[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp
bugzilla at redhat.com
Thu Jul 24 03:44:14 UTC 2008
Summary: Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp
https://bugzilla.redhat.com/show_bug.cgi?id=456182
------- Additional Comments From debarshi.ray at gmail.com 2008-07-23 23:44 EST -------
MUST Items:
xx - rpmlint is unclean on RPM (can be ignored)
+ [rishi at ginger x86_64]$ rpmlint rssh-2.3.2-1.fc8.x86_64.rpm
rssh.x86_64: E: setuid-binary /usr/libexec/rssh_chroot_helper root 04755
rssh.x86_64: E: non-standard-executable-perm /usr/libexec/rssh_chroot_helper 04755
[rishi at ginger x86_64]$
OK - follows Naming Guidelines
OK - spec file is named as %{name}.spec
OK - package does not meet Packaging Guidelines
+ To preserve timestamps you could consider using:
make install INSTALL="%{__install} -p" DESTDIR=$RPM_BUILD_ROOT
+ https://fedoraproject.org/wiki/Packaging/Guidelines#Libexecdir suggests
that files be put into package-specific subdirectories. Can this be done?
OK - license meets Licensing Guidelines
OK - License field meets actual license
OK - upstream license file included in %doc
OK - spec file uses American English
OK - spec file is legible
OK - sources match upstream sources
OK - package builds successfully
OK - ExcludeArch not needed
OK - build dependencies correctly listed
+ It might be a good idea to add cvs, rdist and rsync to BuildRequires,
because the configure script hard-codes their path to /usr/bin/cvs,
/usr/bin/rdist, and /usr/bin/rsync, when they are absent.
OK - no locales
OK - no shared libraries
OK - package is not relocatable
OK - file and directory ownership
OK - no duplicates in %file
xx - file permissions set properly
+ The preferred attribute definition is: %defattr(-,root,root,-). If you use
it, the %attr(755, root, root) and %attr(4755, root, root) become redundant.
Since the example scripts will be retaining their executable bits, they can be
turned off somewhere in the spec (maybe the %setup stanza).
+ The rssh(1) manual says:
    Additionally, create a group, for example "rsshuser", for rssh users.
    Put all your users who will be restricted by rssh in that group. Set
    the ownership and permissions on rssh and rssh_chroot_helper so that
    only those users can execute them. The following commands should
    illustrate:

        # groupadd rsshuser
        # chown root:rsshuser rssh rssh_chroot_helper
        # chmod 550 rssh
        # chmod 4550 rssh_chroot_helper

Fedora's packaging guidelines for users and groups
(https://fedoraproject.org/wiki/Packaging/UsersAndGroups) might then come into
the picture.
OK - %clean present
OK - macros used consistently
OK - contains code and permissible content
OK - -doc is not needed
OK - contents of %doc does not affect the runtime
OK - no header files
OK - no static libraries
OK - no pkgconfig files
OK - no library files
OK - -devel is not needed
OK - no libtool archives
OK - %{name}.desktop file not needed
OK - does not own files or directories owned by other packages
OK - buildroot correctly prepped
OK - all file names valid UTF-8
SHOULD Items:
OK - upstream provides license text
xx - no translations for description and summary
OK - package builds in mock successfully
OK - package builds on all supported architectures
OK - package functions as expected
OK - scriptlets are sane
OK - subpackages are not needed
OK - no pkgconfig files
OK - no file dependencies
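
Added example (not part of the review comment, rssh, or the Fedora package): a small audit that compares a file's mode, owner and group with the layout quoted from rssh(1) above, flagging the 04755 case that rpmlint reported. It assumes GNU coreutils stat(1); the function names mode_finding and audit_path are hypothetical, and the modes in the demo loop are constructed samples.

```shell
#!/bin/sh
# Added example: audit rssh binaries against the modes suggested in rssh(1).
# Assumes GNU coreutils stat(1). Function names are hypothetical.

# mode_finding MODE: classify an octal mode string as printed by `stat -c %a`.
mode_finding() {
    m=$1
    while [ "${#m}" -lt 4 ]; do m="0$m"; done   # left-pad: 550 -> 0550
    special=${m%???}    # first digit: setuid (4), setgid (2), sticky (1)
    other=${m#???}      # last digit: permissions granted to "other"
    if [ $(( special & 4 )) -ne 0 ] && [ $(( other & 1 )) -ne 0 ]; then
        echo "setuid-world-executable"   # e.g. 4755: any local user can run it
    elif [ "$other" -ne 0 ]; then
        echo "other-access"              # e.g. 755: not limited to the group
    else
        echo "ok"                        # e.g. 4550 or 550
    fi
}

# audit_path PATH GROUP: print one line per deviation from root:GROUP with no
# access for "other". Returns 0 if clean, 1 if flagged, 2 if stat failed.
audit_path() {
    path=$1; want_group=$2; rc=0
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info                         # $1=mode $2=owner $3=group
    finding=$(mode_finding "$1")
    [ "$finding" = ok ] || { echo "$path: mode $1: $finding"; rc=1; }
    [ "$2" = root ] || { echo "$path: owner is $2, expected root"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "$path: group is $3, expected $want_group"; rc=1; }
    return $rc
}

# Demo on constructed mode strings (no files are touched).
for sample in 4755 4550 755 550; do
    printf '%s -> %s\n' "$sample" "$(mode_finding "$sample")"
done

# On an installed system, for example:
#   audit_path /usr/libexec/rssh_chroot_helper rsshuser
```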