[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp
bugzilla at redhat.com
Sun Aug 10 17:12:47 UTC 2008
https://bugzilla.redhat.com/show_bug.cgi?id=456182
--- Comment #7 from Debarshi Ray <debarshi.ray at gmail.com> 2008-08-10 13:12:45 EDT ---
Created an attachment (id=313897)
--> (https://bugzilla.redhat.com/attachment.cgi?id=313897)
Patch to incorporate Spec file fixes.
(In reply to comment #6)
> http://sundaram.fedorapeople.org/packages/rssh.spec
> http://sundaram.fedorapeople.org/packages/rssh-2.3.2-3.fc10.src.rpm
+ The example scripts provided as documentation should not have their
executable bits set.
+ https://fedoraproject.org/wiki/Packaging/Guidelines#Libexecdir suggests that
files be put into package-specific subdirectories. Can this be done?
+ The %pre scriptlet does not follow the guidelines for users and groups
(https://fedoraproject.org/wiki/Packaging/UsersAndGroups).
You need to add 'Requires(pre): shadow-utils' and the scriptlet needs to end
with an 'exit 0'. I think '|| :' also has the same effect as 'exit 0', but you
might want to be pedantic and be safe.
+ You have mistakenly put fish instead of rssh in the Spec comments.
+ You might want to split the %doc into multiple lines to achieve the 72/80
character rule. But it is a matter of style and up to you.
+ As I had mentioned earlier, the rssh(1) manual recommends:
# chown root:rsshuser rssh rssh_chroot_helper
# chmod 550 rssh
# chmod 4550 rssh_chroot_helper
Please find attached a patch which incorporates these changes. I have
deliberately not bumped the release and added a %changelog. It is your package;
update them as you deem fit.
These changes lead to the following rpmlint issues (which can be ignored):
$ rpmlint rssh
rssh.x86_64: E: non-standard-gid /usr/bin/rssh rsshusers
rssh.x86_64: E: non-readable /usr/bin/rssh 0750
rssh.x86_64: E: non-standard-executable-perm /usr/bin/rssh 0750
rssh.x86_64: E: non-standard-gid /usr/libexec/rssh_chroot_helper rsshusers
rssh.x86_64: E: setuid-binary /usr/libexec/rssh_chroot_helper root 04750
rssh.x86_64: E: non-standard-executable-perm
/usr/libexec/rssh_chroot_helper 04750
rssh.x86_64: E: non-standard-executable-perm
/usr/libexec/rssh_chroot_helper 04750
rssh.x86_64: E: no-binary
rssh.x86_64: W: dangerous-command-in-%postun mv
$
However, using -i reveals some interesting avenues:
+ You might want to add /usr/bin/rssh to the list of files which are not
readable by everyone in Fedora.
rssh.x86_64: E: non-readable /usr/bin/rssh 0750
The file can't be read by everybody. If this is expected (for security
reasons), contact your rpmlint distributor to get it added to the list of
exceptions for your distro (or add it to your local configuration if you
installed rpmlint from the source tarball).
+ Can we have rsshusers as a standard group in Fedora?
rssh.x86_64: E: non-standard-gid /usr/bin/rssh rsshusers
A file in this package is owned by a non standard group.
Standard groups are:
root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
rssh.x86_64: E: non-standard-gid /usr/libexec/rssh_chroot_helper rsshusers
A file in this package is owned by a non standard group.
Standard groups are:
root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail,
news, uucp, man, games, gopher, dip, ftp, lock, nobody, users
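Added example, not part of the original comment or of the rssh package: a shell check for the ownership and modes discussed in the comment above, that is, a setuid helper restricted to one group with no access for "other". It assumes GNU stat, and audit_file is a hypothetical helper name.

```shell
#!/bin/sh
# Added example; audit_file is a hypothetical helper. Assumes GNU stat.
# Usage: audit_file PATH EXPECTED_MODE EXPECTED_GROUP
# Prints one line per finding and returns 1 if there is any, else 0.
audit_file() {
    path=$1; want_mode=$2; want_group=$3; rc=0
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    # Read modes as octal by prefixing a 0, then compare as integers so
    # that "4750" and "04750" are treated as the same mode.
    have=$(printf '%d' "0$(stat -c '%a' "$path")")
    want=$(printf '%d' "0$want_mode")
    have_group=$(stat -c '%G' "$path")

    if [ "$have" -ne "$want" ]; then
        printf '%s: mode %04o, expected %04o\n' "$path" "$have" "$want"
        rc=1
    fi
    if [ "$have_group" != "$want_group" ]; then
        echo "$path: group $have_group, expected $want_group"
        rc=1
    fi
    # 2048 = 04000 (setuid); 7 = rwx bits for "other".
    if [ $((have & 2048)) -ne 0 ] && [ $((have & 7)) -ne 0 ]; then
        echo "$path: setuid and accessible to users outside the group"
        rc=1
    fi
    return $rc
}

# Run as a script: ./audit.sh /usr/libexec/rssh_chroot_helper 04750 rsshusers
if [ "$#" -eq 3 ]; then
    audit_file "$@"
fi
```

The paths, modes and group in the usage comment are the ones shown in the rpmlint output above; running the check after installation confirms that the packaged permissions survived.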