234445 – Review Request: mod_auth_shadow - An Apache module for authentication using /etc/shadow

Bug 234445 - Review Request: mod_auth_shadow - An Apache module for authentication using /etc/shadow

Summary: Review Request: mod_auth_shadow - An Apache module for authentication using /...

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	Package Review
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jochen Schmitt
QA Contact:	Fedora Package Reviews List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-03-29 11:24 UTC by David Anderson
Modified:	2007-11-30 22:12 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-04-03 06:51:37 UTC
Type:	---
Embargoed:
Dependent Products:
Flags:	jochen: fedora-review+ jwboyer: fedora-cvs+

Attachments	(Terms of Use)

Description David Anderson 2007-03-29 11:24:44 UTC

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-1.src.rpm
Description: 

When performing this task one encounters one fundamental
difficulty: The /etc/shadow file is supposed to be
read/writeable only by root.  However, the webserver is
supposed to run under a non-root user, such as "nobody".

mod_auth_shadow addresses this difficulty by opening a pipe
to an suid root program, validate, which does the actual
validation.  When there is a failure, validate writes an
error message to the system log, and waits three seconds
before exiting.

Comment 1 Jochen Schmitt 2007-03-29 14:57:21 UTC

Good:
+ Rpmlint is quite on source rpm.
+ Local build works fine.
+ License seems ok
+ Naming semms ok

Bad:
+ Rpmlint complaints binary RPM.
rpmlint mod_auth_shadow-2.1-1.x86_64.rpm
E: mod_auth_shadow setuid-binary /usr/sbin/validate root 04755
E: mod_auth_shadow non-standard-executable-perm /usr/sbin/validate 04755
- Debuginfo RPM contains no sources
- Use a better source URL to sf.net (??)

Comment 2 David Anderson 2007-03-29 15:08:15 UTC

Thanks for the review. I believe everything's OK now. New versions with URLs 
as before.

Debuginfo RPM: Fixed (I shouldn't have stripped the binaries on installation).

rpmlint complains about the setuid root binary : this can be disregarded - 
it's meant to be a setuid binary, that's the design; you can't 
read /etc/shadow without it! (The non-standard permission is a permutation on 
this error: it's the setuid bit which is nonstandard).

Sourceforge URL... I can't see any problem with this. 
(http://downloads.sourceforge.net/mod-auth-shadow/%{name}-%{version}.tar.gz)

Comment 3 Jochen Schmitt 2007-04-01 18:28:41 UTC

Good:
+ Tar ball matches with upstream.
+ License ok.

Bad:
- Package contains no verbatin text of the license
  (Please contact upstream to include it in the next release)
- Debuginfo package contains no sources.

Please increase release number when upload a new release of your package.

Comment 4 David Anderson 2007-04-02 12:28:14 UTC

New versions, which I believe satisfy both mentioned requirements:

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-2.src.rpm

I've included a copy of the GPL to satisfy the GPL's own requirements, and 
I've contacted upstream to ask them to include it themselves in future 
releases.

The debuginfo was a mistake - somehow I'd not updated the uploaded src.rpm 
which had fixed this. I've bumped the version to make sure that doesn't happen 
this time.

Comment 5 manuel wolfshant 2007-04-02 12:34:21 UTC

David, you should not include the license by yourself. Please see
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines, under MUST:

- MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.

Comment 6 David Anderson 2007-04-02 12:43:11 UTC

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-3.src.rpm

Thanks wolfshant. New versions.

I disagree with those guidelines, as the GPL itself requires that the GPL be 
included in the distribution. It seems to me that Fedora can't redistribute 
without fulfilling those terms. Upstream isn't bound by those terms as it's 
the copyright holder, but we are, so we ought to include a copy of the GPL.

So I think Tom Callaway has got that wrong. But, I don't make the rules, so 
the new SRPM I've uploaded does it the suggested way... I assume that Fedora 
legal knows what it's doing.

Comment 7 Jochen Schmitt 2007-04-02 15:28:36 UTC

God:
+ Naming semms ok
+ License ok.
+ Local build works ok.
+ Binary package ok.
+ Debuginfo package ok.
+ Mock build works fine.
+ Local install and uninstall works fine.
+ Start of httpd with installed package works fine.

Bad:
- Package conains no verbatin copy of the license
  (Please contact upstream for including it in the next release)

Comment 8 David Anderson 2007-04-02 15:37:26 UTC

New Package CVS Request
=======================
Package Name: mod_auth_shadow
Short Description: An Apache module for authentication using /etc/shadow
Owners: fedora-packaging.uk
Branches: FC-5 FC-6 EL-4 EL-5
InitialCC:

Comment 9 David Anderson 2007-04-02 16:48:50 UTC

Upstream has released a new release which includes the license file:

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.2-1.src.rpm

Comment 10 David Anderson 2007-04-03 06:51:37 UTC

OK, in CVS and built for devel now. Thanks to everyone who helped.

Note You need to log in before you can comment on or make changes to this bug.