Bug 430206

Summary: rpmlint complains about ldap gid/uid
Product: [Fedora] Fedora
Component: rpmlint
Version: 8
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Jan Safranek <jsafrane>
Assignee: Ville Skyttä <ville.skytta>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: manuel.wolfshant, tmz
Fixed In Version: 0.83-1.fc9
Doc Type: Bug Fix
Last Closed: 2008-06-26 08:29:55 UTC

Description Jan Safranek 2008-01-25 09:13:49 UTC
Description of problem:
The openldap package places files in /etc and /var which are owned by the ldap
group and user. In addition, some of the files are not readable by everybody
(they can contain passwords). Rpmlint is not comfortable with that:

> openldap-servers.i386: E: non-standard-gid /etc/openldap/slapd.conf ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-readable /etc/openldap/slapd.conf 0640
> The file can't be read by everybody. If this is expected (for security
> reasons), contact your rpmlint distributor to get it added to the list of
> exceptions for your distro (or add it to your local configuration if you
> installed rpmlint from the source tarball).
>
> openldap-servers.i386: E: non-standard-uid /var/lib/ldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/lib/ldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-standard-uid /var/run/openldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/run/openldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc8.noarch

I'd like to ask you to add these exceptions to rpmlint.

Comment 1 Ville Skyttä 2008-01-25 20:00:44 UTC
The current rpmlint policy is to treat only users and groups that are in the
"setup" package as standard ones.  There are lots of users and groups already
created by packages that rpmlint doesn't know about and new ones are introduced
all the time, so I don't think trying to keep up with them in rpmlint is an
achievable goal; hence I'm inclined to not add an exception for "ldap".

I do, however, think that this check should be downgraded into a warning.  Even
though it is usually mostly a noise maker, it can on the other hand catch
serious packaging (security) issues every now and then, so I'd rather not filter
it out.

(It'd be good if rpmlint could see if a package creates a user/group and shut up
if that package uses those for file ownership, but I don't think that's sanely
achievable either.)

Thoughts?

Comment 2 Jan Safranek 2008-01-28 09:04:17 UTC
I agree that lowering the severity from error to warning would be appropriate.
And I would also change the message from "contact your rpmlint distributor to
get it added to the list" to something suggesting a self-check instead and
pointing to the appropriate config option to add users/groups to shut it up.

Comment 3 Ville Skyttä 2008-05-27 16:21:40 UTC
Downgraded to warning in upcoming rpmlint 0.83.
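
The ownership and readability checks discussed in this thread, as an added Python example that is not part of the bug report and is not rpmlint's own code. It reuses the standard user/group lists from the quoted output, reports uid/gid findings as warnings as in 0.83, and goes one step further by sketching the scriptlet idea from Comment 1; the names `created_accounts`, `check_files`, `SAMPLE_FILES` and `SAMPLE_PRE` are hypothetical, and the sample payload and %pre scriptlet are constructed.

```python
import shlex
import stat

# Standard names, copied from the rpmlint output quoted in the bug description.
STANDARD_USERS = set("root bin daemon adm lp sync shutdown halt mail news uucp "
                     "operator games gopher ftp nobody".split())
STANDARD_GROUPS = set("root bin daemon sys adm tty disk lp mem kmem wheel mail "
                      "news uucp man games gopher dip ftp lock nobody users".split())
# Constructed payload (path, st_mode, user, group); dir modes and root owner assumed.
SAMPLE_FILES = [
    ("/etc/openldap/slapd.conf", stat.S_IFREG | 0o640, "root", "ldap"),
    ("/var/lib/ldap", stat.S_IFDIR | 0o700, "ldap", "ldap"),
    ("/var/run/openldap", stat.S_IFDIR | 0o755, "ldap", "ldap"),
    ("/usr/sbin/slapd", stat.S_IFREG | 0o755, "root", "root"),
]
# Constructed %pre scriptlet, not the real openldap one.
SAMPLE_PRE = """\
/usr/sbin/groupadd -r ldap 2>/dev/null || :
/usr/sbin/useradd -r -g ldap -d /var/lib/ldap -s /sbin/nologin ldap 2>/dev/null || :
"""

def created_accounts(scriptlet):
    # Heuristic: last word before any redirection/operator on a useradd/groupadd line.
    users, groups = set(), set()
    for line in scriptlet.splitlines():
        toks = shlex.split(line, comments=True)
        cut = next((i for i, t in enumerate(toks) if set(t) & set("|&;<>")), len(toks))
        argv = toks[:cut]
        if len(argv) < 2 or argv[-1].startswith(("-", "$", "%")):
            continue  # no literal account name found: leave the check noisy
        cmd = argv[0].rsplit("/", 1)[-1]
        if cmd == "useradd":
            users.add(argv[-1])
        elif cmd == "groupadd":
            groups.add(argv[-1])
    return users, groups

def check_files(files, extra_users=(), extra_groups=()):
    # Returns (severity, check, path, detail) tuples for a package payload.
    users = STANDARD_USERS | set(extra_users)
    groups = STANDARD_GROUPS | set(extra_groups)
    findings = []
    for path, mode, user, group in files:
        if user not in users:
            findings.append(("W", "non-standard-uid", path, user))
        if group not in groups:
            findings.append(("W", "non-standard-gid", path, group))
        if stat.S_ISREG(mode) and (mode & 0o444) != 0o444:
            findings.append(("E", "non-readable", path, "%04o" % stat.S_IMODE(mode)))
    return findings
```

Only accounts the package's own scriptlet creates are accepted, so a file owned by any other unknown account is still reported, and scriptlets that build the account name from a variable or macro are not recognised.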

Comment 4 Fedora Update System 2008-06-09 18:32:56 UTC
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9

Comment 5 Fedora Update System 2008-06-09 18:35:13 UTC
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-06-11 04:34:31 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
    su -c 'yum --enablerepo=updates-testing update rpmlint'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185

Comment 7 Fedora Update System 2008-06-26 08:29:41 UTC
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-06-26 08:30:48 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.