 2015-09-08 18:16:19 -05:00 · ebb6e7158a
parent 427c71f5e8
commit ebb6e7158a
3 changed files with 103 additions and 43 deletions
--- a/distros/redhat/README.CentOS
+++ b/distros/redhat/README.CentOS
@ -1,6 +1,22 @@
-================================================================================
-				NEW INSTALLS
-================================================================================
+What's New
+==========
+
+1. The ZoneMinder mysql account now requires "Create" permission. This change
+   must be done manually before ZoneMinder will run. See the installation steps
+   below.
+
+2. A new permission group called "Groups" has been added. This allows the
+   system administrator to assign "view", "edit", or "none" permission to
+   normal users, without giving them access to the rest of the ZoneMinder
+   system. During an upgrade, existing accounts will default to a Groups
+   permission of "none".
+
+3. This package now requires the HTTPS protocol to access the web portal.
+   Requests using HTTP will auto-redirect to HTTPS. See README.https for
+   more information.
+
+New installs
+============

 1. Unless you are already using MySQL server, you need to ensure that
   the server is confired to start during boot and properly secured
@ -11,7 +27,8 @@
     sudo chkconfig mysqld on

 2. Using the password for the root account set during the previous step, you
-   will need to create the ZoneMinder database:
+   will need to create the ZoneMinder database and configure a database
+   account for ZoneMinder to use:

     mysql -uroot -p
 	mysql> create database zm;
@ -21,20 +38,26 @@
     mysql -uroot -p < /usr/share/zoneminder/db/zm_create.sql
     mysqladmin -uroot -p reload

+   The database account credentials, zmuser/zmpass, are arbitrary. Set them to
+   anything that suits your envinroment.
+
 3. If you have chosen to change the zoneminder mysql credentials to something
   other than zmuser/zmpass then you must now edit /etc/zm.conf. Change
   ZM_DB_USER and ZM_DB_PASS to the values you created in step 2.

-4. IMPORTANT: Edit /etc/php.ini and put in the appropriate timezone for
-   date.timezone!
+4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local
+   timezone.  PHP will complain loudly if this is not set, or if it is set
+   incorrectly, and these complaints will show up in the zoneminder logging
+   system as errors

-5. The ZoneMinder web interface is disabled by default, you will need
-   to edit this file to enable it:
+   If you are not sure of the proper timezone specification to use, look at
+   http://php.net/date.timezone
+
+5. Verify the default ZoneMinder Apache configuration meets your needs:

     /etc/httpd/conf.d/zoneminder.conf

-   HINT: Most users will want to simply delete the line that says
-   "Deny from all".
+   When in doubt, leave this configuration as it is.

 6. Configure the web server to start automatically:

@ -45,8 +68,8 @@
   called local_zoneminder. A copy of this policy is in the documentation
   folder.
   
-   Unfortunately, this has not resolved all the SELinux issues so
-   most will want to disable SELinux permanently by editing the following:
+   It is still possible to run into SELinux issues, however. If this is case,
+   you can disable SELinux permanently by editing the following:
   
   /etc/selinux/conf
   
@ -66,27 +89,49 @@
 				UPGRADES
 ================================================================================

-1. Add additional permissions to the zmuser account:
+1. Verify /etc/zm.conf.
+
+   If zm.conf was manually edited before running the upgrade, the installation
+   may not overwrite it. In this case, it will create the file
+   /etc/zm.conf.rpmnew.
+
+   For example, this will happen if you are using database account credentials
+   other than zmuser/zmpass.
+
+   Compare /etc/zm.conf to /etc/zm.conf.rpmnew. Verify that zm.conf
+   contains any new config settings that may be in zm.conf.rpmnew.
+
+2. Verify permissions of the zmuser account.
+
+   Over time, the database account permissions required for normal operation
+   have changed. Verify the zmuser database account has been granted select,
+   insert, update, delete, lock tables, alter, and create permission to the
+   ZoneMinder database:

     mysql -u root -p
-     grant lock tables,alter,create on zm.* to
-     'zmuser'@localhost identified by 'zmpass';
+         mysql> show grants for zmuser@localhost;
+         mysql> exit;

-   Since this is an upgrade, the assumption is that the zmuser account exists
-   and already has select, insert, update, and delete permission.
+   See step 2 of the Installation section to add missing permissions.

