Bug 430206 - rpmlint complains about ldap gid/uid
Summary: rpmlint complains about ldap gid/uid
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-01-25 09:13 UTC by Jan Safranek
Modified: 2008-06-26 08:30 UTC

Fixed In Version: 0.83-1.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-26 08:29:55 UTC
Type: ---
Embargoed:



Description Jan Safranek 2008-01-25 09:13:49 UTC
Description of problem:
The openldap package places files in /etc and /var which are owned by the ldap
group and user. In addition, some of the files are not readable by everybody
(they can contain passwords). Rpmlint is not comfortable with that:

> openldap-servers.i386: E: non-standard-gid /etc/openldap/slapd.conf ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-readable /etc/openldap/slapd.conf 0640
> The file can't be read by everybody. If this is expected (for security
> reasons), contact your rpmlint distributor to get it added to the list of
> exceptions for your distro (or add it to your local configuration if you
> installed rpmlint from the source tarball).
>
> openldap-servers.i386: E: non-standard-uid /var/lib/ldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/lib/ldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
> 
> openldap-servers.i386: E: non-standard-uid /var/run/openldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
> 
> openldap-servers.i386: E: non-standard-gid /var/run/openldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc8.noarch

I'd like to ask you to add these exceptions to rpmlint.

Comment 1 Ville Skyttä 2008-01-25 20:00:44 UTC
The current rpmlint policy is to treat only users and groups that are in the
"setup" package as standard ones.  There are lots of users and groups already
created by packages that rpmlint doesn't know about and new ones are introduced
all the time, so I don't think trying to keep up with them in rpmlint is an
achievable goal; hence I'm inclined to not add an exception for "ldap".

I do however think that this check should be downgraded into a warning.  Even
though it is usually mostly a noise maker, it can on the other hand catch
serious packaging (security) issues every now and then, so I'd rather not filter
it out.

(It'd be good if rpmlint could see if a package creates a user/group and shut up
if that package uses those for file ownership, but I don't think that's sanely
achievable either.)

Thoughts?

Comment 2 Jan Safranek 2008-01-28 09:04:17 UTC
I agree that lowering the severity from error to warning would be appropriate.
And I would also change the message from "contact your rpmlint distributor to
get it added to the list" to something suggesting a self-check instead and
pointing to the appropriate config option to add users/groups to shut it up.
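
The policy discussed in comments 1 and 2, as an added example that is not part of the original thread and is not rpmlint's own code: ownership outside the standard lists is reported as a warning, and a local configuration can extend the lists or exempt a deliberately restricted file. The function name, the `extra_*` and `readable_exceptions` parameters, the directory modes and the owner of slapd.conf are assumptions; the standard lists are copied from the rpmlint output quoted in the description.

```python
import stat

# Standard accounts as listed in the rpmlint output quoted in the report.
STANDARD_USERS = frozenset(
    "root bin daemon adm lp sync shutdown halt mail news uucp "
    "operator games gopher ftp nobody".split())
STANDARD_GROUPS = frozenset(
    "root bin daemon sys adm tty disk lp mem kmem wheel mail news uucp "
    "man games gopher dip ftp lock nobody users".split())


def check_files(files, extra_users=(), extra_groups=(), readable_exceptions=()):
    """Return (severity, check, path, detail) findings for a package file list.

    files: iterable of (path, mode, user, group); mode includes file type bits.
    extra_users/extra_groups/readable_exceptions: local additions
    (hypothetical parameters standing in for a local configuration).
    """
    users = STANDARD_USERS | set(extra_users)
    groups = STANDARD_GROUPS | set(extra_groups)
    findings = []
    for path, mode, user, group in files:
        # Ownership checks are warnings, as agreed in the thread.
        if user not in users:
            findings.append(("W", "non-standard-uid", path, user))
        if group not in groups:
            findings.append(("W", "non-standard-gid", path, group))
        # Regular file missing a read bit for owner, group or other.
        # Severity kept at "E" as in the quoted output (assumption).
        perm = stat.S_IMODE(mode)
        if (stat.S_ISREG(mode) and perm & 0o444 != 0o444
                and path not in readable_exceptions):
            findings.append(("E", "non-readable", path, "%04o" % perm))
    return findings


# Constructed file list modelled on the report; directory modes and the
# root owner of slapd.conf are assumed, not taken from the package.
SAMPLE = [
    ("/etc/openldap/slapd.conf", stat.S_IFREG | 0o640, "root", "ldap"),
    ("/var/lib/ldap", stat.S_IFDIR | 0o700, "ldap", "ldap"),
    ("/var/run/openldap", stat.S_IFDIR | 0o755, "ldap", "ldap"),
]

if __name__ == "__main__":
    for sev, check, path, detail in check_files(SAMPLE):
        print("openldap-servers.i386: %s: %s %s %s" % (sev, check, path, detail))
```

Reviewing each finding before adding an exception keeps the case the check exists for visible: a file handed to an account the package never intended to own it.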

Comment 3 Ville Skyttä 2008-05-27 16:21:40 UTC
Downgraded to warning in upcoming rpmlint 0.83.

Comment 4 Fedora Update System 2008-06-09 18:32:56 UTC
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9

Comment 5 Fedora Update System 2008-06-09 18:35:13 UTC
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-06-11 04:34:31 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update rpmlint'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185

Comment 7 Fedora Update System 2008-06-26 08:29:41 UTC
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-06-26 08:30:48 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

