Merge branch 'master' of github.com:ZoneMinder/ZoneMinder

This commit is contained in:
Isaac Connor 2015-09-10 13:20:06 -04:00
commit 204f2b1e22
10 changed files with 313 additions and 97 deletions

View File

@ -1,6 +1,22 @@
================================================================================
NEW INSTALLS
================================================================================
What's New
==========
1. The ZoneMinder mysql account now requires "Create" permission. This change
must be done manually before ZoneMinder will run. See the installation steps
below.
2. A new permission group called "Groups" has been added. This allows the
system administrator to assign "view", "edit", or "none" permission to
normal users, without giving them access to the rest of the ZoneMinder
system. During an upgrade, existing accounts will default to a Groups
permission of "none".
3. This package now requires the HTTPS protocol to access the web portal.
Requests using HTTP will auto-redirect to HTTPS. See README.https for
more information.
New installs
============
1. Unless you are already using MySQL server, you need to ensure that
the server is confired to start during boot and properly secured
@ -11,7 +27,8 @@
sudo chkconfig mysqld on
2. Using the password for the root account set during the previous step, you
will need to create the ZoneMinder database:
will need to create the ZoneMinder database and configure a database
account for ZoneMinder to use:
mysql -uroot -p
mysql> create database zm;
@ -21,20 +38,26 @@
mysql -uroot -p < /usr/share/zoneminder/db/zm_create.sql
mysqladmin -uroot -p reload
The database account credentials, zmuser/zmpass, are arbitrary. Set them to
anything that suits your envinroment.
3. If you have chosen to change the zoneminder mysql credentials to something
other than zmuser/zmpass then you must now edit /etc/zm.conf. Change
ZM_DB_USER and ZM_DB_PASS to the values you created in step 2.
4. IMPORTANT: Edit /etc/php.ini and put in the appropriate timezone for
date.timezone!
4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local
timezone. PHP will complain loudly if this is not set, or if it is set
incorrectly, and these complaints will show up in the zoneminder logging
system as errors
5. The ZoneMinder web interface is disabled by default, you will need
to edit this file to enable it:
If you are not sure of the proper timezone specification to use, look at
http://php.net/date.timezone
5. Verify the default ZoneMinder Apache configuration meets your needs:
/etc/httpd/conf.d/zoneminder.conf
HINT: Most users will want to simply delete the line that says
"Deny from all".
When in doubt, leave this configuration as it is.
6. Configure the web server to start automatically:
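Review bot: Step 5 now tells the reader to leave /etc/httpd/conf.d/zoneminder.conf as it is, but no longer says what that default permits; the earlier wording made clear the web interface stayed disabled until "Deny from all" was deleted. State in step 5 what the shipped configuration allows (which hosts, HTTPS only) so an administrator can decide whether to restrict it. In step 2, "envinroment" should be "environment", and since zmuser/zmpass are described as arbitrary, say outright that the password should be changed from zmpass.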
@ -45,8 +68,8 @@
called local_zoneminder. A copy of this policy is in the documentation
folder.
Unfortunately, this has not resolved all the SELinux issues so
most will want to disable SELinux permanently by editing the following:
It is still possible to run into SELinux issues, however. If this is case,
you can disable SELinux permanently by editing the following:
/etc/selinux/conf
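Review bot: The reworded paragraph still offers only permanently disabling SELinux as the remedy when the local_zoneminder policy falls short. Mention permissive mode as the less drastic option and ask users to report the denials so the policy can be corrected. "If this is case" should read "If this is the case", and the file to edit is /etc/selinux/config, not /etc/selinux/conf.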
@ -66,27 +89,49 @@
UPGRADES
================================================================================
1. Add additional permissions to the zmuser account:
1. Verify /etc/zm.conf.
If zm.conf was manually edited before running the upgrade, the installation
may not overwrite it. In this case, it will create the file
/etc/zm.conf.rpmnew.
For example, this will happen if you are using database account credentials
other than zmuser/zmpass.
Compare /etc/zm.conf to /etc/zm.conf.rpmnew. Verify that zm.conf
contains any new config settings that may be in zm.conf.rpmnew.
2. Verify permissions of the zmuser account.
Over time, the database account permissions required for normal operation
have changed. Verify the zmuser database account has been granted select,
insert, update, delete, lock tables, alter, and create permission to the
ZoneMinder database:
mysql -u root -p
grant lock tables,alter,create on zm.* to
'zmuser'@localhost identified by 'zmpass';
mysql> show grants for zmuser@localhost;
mysql> exit;
Since this is an upgrade, the assumption is that the zmuser account exists
and already has select, insert, update, and delete permission.
See step 2 of the Installation section to add missing permissions.
2. If you have previsouly changed the zoneminder mysql credentials to something
other than zmuser/zmpass then you must now edit /etc/zm.conf. Change
ZM_DB_USER and ZM_DB_PASS to their appropriate values.
3. Verify the ZoneMinder Apache configuration file in the folder
/etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there
may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file
exists, inspect it and merge anything new in that file with zoneminder.conf.
3. You will need to upgrade the ZoneMinder database as described in the manual.
Only if step 1 was succesfully applied, may you run zmupdate like so:
4. Upgrade the database before starting ZoneMinder.
sudo zmupdate.pl --version=<from version>
Most upgrades can be performed by executing the following command:
sudo zmupdate.pl
If unsure then run it this way:
Recent versions of ZoneMinder don't require any parameters added to the
zmupdate command. However, if ZoneMinder complains, you may need to call
zmupdate in the following manner:
sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>
5. Now start zoneminder:
sudo service zoneminder start
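Review bot: The fallback command in step 4, zmupdate.pl --user=root --pass=<mysql_root_pwd>, puts the MySQL root password on the command line, where it ends up in shell history and is visible in the process list while the script runs. Add a sentence telling the reader to remove the history entry afterwards, or document a way of supplying the password that is not an argument if zmupdate.pl has one. Step 2 also refers to "step 2 of the Installation section", but the section is headed "New installs".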

View File

@ -1,23 +1,21 @@
What's New
==========
1. The Apache ScriptAlias has been changed from "/cgi-bin/zm/zms" to
"/cgi-bin-zm/zms". This has been to done to avoid this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=973067
1. The ZoneMinder mysql account now requires "Create" permission. This change
must be done manually before ZoneMinder will run. See the installation steps
below.
IMPORTANT: ZoneMinder will not update this value during an upgrade. You must
manually update ZM_PATH_ZMS yourself under Options. This does not affect
new installs.
2. A new permission group called "Groups" has been added. This allows the
system administrator to assign "view", "edit", or "none" permission to
normal users, without giving them access to the rest of the ZoneMinder
system. During an upgrade, existing accounts will default to a Groups
permission of "none".
2. During an rpm package upgrade, zmupdate.pl will now auto-update the database
and the zonemidner service will restart automatically.
3. This package now requires the HTTPS protocol to access the web portal.
Requests using HTTP will auto-redirect to HTTPS. See README.https for
more information.
3. The ZoneMinder config file, zm.conf, has been moved under /etc/zm.
4. Systemd. CentOS 7 uses Systemd instead of the legacy Sys V Init. Under the
hood, Systemd does things quite a bit differently. Prepare to go through a
learning curve if you have not done so already.
4. This package ships with the new ZoneMinder API enabled.
New installs
============
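Review bot: Item 4 of What's New announces that the package ships with the ZoneMinder API enabled but gives no pointer to how the API is authenticated or how to turn it off. Since this is a network-facing feature that is on by default, add a sentence or a reference covering both.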
@ -36,7 +34,7 @@ New installs
mysql -u root -p < /usr/share/zoneminder/db/zm_create.sql
mysql -u root -p
mysql> grant select,insert,update,delete,lock tables,alter, create
mysql> grant select,insert,update,delete,lock tables,alter,create
on zm.* to 'zmuser'@localhost identified by 'zmpass';
mysql> exit;
mysqladmin -u root -p reload
@ -50,21 +48,22 @@ New installs
step.
4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local
timezone. For whatever reason, PHP will complain loudly if this is not set,
or if it is set incorrectly, and these complaints will show up in the
zoneminder logging system as errors.
timezone. PHP will complain loudly if this is not set, or if it is set
incorrectly, and these complaints will show up in the zoneminder logging
system as errors.
If you are not sure of the proper timezone specification to use, look at
http://php.net/date.timezone
5. This package will automatically configure and install an SELinux policy
called local_zoneminder. A copy of this policy is in the documentation
folder.
5. Disable SELinux
Maintaining an accurate SELinux policy file that does not create issues has
been a struggle. If SELinux blocks nortmal ZoneMinder acitivity, or you
feel you just don't need it, SELinux can be disabled for the current running
session with the following command:
We currently do not have the resources to create and maintain an accurate
SELinux policy for ZoneMinder on CentOS 7. We will gladly accept pull
reqeusts from anyone who wishes to do the work. In the meantime, SELinux
will need to be disabled or put into permissive mode.
To immediately disbale SELinux for the current seesion, issue the following
from the command line:
sudo setenforce 0
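Review bot: The new step 5 text says setenforce 0 will "disbale SELinux for the current seesion", but setenforce 0 switches SELinux to permissive mode; it does not disable it. Reword to "put SELinux into permissive mode for the current session", which also agrees with the sentence before it, and fix "reqeusts", "disbale" and "seesion". Consider retitling the step from "Disable SELinux", since permissive mode keeps denials logged for anyone who takes up the policy work.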
@ -99,7 +98,7 @@ Upgrades
2. Verify permissions of the zmuser account.
Overtime, the database account permissions required for normal operation
Over time, the database account permissions required for normal operation
have changed. Verify the zmuser database account has been granted select,
insert, update, delete, lock tables, alter, and create permission to the
ZoneMinder database:
@ -108,20 +107,26 @@ Upgrades
mysql> show grants for zmuser@localhost;
mysql> exit;
3. Verify the database was upgraded automatically.
See step 2 of the Installation section to add missing permissions.
From the web console, ZoneMinder should show a status of "Running", and the
version number should have incremented.
3. Verify the ZoneMinder Apache configuration file in the folder
/etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there
may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file
exists, inspect it and merge anything new in that file with zoneminder.conf.
If it is not running, then try to start it. The web console will indicate
if there is a database version conflict. If this is the case, then you may
need to manually update the database from the command line:
4. Upgrade the database before starting ZoneMinder.
Most upgrades can be performed by executing the following command:
sudo zmupdate.pl
Modern versions of ZoneMinder don't require any parameters added to the
Recent versions of ZoneMinder don't require any parameters added to the
zmupdate command. However, if ZoneMinder complains, you may need to call
zmupdate in the following manner:
sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>
5. Now start zoneminder:
sudo systemctl start zoneminder

View File

@ -0,0 +1,25 @@
HTTPS is now a requirement
==========================
This package now depends on Apache's mod_ssl pacakge. This will automatically
be installed along with ZoneMinder. Upon installation, the mod_ssl package
will create a default, self-signed certificate. This is the certificate that
ZoneMinder will use out of the box.
Since the certificate is self-signed, you will get a warning from your browser
the first time you access the web portal. This is normal.
This is not intended to be an all encompasing solution for everyone. ZoneMinder
will work just fine over HTTPS the way it is currently configured. However,
here are a couple of considerations you may want to take.
1. Create your own certificate. The CentOS wiki has a guide that describes how
to do this: https://wiki.centos.org/HowTos/Https . Additionally, Googling
"centos certificate" reveals many articles on the subject. Note that some
third party applications, such as zmNinja, will require you to create a
certificate different than the default certificate on your machine.
2. You can turn off HTTPS entirely by simply commenting out the SSLRequireSSL
directives found in /etc/httpd/conf.d/zoneminder.conf. You should also
comment out the HTTP -> HTTPS Rewrite rule.
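Review bot: Item 2 explains how to turn HTTPS off entirely without saying what is lost: the web portal login then travels over plain HTTP. Add that consequence, and frame the option for setups where TLS is handled elsewhere, such as a front-end proxy. The paragraph on the self-signed certificate should tell the reader to check the certificate being accepted rather than only "This is normal". Typos: "pacakge", "encompasing".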

View File

@ -1,26 +1,26 @@
# When using Zoneminder's own authentication, recorded CCTV images are
# accessible from the web directly without passing the authentication. This
# means any attacker could see your CCTV images without a password. In order
# to avoid this you can disable Zoneminder's authentication and configure
# standard Apache authentication (see the Apache documentation for details on
# this).
#
# If you still wish to use Zoneminder's own authentication, or have an
# internal site which needs no authentication, you need to delete the line
# marked below and restart Apache.
# ZoneMinder Apache configuration file
# With SSLRequire and HTTPS auto redirect
# Modify this configuration to suit your requirements
#
# Auto Redirect HTTP requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]
Alias /zm "@ZM_WEBDIR@"
<Directory "@ZM_WEBDIR@">
SSLRequireSSL
Options -Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
# ZoneMinder no longer uses short tags so this is safe to leave disabled
# php_value short_open_tag 1
</Directory>
ScriptAlias /cgi-bin/zm "@ZM_WEBDIR@"
<Directory "@ZM_WEBDIR@">
SSLRequireSSL
AllowOverride All
Options ExecCGI FollowSymLinks
Order allow,deny
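Review bot: The rewritten header drops the warning that, with ZoneMinder's own authentication, recorded images are reachable directly from the web without authenticating, while the first Directory block carries "Allow from all". If that exposure still exists, keep the warning in the new header; if it has been fixed, say so in the commit message. Also check the second block: ScriptAlias /cgi-bin/zm and its Directory both point at @ZM_WEBDIR@, so the web directory is served with ExecCGI, whereas the other zoneminder.conf in this commit uses a separate @ZM_CGIDIR@.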

View File

@ -30,8 +30,8 @@ BuildRequires: libcurl-devel vlc-devel ffmpeg-devel polkit-devel
# cmake needs the following installed at build time due to the way it auto-detects certain parameters
BuildRequires: httpd ffmpeg
Requires: httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools psmisc
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: httpd php php-gd php-mysql mysql-server libjpeg-turbo polkit net-tools mod_ssl
Requires: psmisc perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
Requires: libcurl vlc-core ffmpeg
@ -96,8 +96,20 @@ echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wa
/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
# Display the README for post installation instructions
/usr/bin/less %{_docdir}/%{name}-%{version}/README.CentOS
# Upgrade from a previous version of zoneminder
if [ $1 -eq 2 ] ; then
# Freshen the database
/usr/bin/zmupdate.pl -f
# We can't run this automatically when new sql account permissions need to
# be manually added first
# Run zmupdate non-interactively
#/usr/bin/zmupdate.pl --nointeractive
fi
# Warn the end user to read the README file
echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos to finish the\ninstallation or upgrade!\n"
echo -e "\nThe README file is located here: %{_docdir}/%{name}-%{version}.\n"
%preun
if [ $1 -eq 0 ]; then
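Review bot: The new warning names README.Centos, while the less command in the same hunk opens README.CentOS; on a case-sensitive filesystem only one of those names exists, so the echo should use the file name that is actually installed. Printing the full path in one line, %{_docdir}/%{name}-%{version}/README.CentOS, would also save the reader from joining the two messages.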
@ -170,6 +182,9 @@ rm -rf %{_docdir}/%{name}-%{version}
%dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/spool/zoneminder-upload
%changelog
* Tue Sep 8 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
- Require https, freshen dB on updates.
* Wed Feb 18 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
- Include ONVIF support files

View File

@ -1,16 +1,17 @@
# When using Zoneminder's own authentication, recorded CCTV images are
# accessible from the web directly without passing the authentication. This
# means any attacker could see your CCTV images without a password. In order
# to avoid this you can disable Zoneminder's authentication and configure
# standard Apache authentication (see the Apache documentation for details on
# this).
#
# If you still wish to use Zoneminder's own authentication, or have an
# internal site which needs no authentication, you need to delete the line
# marked below and restart Apache.
# ZoneMinder Apache configuration file
# With SSLRequire and HTTPS auto redirect
# Modify this configuration to suit your requirements
#
# Auto Redirect HTTP requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]
Alias /zm "@ZM_WEBDIR@"
<Directory "@ZM_WEBDIR@">
SSLRequireSSL
Options -Indexes +MultiViews +FollowSymLinks
AllowOverride All
<IfModule mod_authz_core.c>
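Review bot: The pattern in RewriteRule ^/?(zm)(.*) matches any path that merely begins with "zm", and it does not cover /cgi-bin-zm, so plain-HTTP requests to the CGI alias are refused by SSLRequireSSL instead of being redirected. Tighten the pattern to ^/?zm(/.*)?$ (adjusting the substitution to match) and add a rule for /cgi-bin-zm, or redirect the whole host. [R,L] sends a temporary 302; use R=301 if the HTTPS requirement is meant to be permanent.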
@ -22,12 +23,11 @@ Alias /zm "@ZM_WEBDIR@"
Order deny,allow
Allow from all
</IfModule>
# ZoneMinder no longer uses short tags so this is safe to leave disabled
# php_value short_open_tag 1
</Directory>
ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
<Directory "@ZM_CGIDIR@">
SSLRequireSSL
AllowOverride All
Options +ExecCGI +FollowSymLinks
<IfModule mod_authz_core.c>
@ -40,3 +40,4 @@ ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
Allow from all
</IfModule>
</Directory>

View File

@ -32,8 +32,8 @@ BuildRequires: ffmpeg ffmpeg-devel perl(X10::ActiveHome) perl(Astro::SunTime)
# cmake needs the following installed at build time due to the way it auto-detects certain parameters
BuildRequires: httpd polkit-devel
Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools psmisc
Requires: libjpeg-turbo vlc-core libcurl
Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools mod_ssl
Requires: psmisc libjpeg-turbo vlc-core libcurl
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
@ -87,20 +87,27 @@ fi
/usr/bin/gpasswd -a %{zmuid_final} video
/usr/bin/gpasswd -a %{zmuid_final} dialout
# Disabled. SELinux policy does not work for RHEL 7.
# Create and load zoneminder selinux policy module
echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
#echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
#/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
#/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
#/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
# Upgrade from a previous version of zoneminder
if [ $1 -eq 2 ] ; then
# Freshen the database
/usr/bin/zmupdate.pl -f
# We can't run this automatically when new sql account permissions need to
# be manually added first
# Run zmupdate non-interactively
/usr/bin/zmupdate.pl --nointeractive
#/usr/bin/zmupdate.pl --nointeractive
fi
# Display the README for post installation instructions
/usr/bin/less %{_docdir}/%{name}-%{version}/README.Centos7
# Warn the end user to read the README file
echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos7 to finish the\ninstallation or upgrade!\n"
echo -e "\nThe README file is located here: %{_docdir}/%{name}-%{version}.\n"
%preun
if [ $1 -eq 0 ] ; then
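Review bot: In the upgrade branch (if [ $1 -eq 2 ]), the exit status of /usr/bin/zmupdate.pl -f is never checked, so a failed freshen passes silently once the scriptlet reaches the echo lines; test the result and print a clear message pointing at the README when it fails. The same applies to the identical block in the other spec file in this commit. The commented-out checkmodule, semodule_package, semodule and zmupdate.pl --nointeractive lines are better deleted than kept as dead code, with the reason left in the one-line comment.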
@ -184,6 +191,9 @@ fi
%changelog
* Mon Sep 7 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
- Require https, disable selinux module, freshen dB on updates.
* Sun Feb 8 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
- Initial release for CentOS 7.

View File

@ -357,6 +357,60 @@ our @options =
type => $types{boolean},
category => "system",
},
# PP - Google reCaptcha settings
{
name => "ZM_OPT_USE_GOOG_RECAPTCHA",
default => "no",
description => "Add Google reCaptcha to login page",
help => qqq("
This option allows you to include a google
reCaptcha validation at login. This means in addition to providing
a valid usernane and password, you will also have to
pass the reCaptcha test. Please note that enabling this
option results in the zoneminder login page reach out
to google servers for captcha validation. Also please note
that enabling this option will break 3rd party clients
like zmNinja and zmView as they also need to login to ZoneMinder
and they will fail the reCaptcha test.
"),
requires => [
{name=>"ZM_OPT_USE_AUTH", value=>"yes"}
],
type => $types {boolean},
category => "system",
},
{
name => "ZM_OPT_GOOG_RECAPTCHA_SITEKEY",
default => "...Insert your recaptcha site-key here...",
description => "Your recaptcha site-key",
help => qqq("You need to generate your keys from
the Google reCaptcha website.
Please refer to https://www.google.com/recaptcha/
for more details.
"),
requires => [
{name=>"ZM_OPT_USE_GOOG_RECAPTCHA", value=>"yes"}
],
type => $types {string},
category => "system",
},
{
name => "ZM_OPT_GOOG_RECAPTCHA_SECRETKEY",
default => "...Insert your recaptcha secret-key here...",
description => "Your recaptcha secret-key",
help => qqq("You need to generate your keys from
the Google reCaptcha website.
Please refer to https://www.google.com/recaptcha/
for more details.
"),
requires => [
{name=>"ZM_OPT_USE_GOOG_RECAPTCHA", value=>"yes"}
],
type => $types {string},
category => "system",
},
{
name => "ZM_DIR_EVENTS",
default => "events",
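Review bot: The defaults for ZM_OPT_GOOG_RECAPTCHA_SITEKEY and ZM_OPT_GOOG_RECAPTCHA_SECRETKEY are non-empty placeholder strings ("...Insert your recaptcha site-key here..."), so any code that tests these options for truthiness treats an unconfigured install as configured. Default both to the empty string and move the hint into the help text. In the help for ZM_OPT_USE_GOOG_RECAPTCHA, "usernane" should be "username", and "$types {boolean}" has a space that the neighbouring entries ("$types{boolean}") do not.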

View File

@ -18,6 +18,31 @@
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//
// PP - POST request handler for PHP which does not need extensions
// credit: http://wezfurlong.org/blog/2006/nov/http-post-from-php-without-curl/
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array(
'method' => 'POST',
'content' => $data
));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = @fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = @stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
function getAffectedIds( $name )
{
$names = $name."s";
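Review bot: do_post_request() sets no timeout in the stream context and reports failure by throwing, and the caller added further down in this file does not catch; an unreachable verification endpoint therefore stalls the login for the default socket timeout and then ends in an uncaught exception. Add 'timeout' to the 'http' context options and handle the failure at the call site. $php_errormsg is only populated when track_errors is on, so the messages will usually be empty; error_get_last() is the reliable source. The handle returned by fopen() is never closed.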
@ -42,6 +67,28 @@ if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST[
if ( !empty($action) )
{
// PP - lets validate reCaptcha if it exists
if (ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY && ZM_OPT_GOOG_RECAPTCHA_SITEKEY)
{
$url = 'https://www.google.com/recaptcha/api/siteverify';
$fields = array (
'secret'=> ZM_OPT_GOOG_RECAPTCHA_SECRETKEY,
'response' => $_REQUEST['g-recaptcha-response'],
'remoteip'=> $_SERVER['REMOTE_ADDR']
);
$res= do_post_request($url, http_build_query($fields));
$result = json_decode($res);
if ($result->success != 'true')
{
userLogout();
$view='login';
$refreshParent = true;
}
}
// General scope actions
if ( $action == "login" && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == "remote" || isset($_REQUEST['password']) ) )
{
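Review bot: When verification fails, the branch calls userLogout() and sets $view, but nothing stops execution from continuing into the "General scope actions" block, so the login test on $action == "login" that follows still runs for the same request. Clear $action (or return) in the failure branch. The check also sits directly under if ( !empty($action) ), so it runs for every action rather than only for login, and requests that carry no g-recaptcha-response will fail it; gate it on $action == "login" and test isset($_REQUEST['g-recaptcha-response']) first. Compare with $result->success !== true after confirming that json_decode() returned an object.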

View File

@ -20,6 +20,13 @@
xhtmlHeaders(__FILE__, translate('Login') );
?>
<!-- PP: Add recaptcha script if enabled -->
<?php
if (ZM_OPT_USE_GOOG_RECAPTCHA)
{
echo "<head> <script src='https://www.google.com/recaptcha/api.js'></script> </head>";
}
?>
<body>
<div id="page">
<div id="header">
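Review bot: The script tag is echoed inside its own <head> element immediately before <body>, after xhtmlHeaders() has been called, which going by its name has already written the document head; the page then carries two head elements. Have the existing head section emit the reCaptcha script instead, still conditional on ZM_OPT_USE_GOOG_RECAPTCHA. The script loads whenever that option is set, while the widget and the server-side check additionally require both keys; use one condition in all three places.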
@ -43,6 +50,13 @@ xhtmlHeaders(__FILE__, translate('Login') );
</tbody>
</table>
<input type="submit" value="<?php echo translate('Login') ?>"/>
<!-- PP: Added recaptcha widget if enabled -->
<?php
if (ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SITEKEY && ZM_OPT_GOOGLE_RECAPTCHA_SECRETKEY)
{
echo "<br/><br/><center> <div class='g-recaptcha' data-sitekey='".ZM_OPT_GOOG_RECAPTCHA_SITEKEY."'></div> </center>";
}
?>
</form>
</div>
</div>
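Review bot: The widget condition tests ZM_OPT_GOOGLE_RECAPTCHA_SECRETKEY, but the option added in this commit is named ZM_OPT_GOOG_RECAPTCHA_SECRETKEY, so the misspelled constant is undefined. The view has no need for the secret key at all: drop that term and test only ZM_OPT_USE_GOOG_RECAPTCHA and ZM_OPT_GOOG_RECAPTCHA_SITEKEY. Pass the site key through htmlspecialchars() before echoing it into the data-sitekey attribute.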