-2. If you have previsouly changed the zoneminder mysql credentials to something
-   other than zmuser/zmpass then you must now edit /etc/zm.conf. Change
-   ZM_DB_USER and ZM_DB_PASS to their appropriate values.
+3. Verify the ZoneMinder Apache configuration file in the folder 
+   /etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there
+   may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file
+   exists, inspect it and merge anything new in that file with zoneminder.conf.

-3. You will need to upgrade the ZoneMinder database as described in the manual.
-   Only if step 1 was succesfully applied, may you run zmupdate like so:
+4. Upgrade the database before starting ZoneMinder.

-    sudo zmupdate.pl --version=<from version>
+   Most upgrades can be performed by executing the following command:
   
+     sudo zmupdate.pl

-   If unsure then run it this way:
+   Recent versions of ZoneMinder don't require any parameters added to the 
+   zmupdate command. However, if ZoneMinder complains, you may need to call
+   zmupdate in the following manner:

   sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>

+5. Now start zoneminder:
+
+	sudo service zoneminder start

--- a/distros/redhat/zoneminder.el6.conf.in
+++ b/distros/redhat/zoneminder.el6.conf.in
@ -1,26 +1,26 @@
-# When using Zoneminder's own authentication, recorded CCTV images are
-# accessible from the web directly without passing the authentication. This
-# means any attacker could see your CCTV images without a password. In order
-# to avoid this you can disable Zoneminder's authentication and configure
-# standard Apache authentication (see the Apache documentation for details on
-# this).
 #
-# If you still wish to use Zoneminder's own authentication, or have an
-# internal site which needs no authentication, you need to delete the line
-# marked below and restart Apache.
+# ZoneMinder Apache configuration file
+# With SSLRequire and HTTPS auto redirect
+# Modify this configuration to suit your requirements
+#
+
+# Auto Redirect HTTP requests to HTTPS
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]

 Alias /zm "@ZM_WEBDIR@"
 <Directory "@ZM_WEBDIR@">
+    SSLRequireSSL
    Options -Indexes MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
-    # ZoneMinder no longer uses short tags so this is safe to leave disabled
-    # php_value short_open_tag 1
 </Directory>

 ScriptAlias /cgi-bin/zm "@ZM_WEBDIR@"
 <Directory "@ZM_WEBDIR@">
+    SSLRequireSSL
    AllowOverride All
    Options ExecCGI FollowSymLinks
    Order allow,deny
--- a/distros/redhat/zoneminder.el6.spec
+++ b/distros/redhat/zoneminder.el6.spec
@ -30,8 +30,8 @@ BuildRequires:  libcurl-devel vlc-devel ffmpeg-devel polkit-devel
 # cmake needs the following installed at build time due to the way it auto-detects certain parameters
 BuildRequires:  httpd ffmpeg

-Requires:   httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools psmisc
-Requires:   perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Requires:   httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools mod_ssl
+Requires:   psmisc perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Requires:   perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
 Requires:   perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
 Requires:   libcurl vlc-core ffmpeg
@ -96,8 +96,20 @@ echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wa
 /usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null 
 /usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null

-# Display the README for post installation instructions
-/usr/bin/less %{_docdir}/%{name}-%{version}/README.CentOS
+# Upgrade from a previous version of zoneminder 
+if [ $1 -eq 2 ] ; then
+    # Freshen the database
+    /usr/bin/zmupdate.pl -f
+
+    # We can't run this automatically when new sql account permissions need to
+    # be manually added first
+    # Run zmupdate non-interactively
+    #/usr/bin/zmupdate.pl --nointeractive
+fi
+
+# Warn the end user to read the README file
+echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos to finish the\ninstallation or upgrade!\n"
+echo -e "\nThe README file is located here: %{_docdir}/%{name}-%{version}.\n"

 %preun
 if [ $1 -eq 0 ]; then
@ -170,6 +182,9 @@ rm -rf %{_docdir}/%{name}-%{version}
 %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/spool/zoneminder-upload

 %changelog
+* Tue Sep 8 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1 
+- Require https, freshen dB on updates.
+
 * Wed Feb 18 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1 
 - Include ONVIF support files