[Bug 555121] Review Request - nss-pam-ldapd (formerly nss-ldapd)

bugzilla at redhat.com bugzilla at redhat.com
Thu Feb 25 20:50:46 UTC 2010 

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=555121

Nalin Dahyabhai <nalin at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Nalin Dahyabhai <nalin at redhat.com> 2010-02-25 15:50:42 EST ---
(In reply to comment #1)
> Found the following rpmlint errors:
> 
> % rpmlint -iv ../RPMS/x86_64/nss-pam-ldapd-0.7.2-1.fc12.x86_64.rpm 
> nss-pam-ldapd.x86_64: I: checking
> nss-pam-ldapd.x86_64: W: non-standard-uid /var/run/nslcd nslcd
> A file in this package is owned by a non standard user. Standard users are:
> root, bin, daemon, adm, lp, mail, news, uucp, gopher, ftp, oprofile, pkiuser,
> squid, pvm, named, postgres, mysql, nscd, rpcuser, rpc, netdump, vdsm, rpm,
> ntp, mailman, gdm, xfs, mailnull, apache, wnn, smmsp, puppet, tomcat, ldap,
> frontpage, nut, beagleindex, tss, piranha, prelude-manager, snortd, condor,
> pegasus, webalizer, haldaemon, vcsa, avahi, tcpdump, privoxy, sshd, radvd,
> arpwatch, fax, nocpulse, desktop, dbus, jonas, clamav, sabayon, polkituser,
> postfix, majordomo, quagga, exim, distcache, radiusd, hsqldb, dovecot, ident,
> nobody, qemu, ovirt, saned, nfsnobody.

This appears to be a bug in how rpmlint parses the list of standard UIDs, filed
#568498 to get it fixed.

> nss-pam-ldapd.x86_64: E: non-readable /etc/nslcd.conf 0600
> The file can't be read by everybody. If this is expected (for security
> reasons), contact your rpmlint distributor to get it added to the list of
> exceptions for your distro (or add it to your local configuration if you
> installed rpmlint from the source tarball).

If nslcd needs to have a secret such as a password to bind to the directory, it
goes in here, so it's not world-readable.  Filed bug #568499 to have that
allowed.

> nss-pam-ldapd.x86_64: W: devel-file-in-non-devel-package
> /usr/lib64/libnss_ldap.so
> A development file (usually source code) is located in a non-devel package. If
> you want to include source code in your package, be sure to create a
> development package.

The nsswitch interface doesn't come with header files, but glibc's modules
include a .so link so that people who know what to expect can link with them. 
If there were a -devel subpackage, this symlink would be the only thing in it,
so I don't think we should bother splitting it out.

> nss-pam-ldapd.x86_64: W: missing-lsb-keyword Required-Stop in
> /etc/rc.d/init.d/nslcd
> The package contains an init script that does not contain one of the LSB init
> script comment block convention keywords that are recommendable for all init
> scripts.  If there is nothing to add to a keyword's value, include the keyword
> in the script with an empty value.  Note that as of version 3.2, the LSB
> specification does not mandate presence of any keywords.

The result looks kind of silly to me, but okay, fixing.

> nss-pam-ldapd.x86_64: W: missing-lsb-keyword Default-Stop in
> /etc/rc.d/init.d/nslcd
> The package contains an init script that does not contain one of the LSB init
> script comment block convention keywords that are recommendable for all init
> scripts.  If there is nothing to add to a keyword's value, include the keyword
> in the script with an empty value.  Note that as of version 3.2, the LSB
> specification does not mandate presence of any keywords.

The result looks kind of silly to me, but okay, fixing.

> nss-pam-ldapd.x86_64: W: incoherent-subsys /etc/rc.d/init.d/nslcd $prog
> The filename of your lock file in /var/lock/subsys/ is incoherent with your
> actual init script name. For example, if your script name is httpd, you have
> to use 'httpd' as the filename in your subsys directory. It is also possible
> that rpmlint gets this wrong, especially if the init script contains
> nontrivial shell variables and/or assignments.  These cases usually manifest
> themselves when rpmlint reports that the subsys name starts a with '$'; in
> these cases a warning instead of an error is reported and you should check the
> script manually.
>
> nss-pam-ldapd.x86_64: W: incoherent-subsys /etc/rc.d/init.d/nslcd $prog
> The filename of your lock file in /var/lock/subsys/ is incoherent with your
> actual init script name. For example, if your script name is httpd, you have
> to use 'httpd' as the filename in your subsys directory. It is also possible
> that rpmlint gets this wrong, especially if the init script contains
> nontrivial shell variables and/or assignments.  These cases usually manifest
> themselves when rpmlint reports that the subsys name starts a with '$'; in
> these cases a warning instead of an error is reported and you should check the
> script manually.
> 
> nss-pam-ldapd.x86_64: W: incoherent-subsys /etc/rc.d/init.d/nslcd $prog
> The filename of your lock file in /var/lock/subsys/ is incoherent with your
> actual init script name. For example, if your script name is httpd, you have
> to use 'httpd' as the filename in your subsys directory. It is also possible
> that rpmlint gets this wrong, especially if the init script contains
> nontrivial shell variables and/or assignments.  These cases usually manifest
> themselves when rpmlint reports that the subsys name starts a with '$'; in
> these cases a warning instead of an error is reported and you should check the
> script manually.
> 
> nss-pam-ldapd.x86_64: W: incoherent-subsys /etc/rc.d/init.d/nslcd $prog
> The filename of your lock file in /var/lock/subsys/ is incoherent with your
> actual init script name. For example, if your script name is httpd, you have
> to use 'httpd' as the filename in your subsys directory. It is also possible
> that rpmlint gets this wrong, especially if the init script contains
> nontrivial shell variables and/or assignments.  These cases usually manifest
> themselves when rpmlint reports that the subsys name starts a with '$'; in
> these cases a warning instead of an error is reported and you should check the
> script manually.
> 
> nss-pam-ldapd.x86_64: W: incoherent-subsys /etc/rc.d/init.d/nslcd $prog
> The filename of your lock file in /var/lock/subsys/ is incoherent with your
> actual init script name. For example, if your script name is httpd, you have
> to use 'httpd' as the filename in your subsys directory. It is also possible
> that rpmlint gets this wrong, especially if the init script contains
> nontrivial shell variables and/or assignments.  These cases usually manifest
> themselves when rpmlint reports that the subsys name starts a with '$'; in
> these cases a warning instead of an error is reported and you should check the
> script manually.

$prog is "nslcd", and constructions which feature it instead of a specific name
are already translated by the initscripts package, so this should be okay.

> nss-pam-ldapd.x86_64: W: incoherent-init-script-name nslcd ('nss-pam-ldapd',
> 'nss-pam-ldapdd')
> The init script name should be the same as the package name in lower case, or
> one with 'd' appended if it invokes a process by that name.
> 
> 1 packages and 0 specfiles checked; 1 errors, 10 warnings.    

This would complicate the upgrade cases from when the package used to be named
nss-ldapd, I believe without much benefit.  The init script is named after the
daemon it starts and stops, which is what we do for daemons like httpd and
sshd.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the package-review mailing list