Bug 430206 - rpmlint complains about ldap gid/uid
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-25 04:13 EST by Jan Safranek
Modified: 2008-06-26 04:30 EDT
Fixed In Version: 0.83-1.fc9
Doc Type: Bug Fix
Last Closed: 2008-06-26 04:29:55 EDT

Description Jan Safranek 2008-01-25 04:13:49 EST
Description of problem:
The openldap package places files in /etc and /var, which are owned by the ldap group
and user. In addition, some of the files are not readable by everybody (they can
contain passwords). Rpmlint is not comfortable with that:

> openldap-servers.i386: E: non-standard-gid /etc/openldap/slapd.conf ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-readable /etc/openldap/slapd.conf 0640
> The file can't be read by everybody. If this is expected (for security
> reasons), contact your rpmlint distributor to get it added to the list of
> exceptions for your distro (or add it to your local configuration if you
> installed rpmlint from the source tarball).
>
> openldap-servers.i386: E: non-standard-uid /var/lib/ldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/lib/ldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-standard-uid /var/run/openldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/run/openldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc8.noarch

I'd like to ask you to add these exceptions to rpmlint.
Comment 1 Ville Skyttä 2008-01-25 15:00:44 EST
The current rpmlint policy is to treat only users and groups that are in the
"setup" package as standard ones.  There are lots of users and groups already
created by packages that rpmlint doesn't know about and new ones are introduced
all the time, so I don't think trying to keep up with them in rpmlint is an
achievable goal; hence I'm inclined to not add an exception for "ldap".

I do however think that this check should be downgraded into a warning.  Even
though it is usually mostly a noise maker, on the other hand it can catch
serious packaging (security) issues every now and then, so I'd rather not filter
it out.

(It'd be good if rpmlint could see if a package creates a user/group and shut up
if that package uses those for file ownership, but I don't think that's sanely
achievable either.)

Thoughts?
Comment 2 Jan Safranek 2008-01-28 04:04:17 EST
I agree that lowering the severity from error to warning would be appropriate.
And I would also change the message from "contact your rpmlint distributor to
get it added to the list" to something suggesting a self-check instead and
pointing to the appropriate config option to add users/groups to shut it up.
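
An added illustration (not rpmlint's code and not part of the original comments) of the check discussed in Comments 1 and 2: file ownership is compared against the fixed lists from the quoted output, ownership findings are reported as warnings as in 0.83, and a local exception list silences them. The function, its parameter names, the slapd.conf owner and the directory modes are assumptions made for the example.

```python
import stat

# User and group lists exactly as printed in the rpmlint output quoted above.
STANDARD_USERS = set("root bin daemon adm lp sync shutdown halt mail news uucp "
                     "operator games gopher ftp nobody".split())
STANDARD_GROUPS = set("root bin daemon sys adm tty disk lp mem kmem wheel mail "
                      "news uucp man games gopher dip ftp lock nobody users".split())


def check_ownership(pkg, files, extra_users=(), extra_groups=(), unreadable_ok=()):
    """Return rpmlint-style lines for (path, user, group, mode) entries.

    extra_users, extra_groups and unreadable_ok are hypothetical stand-ins
    for a local exception list; they are not rpmlint option names.
    """
    users = STANDARD_USERS | set(extra_users)
    groups = STANDARD_GROUPS | set(extra_groups)
    out = []
    for path, user, group, mode in files:
        # Ownership findings are warnings, as after the 0.83 downgrade.
        if user not in users:
            out.append(f"{pkg}: W: non-standard-uid {path} {user}")
        if group not in groups:
            out.append(f"{pkg}: W: non-standard-gid {path} {group}")
        # Simplification: only regular files are tested for world-readability.
        if (stat.S_ISREG(mode) and not mode & stat.S_IROTH
                and path not in unreadable_ok):
            out.append(f"{pkg}: E: non-readable {path} {stat.S_IMODE(mode):04o}")
    return out


# Constructed file list: paths and the ldap owners follow the report; the
# slapd.conf owner and the directory modes are assumed (the report omits them).
OPENLDAP_FILES = [
    ("/etc/openldap/slapd.conf", "root", "ldap", stat.S_IFREG | 0o640),
    ("/var/lib/ldap", "ldap", "ldap", stat.S_IFDIR | 0o700),
    ("/var/run/openldap", "ldap", "ldap", stat.S_IFDIR | 0o755),
]

if __name__ == "__main__":
    pkg = "openldap-servers.i386"
    print("\n".join(check_ownership(pkg, OPENLDAP_FILES)))
    print("-- with 'ldap' added locally --")
    print("\n".join(check_ownership(pkg, OPENLDAP_FILES, {"ldap"}, {"ldap"})))
```

With the local additions only the non-readable finding for slapd.conf remains, which keeps the permission question visible to the packager while removing the ownership noise.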
Comment 3 Ville Skyttä 2008-05-27 12:21:40 EDT
Downgraded to warning in upcoming rpmlint 0.83.
Comment 4 Fedora Update System 2008-06-09 14:32:56 EDT
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9
Comment 5 Fedora Update System 2008-06-09 14:35:13 EDT
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8
Comment 6 Fedora Update System 2008-06-11 00:34:31 EDT
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update rpmlint'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185
Comment 7 Fedora Update System 2008-06-26 04:29:41 EDT
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-06-26 04:30:48 EDT
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.