Bug 234445 - Review Request: mod_auth_shadow - An Apache module for authentication using /etc/shadow
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jochen Schmitt
QA Contact: Fedora Package Reviews List
 
Reported: 2007-03-29 07:24 EDT by David Anderson
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-04-03 02:51:37 EDT
jochen: fedora‑review+
jwboyer: fedora‑cvs+


Description David Anderson 2007-03-29 07:24:44 EDT
Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-1.src.rpm
Description: 

When performing this task one encounters one fundamental
difficulty: The /etc/shadow file is supposed to be
read/writeable only by root.  However, the webserver is
supposed to run under a non-root user, such as "nobody".

mod_auth_shadow addresses this difficulty by opening a pipe
to an suid root program, validate, which does the actual
validation.  When there is a failure, validate writes an
error message to the system log, and waits three seconds
before exiting.
Comment 1 Jochen Schmitt 2007-03-29 10:57:21 EDT
Good:
+ Rpmlint is quiet on source rpm.
+ Local build works fine.
+ License seems ok
+ Naming seems ok

Bad:
- Rpmlint complains about binary RPM.
rpmlint mod_auth_shadow-2.1-1.x86_64.rpm
E: mod_auth_shadow setuid-binary /usr/sbin/validate root 04755
E: mod_auth_shadow non-standard-executable-perm /usr/sbin/validate 04755
- Debuginfo RPM contains no sources
- Use a better source URL to sf.net (??)

Comment 2 David Anderson 2007-03-29 11:08:15 EDT
Thanks for the review. I believe everything's OK now. New versions with URLs 
as before.

Debuginfo RPM: Fixed (I shouldn't have stripped the binaries on installation).

rpmlint complains about the setuid root binary: this can be disregarded - 
it's meant to be a setuid binary, that's the design; you can't 
read /etc/shadow without it! (The non-standard permission is a permutation on 
this error: it's the setuid bit which is nonstandard).

Sourceforge URL... I can't see any problem with this. 
(http://downloads.sourceforge.net/mod-auth-shadow/%{name}-%{version}.tar.gz)
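
The setuid exception discussed in Comment 2 can be pinned to exactly one file, mode and owner. This is an added example, not part of the original thread or of the package: a shell function that reads an `rpm -qplv`-style listing and accepts only the setuid-root file rpmlint reported. The sample listing, its sizes and dates, and the second setuid path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files in an `rpm -qplv`-style listing
# against an explicit allowlist. Entries are "mode owner path", separated by ";".
# The single entry mirrors the rpmlint finding: /usr/sbin/validate root 04755.
ALLOWED='-rwsr-xr-x root /usr/sbin/validate'

# Constructed sample listing (not real package output). The third line is an
# invented extra setuid+setgid file to show what a rejection looks like.
SAMPLE_LISTING='-rwxr-xr-x    1 root    root    14520 Mar 29  2007 /usr/lib64/httpd/modules/mod_auth_shadow.so
-rwsr-xr-x    1 root    root     9876 Mar 29  2007 /usr/sbin/validate
-rwsr-sr-x    1 root    root     9876 Mar 29  2007 /usr/bin/constructed-helper'

# audit_setid: read a listing on stdin. For every file carrying a setuid or
# setgid bit, print "OK ..." if it matches the allowlist exactly (mode, owner
# and path), otherwise "UNEXPECTED ...". Exit status is 1 if anything
# unexpected was seen, 0 otherwise. Assumes paths contain no spaces.
audit_setid() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, ";")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            mode = $1; owner = $3; path = $NF
            # Characters 4 and 7 of the mode string hold setuid and setgid.
            if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/) {
                key = mode " " owner " " path
                if (key in ok) {
                    print "OK " key
                } else {
                    print "UNEXPECTED " key
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo run on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | audit_setid || echo "review required"
```

Against a built package the same function can be fed with `rpm -qplv <package>.rpm | audit_setid`, so a new setuid file or a changed mode or owner fails the check instead of being waved through with the known exception.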
Comment 3 Jochen Schmitt 2007-04-01 14:28:41 EDT
Good:
+ Tar ball matches with upstream.
+ License ok.

Bad:
- Package contains no verbatim text of the license
  (Please contact upstream to include it in the next release)
- Debuginfo package contains no sources.

Please increase the release number when you upload a new release of your package.
Comment 4 David Anderson 2007-04-02 08:28:14 EDT
New versions, which I believe satisfy both mentioned requirements:

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-2.src.rpm

I've included a copy of the GPL to satisfy the GPL's own requirements, and 
I've contacted upstream to ask them to include it themselves in future 
releases.

The debuginfo was a mistake - somehow I'd not updated the uploaded src.rpm 
which had fixed this. I've bumped the version to make sure that doesn't happen 
this time.
Comment 5 manuel wolfshant 2007-04-02 08:34:21 EDT
David, you should not include the license by yourself. Please see
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines, under MUST:

- MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.
Comment 6 David Anderson 2007-04-02 08:43:11 EDT
Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.1-3.src.rpm

Thanks wolfshant. New versions.

I disagree with those guidelines, as the GPL itself requires that the GPL be 
included in the distribution. It seems to me that Fedora can't redistribute 
without fulfilling those terms. Upstream isn't bound by those terms as it's 
the copyright holder, but we are, so we ought to include a copy of the GPL.

So I think Tom Callaway has got that wrong. But, I don't make the rules, so 
the new SRPM I've uploaded does it the suggested way... I assume that Fedora 
legal knows what it's doing.
Comment 7 Jochen Schmitt 2007-04-02 11:28:36 EDT
Good:
+ Naming seems ok
+ License ok.
+ Local build works ok.
+ Binary package ok.
+ Debuginfo package ok.
+ Mock build works fine.
+ Local install and uninstall works fine.
+ Start of httpd with installed package works fine.

Bad:
- Package contains no verbatim copy of the license
  (Please contact upstream for including it in the next release)

Comment 8 David Anderson 2007-04-02 11:37:26 EDT
New Package CVS Request
=======================
Package Name: mod_auth_shadow
Short Description: An Apache module for authentication using /etc/shadow
Owners: fedora-packaging@dw-perspective.org.uk
Branches: FC-5 FC-6 EL-4 EL-5
InitialCC: 
Comment 9 David Anderson 2007-04-02 12:48:50 EDT
Upstream has released a new release which includes the license file:

Spec URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow.spec
SRPM URL: http://david.dw-perspective.org.uk/tmp/mod_auth_shadow-2.2-1.src.rpm
Comment 10 David Anderson 2007-04-03 02:51:37 EDT
OK, in CVS and built for devel now. Thanks to everyone who helped.
