[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp

bugzilla at redhat.com bugzilla at redhat.com
Thu Jul 24 03:44:14 UTC 2008


https://bugzilla.redhat.com/show_bug.cgi?id=456182





------- Additional Comments From debarshi.ray at gmail.com  2008-07-23 23:44 EST -------
MUST Items: 

xx - rpmlint is unclean on RPM (can be ignored)
    + [rishi at ginger x86_64]$ rpmlint rssh-2.3.2-1.fc8.x86_64.rpm
      rssh.x86_64: E: setuid-binary /usr/libexec/rssh_chroot_helper root 04755
      rssh.x86_64: E: non-standard-executable-perm /usr/libexec/rssh_chroot_helper 04755
      [rishi at ginger x86_64]$ 

OK - follows Naming Guidelines
OK - spec file is named as %{name}.spec

OK - package does not meet Packaging Guidelines
    + To preserve timestamps you could consider using:
      make install INSTALL="%{__install} -p" DESTDIR=$RPM_BUILD_ROOT
    + https://fedoraproject.org/wiki/Packaging/Guidelines#Libexecdir suggests
      that files be put into package-specific subdirectories. Can this be done?

OK - license meets Licensing Guidelines
OK - License field meets actual license
OK - upstream license file included in %doc
OK - spec file uses American English
OK - spec file is legible
OK - sources match upstream sources
OK - package builds successfully
OK - ExcludeArch not needed

OK - build dependencies correctly listed
    + It might be a good idea to add cvs, rdist and rsync to BuildRequires,
      because the configure script hard-codes their path to /usr/bin/cvs,
      /usr/bin/rdist, and /usr/bin/rsync, when they are absent.

OK - no locales
OK - no shared libraries
OK - package is not relocatable
OK - file and directory ownership
OK - no duplicates in %file

xx - file permissions set properly
    + The preferred attribute definition is: %defattr(-,root,root,-). If you use
      it, the %attr(755, root, root) and %attr(4755, root, root) become redundant.
      Since the example scripts will be retaining their executable bits, they can be
      turned off somewhere in the spec (maybe the %setup stanza).
    + The rssh(1) manual says:
      Additionally,  create  a group, for example "rsshuser", for rssh users.
      Put all your users who will be restricted by rssh in that  group.   Set
      the  ownership  and  permissions on rssh and rssh_chroot_helper so that
      only those users can  execute  them.   The  following  commands  should
      illustrate:
      # groupadd rsshuser
      # chown root:rsshuser rssh rssh_chroot_helper
      # chmod 550 rssh
      # chmod 4550 rssh_chroot_helper
      Fedora's packaging guidelines for users and groups
      (https://fedoraproject.org/wiki/Packaging/UsersAndGroups) might then come into
      the picture.

OK - %clean present

OK - macros used consistently
OK - contains code and permissible content
OK - -doc is not needed
OK - contents of %doc does not affect the runtime
OK - no header files
OK - no static libraries
OK - no pkgconfig files
OK - no library files
OK - -devel is not needed
OK - no libtool archives
OK - %{name}.desktop file not needed
OK - does not own files or directories owned by other packages
OK - buildroot correctly prepped
OK - all file names valid UTF-8

SHOULD Items:

OK - upstream provides license text
xx - no translations for description and summary
OK - package builds in mock successfully
OK - package builds on all supported architectures
OK - package functions as expected
OK - scriptlets are sane
OK - subpackages are not needed
OK - no pkgconfig files
OK - no file dependencies
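
An added example, not part of the review comment or of rssh itself: a shell audit that compares the installed rssh and rssh_chroot_helper with the ownership and modes quoted from rssh(1) above, and flags the setuid, world-executable 04755 case that rpmlint reported. It assumes GNU coreutils stat; the function names and the /usr/bin location for rssh in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare rssh file modes with the advice quoted from rssh(1).
# Assumes GNU coreutils stat; "rsshuser" is the manual's example group name.

# check_perm FILE WANT_MODE WANT_OWNER WANT_GROUP
# Prints one line per finding; returns 0 on match, 1 otherwise.
check_perm() {
    f=$1 want_mode=$2 want_owner=$3 want_group=$4
    rc=0
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    # %a = octal mode (a leading 4 is the setuid bit), %U/%G = owner/group
    set -- $(stat -c '%a %U %G' "$f")
    cur_mode=$1 cur_owner=$2 cur_group=$3
    if [ "$cur_mode" != "$want_mode" ]; then
        echo "MODE    $f is $cur_mode, expected $want_mode"
        rc=1
    fi
    if [ "$cur_owner:$cur_group" != "$want_owner:$want_group" ]; then
        echo "OWNER   $f is $cur_owner:$cur_group, expected $want_owner:$want_group"
        rc=1
    fi
    # A setuid file whose "other" digit is odd can be run by any local user.
    case $cur_mode in
        [4567]??[1357]) echo "EXPOSED $f is setuid and world-executable"; rc=1 ;;
    esac
    return $rc
}

# audit_rssh BINDIR LIBEXECDIR [OWNER] [GROUP]
# Checks both binaries against the modes given in the manual (550 and 4550).
audit_rssh() {
    bindir=$1 libexecdir=$2 exp_owner=${3:-root} exp_group=${4:-rsshuser}
    status=0
    check_perm "$bindir/rssh" 550 "$exp_owner" "$exp_group" || status=1
    check_perm "$libexecdir/rssh_chroot_helper" 4550 "$exp_owner" "$exp_group" || status=1
    return $status
}

# Runs only when directories are given, e.g. (paths assumed):
#   sh audit_rssh.sh /usr/bin /usr/libexec
if [ "$#" -ge 2 ]; then audit_rssh "$@"; fi
```
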
