Description of problem:
The openldap package places files in /etc and /var which are owned by the ldap group and user. In addition, some of the files are not readable by everybody (they can contain passwords). Rpmlint is not comfortable with that:

> openldap-servers.i386: E: non-standard-gid /etc/openldap/slapd.conf ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
>
> openldap-servers.i386: E: non-readable /etc/openldap/slapd.conf 0640
> The file can't be read by everybody. If this is expected (for security
> reasons), contact your rpmlint distributor to get it added to the list of
> exceptions for your distro (or add it to your local configuration if you
> installed rpmlint from the source tarball).
>
> openldap-servers.i386: E: non-standard-uid /var/lib/ldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
>
> openldap-servers.i386: E: non-standard-gid /var/lib/ldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
>
> openldap-servers.i386: E: non-standard-uid /var/run/openldap ldap
> A file in this package is owned by a non standard user.
> Standard users are:
> root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp,
> operator, games, gopher, ftp, nobody
>
> openldap-servers.i386: E: non-standard-gid /var/run/openldap ldap
> A file in this package is owned by a non standard group.
> Standard groups are:
> root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
> news, uucp, man, games, gopher, dip, ftp, lock, nobody, users

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc8.noarch

I'd like to ask you to add these exceptions to rpmlint.
The current rpmlint policy is to treat only users and groups that are in the "setup" package as standard ones. There are lots of users and groups already created by packages that rpmlint doesn't know about, and new ones are introduced all the time, so I don't think trying to keep up with them in rpmlint is an achievable goal; hence I'm inclined to not add an exception for "ldap". I do, however, think that this check should be downgraded into a warning. Even though it is usually mostly a noise maker, on the other hand it can catch serious packaging (security) issues every now and then, so I'd rather not filter it out. (It'd be good if rpmlint could see if a package creates a user/group and shut up if that package uses those for file ownership, but I don't think that's sanely achievable either.) Thoughts?
I agree that lowering the severity from error to warning would be appropriate. And I would also change the message from "contact your rpmlint distributor to get it added to the list" to something suggesting a self check instead and pointing to the appropriate config option to add users/groups to shut it up.
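The two ideas in the comments above, written out as an added example: accept a non-standard owner when the package's own %pre scriptlet creates it (the heuristic in comment 1), and keep a local list of extra users/groups and deliberately non-readable files (the config option comment 2 points at). This is a Python sketch added here, not rpmlint's code. The names PackagedFile, Finding, accounts_created, lint and run_sample are mine; the %pre scriptlet, the modes of /var/lib/ldap and /var/run/openldap, and the /etc/cron.d/slapd-backup entry owned by a "backup" account are constructed for the demonstration and not taken from openldap-servers.

```python
"""Added example (not rpmlint's code): the uid/gid/readability checks from the
report above, plus the heuristic from the discussion that an owner created by
the package's own %pre scriptlet is only noted, not warned about."""
import re
import shlex
from dataclasses import dataclass

# "Standard" users and groups exactly as listed in the rpmlint messages above.
STANDARD_USERS = {"root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt",
                  "mail", "news", "uucp", "operator", "games", "gopher", "ftp", "nobody"}
STANDARD_GROUPS = {"root", "bin", "daemon", "sys", "adm", "tty", "disk", "lp", "mem",
                   "kmem", "wheel", "mail", "news", "uucp", "man", "games", "gopher",
                   "dip", "ftp", "lock", "nobody", "users"}
# Options of useradd/groupadd that take the next token as their value, so the
# account name can be recovered as the last remaining positional argument.
VALUE_OPTS = {
    "useradd": {"-u", "-g", "-G", "-d", "-s", "-c", "-e", "-f", "-k", "-K", "-p", "-b",
                "--uid", "--gid", "--groups", "--home-dir", "--shell", "--comment"},
    "groupadd": {"-g", "-K", "-p", "--gid"},
}
_REDIR_OP = re.compile(r"^(\d*|&)[<>]+$")   # '>' or '2>' with a separate target token
_REDIR = re.compile(r"^(\d*|&)[<>]")        # '>/dev/null' or '2>&1' as one token


@dataclass(frozen=True)
class PackagedFile:
    path: str
    mode: int    # permission bits only, e.g. 0o640
    user: str
    group: str


@dataclass(frozen=True)
class Finding:
    level: str   # "W" warning, "I" informational
    check: str
    path: str
    detail: str


def _simple_commands(line):
    """Split one shell line into simple commands, dropping redirections and
    the list operators (||, &&, ;) that scriptlets chain commands with."""
    cmds, cur, toks, i = [], [], shlex.split(line, comments=True), 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("||", "&&", ";", "|"):
            cmds.append(cur)
            cur = []
        elif _REDIR_OP.match(tok):
            i += 1                      # skip the redirection target as well
        elif not _REDIR.match(tok):
            if tok.endswith(";"):       # 'ldap;' ends the command too
                cur.append(tok[:-1])
                cmds.append(cur)
                cur = []
            else:
                cur.append(tok)
        i += 1
    cmds.append(cur)
    return [c for c in cmds if c]


def accounts_created(scriptlet):
    """Return (users, groups) created by useradd/groupadd calls in a scriptlet."""
    users, groups = set(), set()
    for line in scriptlet.splitlines():
        for cmd in _simple_commands(line):
            prog = cmd[0].rsplit("/", 1)[-1]       # also matches /usr/sbin/useradd
            if prog not in VALUE_OPTS:
                continue
            positional, i = [], 1
            while i < len(cmd):
                if cmd[i].startswith("-"):
                    if cmd[i] in VALUE_OPTS[prog]:
                        i += 1                     # consume the option's value
                else:
                    positional.append(cmd[i])
                i += 1
            if positional:
                (users if prog == "useradd" else groups).add(positional[-1])
    return users, groups


def lint(files, scriptlet, extra_users=(), extra_groups=(), non_readable_ok=()):
    """Owners outside the standard sets (plus local additions, the role of an
    rpmlint config option) warn unless the scriptlet creates them, in which
    case the finding is informational.  Files not readable by everybody warn
    unless listed in non_readable_ok, the local counterpart of an exception list."""
    users, groups = accounts_created(scriptlet)
    ok_users, ok_groups = STANDARD_USERS | set(extra_users), STANDARD_GROUPS | set(extra_groups)
    out = []
    for f in files:
        if f.user not in ok_users:
            out.append(Finding("I" if f.user in users else "W", "non-standard-uid", f.path, f.user))
        if f.group not in ok_groups:
            out.append(Finding("I" if f.group in groups else "W", "non-standard-gid", f.path, f.group))
        if not f.mode & 0o004 and f.path not in non_readable_ok:
            out.append(Finding("W", "non-readable", f.path, f"{f.mode:04o}"))
    return out


# Constructed sample in the usual Fedora idiom; not copied from openldap-servers.
SAMPLE_PRE = """
getent group ldap >/dev/null || groupadd -r -g 55 ldap
getent passwd ldap >/dev/null || useradd -r -u 55 -g ldap -d /var/lib/ldap -s /sbin/nologin -c "LDAP User" ldap 2>/dev/null || :
"""
SAMPLE_FILES = [
    PackagedFile("/etc/openldap/slapd.conf", 0o640, "root", "ldap"),
    PackagedFile("/var/lib/ldap", 0o700, "ldap", "ldap"),               # mode assumed
    PackagedFile("/var/run/openldap", 0o755, "ldap", "ldap"),           # mode assumed
    PackagedFile("/etc/cron.d/slapd-backup", 0o644, "backup", "root"),  # hypothetical
]


def run_sample():
    """slapd.conf is deliberately not world-readable (it may hold passwords),
    so it goes on the local exception list; everything else is checked."""
    return lint(SAMPLE_FILES, SAMPLE_PRE, non_readable_ok=("/etc/openldap/slapd.conf",))


if __name__ == "__main__":
    for f in run_sample():
        print(f"openldap-servers.i386: {f.level}: {f.check} {f.path} {f.detail}")
```

Run as a script it prints the findings in rpmlint's own "package: level: check path detail" layout: the ldap-owned paths come out as informational because the scriptlet creates that account, /var/lib/ldap is still warned about as non-readable because nobody listed it as intended, and the hypothetical cron.d entry owned by "backup" stays a warning because nothing in the package creates that account. That last case is the one worth keeping at warning level rather than filtering: a file that root reads or executes but that some other account owns hands whoever controls that account a way to feed content to root.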
Downgraded to warning in upcoming rpmlint 0.83.
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update rpmlint'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.