Bug 353931 - Review Request: xguest - kiosk user setup program
Summary: Review Request: xguest - kiosk user setup program
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-10-26 12:13 UTC by Daniel Walsh
Modified: 2008-09-23 03:30 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2008-09-23 03:30:47 UTC
tmraz: fedora-review+
tcallawa: fedora-cvs+

Attachments (Terms of Use)

Description Daniel Walsh 2007-10-26 12:13:52 UTC
Spec URL: http://people.fedoraproject.org/~dwalsh/xguest/xguest.spec
SRPM URL: ttp://people.fedoraproject.org/~dwalsh/xguest/xguest-1.0.2-1.fc8.src.rpm
Description: xguest is a package that sets up a locked down user for use in
kiosk systems.  The user will be controlled so that all they can use is Firefox
for reaching the internet.

Comment 1 Daniel Walsh 2007-10-26 12:17:30 UTC
SRPM URL: http://people.fedoraproject.org/~dwalsh/xguest/xguest-1.0.2-1.fc8.src.rpm

First off I would like to get this review as fast as possible, to get inclusion
in Fedora 8.  Maybe I am too late already.

The spec file does a couple of things that cause rpmlint to give errors.  These
are discussed at:


This package could be used in conjunction with Fast User Switching to allow
users to share the machines with others with little risk, as well as in kiosk

Comment 2 Parag AN(पराग) 2007-10-26 13:46:32 UTC
good to add license file as %doc
whats use of calling "exit 0" at end of each section?

Comment 3 Daniel Walsh 2007-10-26 14:52:22 UTC
Added and removed exit 0's

SRPM URL: http://people.fedoraproject.org/~dwalsh/xguest/xguest-1.0.3-1.fc8.src.rpm

Comment 4 manuel wolfshant 2007-10-27 00:02:46 UTC
Maybe I am just picky, but I am very much against creating files in %post. I
feel that %source1 sepermit.conf, with the appropriate content, copied in %post
to the right place would be cleaner and easier to manage/verify via rpm -qV

Comment 5 Daniel Walsh 2007-10-27 11:16:36 UTC
There are no files being created in post.  sepermit.conf is owned by pam and
xguest is just appending "xguest" to the file.

Comment 6 Daniel Walsh 2007-11-20 11:26:04 UTC
So what is the state of this? 

How do we move forward?

Comment 7 Tomas Mraz 2007-12-17 21:50:22 UTC
rpmlint -v ../SRPMS/xguest-1.0.5-2.fc8.src.rpm xguest.src: I: checking

rpmlint -v ../RPMS/noarch/xguest-1.0.5-2.fc9.noarch.rpm 
xguest.noarch: I: checking
xguest.noarch: E: use-tmp-in-%post
xguest.noarch: E: use-of-home-in-%post
These two aren't actually a use of it but adding the namespace configuration to
namespace.conf. As soon as pam_namespace will support config files in
namespace.d this should be changed. Perhaps you should save a backup of the
existing namespace.conf so it will be possible to restore it after the future
change. Of course the backup should be owned by the package as %ghost.

xguest.noarch: E: preun-without-chkconfig /etc/rc.d/init.d/xguest
That's a real error and it should be fixed. chkconfig --del should be run for

xguest.noarch: W: service-default-enabled /etc/rc.d/init.d/xguest
xguest.noarch: E: no-status-entry /etc/rc.d/init.d/xguest
xguest.noarch: W: no-reload-entry /etc/rc.d/init.d/xguest
I think these are OK. Status and reload entries do not make much sense as xguest
is not a daemon but script containing just some bind mounts. Whether it should
be enabled by default or not is debatable but as the %post script creates the
xguest user account I think that enabling the polyinstantiation to work for him
without further admins actions (except reboot or start of the script for the
first time) is fine.

xguest.noarch: W: uncompressed-zip /etc/desktop-profiles/xguest.zip
That's OK as it is only 177kB anyway.

Comment about the wording of Summary and Description:
It should be describing what the package does so IMO it should be more like:
Summary: Creates xguest user as a locked down user
Installing this package sets up the xguest user to be used as a temporary
account to switch to or as a kiosk user account. The account is disabled unless
SELinux is in enforcing mode. The user is only allowed to log in via gdm.
The home and temporary directories of the user will be polyinstantiated and
mounted on tmpfs.

More notes:
The URL: http://people.fedoraproject.org/~dwalsh/xguest/%{name}-%{version}.tar.bz2
points to nonexistent file.
There is no %defattr(...) on the beginning of %files.

Comment 8 Daniel Walsh 2007-12-17 22:36:16 UTC

Has been updated with all your suggested fixes.

Comment 9 Tomas Mraz 2007-12-18 08:43:36 UTC
rpmlint -v ../SRPMS/xguest-1.0.6-1.fc8.src.rpm 
xguest.src: I: checking

rpmlint -v ../RPMS/noarch/xguest-1.0.6-1.fc8.noarch.rpm 
xguest.noarch: I: checking
xguest.noarch: E: use-tmp-in-%post
xguest.noarch: E: use-of-home-in-%post
xguest.noarch: W: service-default-enabled /etc/rc.d/init.d/xguest
xguest.noarch: W: no-reload-entry /etc/rc.d/init.d/xguest
xguest.noarch: W: uncompressed-zip /etc/desktop-profiles/xguest.zip
All these warnings and errors are OK as I wrote in comment #7.

The suggested fixes were applied.

Package is ACCEPTed.

Comment 10 Tomas Mraz 2007-12-18 08:56:49 UTC
One more suggestion - when the namespace.conf file is modified I'd suggest to add
a comment line before and after the xguest configuration so it will be easy to
remove it as soon as the configuration is moved to an extra file in the future
namespace.d. And in the %preun you can already remove these lines between the
comment lines.

Comment 11 Daniel Walsh 2007-12-18 18:26:21 UTC

Has been updated with all your suggested fixes.

Spec file now deletes the namespace.conf entry on removal.

Comment 12 Tom "spot" Callaway 2007-12-19 20:38:20 UTC
Dan, the CVS process is here:


Please append a New Package CVS Request to this ticket and flip the flag back to ?.

Comment 13 Daniel Walsh 2007-12-20 18:49:35 UTC
New Package CVS Request
Package Name: dwalsh
Short Description: SELinux Kiosk User account setup program
Owners: dwalsh@redhat.com
Branches: F-8 Rawhide
InitialCC: sgrubb@redhat.com
Cvsextras Commits: Yes

Comment 14 Daniel Walsh 2007-12-20 18:51:16 UTC
New Package CVS Request
Package Name: dwalsh
Short Description: SELinux Kiosk User account setup program
Owners: dwalsh
Branches: F-8 Rawhide
InitialCC: sgrubb
Cvsextras Commits: No

Comment 15 Tom "spot" Callaway 2007-12-20 19:05:31 UTC
Umm, Dan? Is the package name really dwalsh?

I almost committed that to cvs. :)

Also, you don't need to list Rawhide as a branch, you always get that one.

cvs is done.

Comment 16 Daniel Walsh 2007-12-21 07:52:29 UTC
Package Name: xguest

Comment 17 Matt Domsch 2008-09-23 03:30:47 UTC
package is in the repos now, closing.

Note You need to log in before you can comment on or make changes to this bug.