Page 1 of 1
chown: `apache:apache': invalid user
Posted: Wed Feb 02, 2005 11:04 pm
by kamanna
I have successfully completed a ?make? of ZoneMinder 1.19.5. I now am attempting to install as shown:
linux:/usr/local/zm-1.19.5 # make install
In two places in the install, the following error is displayed:
chown: `apache:apache': invalid user
According to YaST - I have Apache2 already installed and enabled ? I don't know if that means I need to change the call to chown to 'apache2:apache' or something like that. I am running SuSE Pro 9.2. PLEASE HELP!
Posted: Wed Feb 02, 2005 11:46 pm
by zoneminder
You need to check which user your apache daemon is running as. The simplest way is probably with ps but I expect there are more elegant ways to find out. I don't know enough about SUSE to be more specific. You will probably need to rerun configure and all the steps thereafter if it's not apache:apache as you have used already.
Phil
Posted: Thu Feb 03, 2005 5:07 pm
by lazyleopard
Is there any reason for anything other than the events directory tree to be owned by the id being used to run zoneminder, and can zoneminder run under an id that is not the same as the webserver's, or does that break stuff? (My suspiscion is that the need to access shared memory is what constrains this?)
Posted: Thu Feb 03, 2005 6:22 pm
by zoneminder
Possibly not. It's just very fiddly trying to figure what can and can't be owned and/or accessed by what. I'm quite prepared to accept that this area might be open to rationalisation. The problem as I see it is that as ZM installs system binaries that (probably) need to be owned by root (to access and chmod devices etc) and the web stuff is best not owned by root so who should own it? I plumped for the web user but it could probably be any other non-privileged user I guess.
Phil,
Posted: Fri Feb 04, 2005 2:04 am
by kamanna
I'm not sure I completely understand the previous two posts, but as I understand it, the Apache daemon must own the source files, and thus the chown commands that are failing are attempting to give the Apache Daemon the privileges for this.
However I still am unskilled enough to be able to determine which user my Apache Daemon is running as. I have found the existence of the script that launches the Apache2 Daemon in the /etc/init.d/ folder, but I am having trouble finding this info. ?ps -A? produces a long list, but Apache or Apache2 is not listed. I apologize for being a pain, but I am a little lost here.
Thank you.
Posted: Fri Feb 04, 2005 3:55 am
by cordel
Try this
ps -Af |grep httpd
If you have the service running you should be able to see whom owns the process for apache.
Cheers,
Cordel
Posted: Fri Feb 04, 2005 7:12 am
by kamanna
Running the command you supplied produced the following:
root 21561 1 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
Based on that, would the Configure command arguments be:
--with-webuser=root --with-webgroup=apache
or:
--with-webuser=root --with-webgroup=root
Posted: Fri Feb 04, 2005 9:18 pm
by cordel
You should see more than that.
Start the web server then run the query.
Posted: Fri Feb 04, 2005 10:47 pm
by kamanna
I'm sorry, what I showed you was the parent process, I assumed that was what was needed. Shown below is the complete output from the command:
linux:~ # cd /usr/local/zm-1.19.5
linux:/usr/local/zm-1.19.5 # ps -Af |grep httpd
root 21561 1 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 21563 21561 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 21564 21561 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 21565 21561 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 21566 21561 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 21567 21561 0 Feb02 ? 00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
root 27070 27063 0 10:51 pts/1 00:00:00 grep httpd
Thank you again for your help!
Posted: Sat Feb 05, 2005 12:47 am
by cordel
So your user for the process is wwwrun.
The group is probably the same.
use this in your configure script.
Cheers,
Cordel
Posted: Tue Feb 08, 2005 12:04 pm
by lazyleopard
I figured I wanted things this way:
- The start-up/shutdown script runs as root, and deals with the business of setting the correct process ownership for the running processes.
- The webserver and zoneminder daemons should not run as root.
- The ID that is used for the webserver and daemons needs to be able to write to the events directory tree and to update the database.
- The ID that is used to run the webserver should not be able to modify any of the executables.
I addressed it like this:
- All the executables and PHP code are owned by root:root.
- All files in the zoneminder DocumentRoot directory have permissions 644.
- All executables in cgi-bin and bin have permissions 755. None of them apart from zmfix (which is only needed once anyway, and can then be disabled) seems to be suid (which is good). Ideally anything containing passwords wouldn't be world-readable. I've not yet experimented with 711 permission on the executable stuff, though.
- The events, images, sounds and temp sub-directories are owned by the webserver/zoneminder ID.
Posted: Tue Feb 08, 2005 4:19 pm
by rmo
On SuSE 9.2 compile zoneminder
--with-webuser=wwwrun --with-webgroup=www
rmo