
Bug 234445

Summary: Review Request: mod_auth_shadow - An Apache module for authentication using /etc/shadow
Product: [Fedora] Fedora
Reporter: David Anderson <fedora-packaging>
Component: Package Review
Assignee: Jochen Schmitt <jochen>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium
Priority: medium
Version: rawhide
Flags: jochen: fedora-review+, jwboyer: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-04-03 06:51:37 UTC

Description David Anderson 2007-03-29 11:24:44 UTC
Spec URL:

When performing this task one encounters one fundamental
difficulty: The /etc/shadow file is supposed to be
read/writeable only by root.  However, the webserver is
supposed to run under a non-root user, such as "nobody".

mod_auth_shadow addresses this difficulty by opening a pipe
to an suid root program, validate, which does the actual
validation.  When there is a failure, validate writes an
error message to the system log, and waits three seconds
before exiting.

Comment 1 Jochen Schmitt 2007-03-29 14:57:21 UTC
+ Rpmlint is quiet on source rpm.
+ Local build works fine.
+ License seems ok
+ Naming seems ok

+ Rpmlint complains about the binary RPM.
rpmlint mod_auth_shadow-2.1-1.x86_64.rpm
E: mod_auth_shadow setuid-binary /usr/sbin/validate root 04755
E: mod_auth_shadow non-standard-executable-perm /usr/sbin/validate 04755
- Debuginfo RPM contains no sources
- Use a better source URL to (??)

Comment 2 David Anderson 2007-03-29 15:08:15 UTC
Thanks for the review. I believe everything's OK now. New versions with URLs 
as before.

Debuginfo RPM: Fixed (I shouldn't have stripped the binaries on installation).

rpmlint complains about the setuid root binary : this can be disregarded - 
it's meant to be a setuid binary, that's the design; you can't 
read /etc/shadow without it! (The non-standard permission is a permutation on 
this error: it's the setuid bit which is nonstandard).

Sourceforge URL... I can't see any problem with this. 

Comment 3 Jochen Schmitt 2007-04-01 18:28:41 UTC
+ Tar ball matches with upstream.
+ License ok.

- Package contains no verbatim text of the license
  (Please contact upstream to include it in the next release)
- Debuginfo package contains no sources.

Please increase the release number when you upload a new release of your package.

Comment 4 David Anderson 2007-04-02 12:28:14 UTC
New versions, which I believe satisfy both mentioned requirements:

Spec URL:

I've included a copy of the GPL to satisfy the GPL's own requirements, and 
I've contacted upstream to ask them to include it themselves in future 

The debuginfo was a mistake - somehow I'd not updated the uploaded src.rpm 
which had fixed this. I've bumped the version to make sure that doesn't happen 
this time.

Comment 5 manuel wolfshant 2007-04-02 12:34:21 UTC
David, you should not include the license by yourself. Please see, under MUST:

- MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.

Comment 6 David Anderson 2007-04-02 12:43:11 UTC
Spec URL:

Thanks wolfshant. New versions.

I disagree with those guidelines, as the GPL itself requires that the GPL be 
included in the distribution. It seems to me that Fedora can't redistribute 
without fulfilling those terms. Upstream isn't bound by those terms as it's 
the copyright holder, but we are, so we ought to include a copy of the GPL.

So I think Tom Callaway has got that wrong. But, I don't make the rules, so 
the new SRPM I've uploaded does it the suggested way... I assume that Fedora 
legal knows what it's doing.

Comment 7 Jochen Schmitt 2007-04-02 15:28:36 UTC
+ Naming seems ok
+ License ok.
+ Local build works ok.
+ Binary package ok.
+ Debuginfo package ok.
+ Mock build works fine.
+ Local install and uninstall works fine.
+ Start of httpd with installed package works fine.

- Package contains no verbatim copy of the license
  (Please contact upstream for including it in the next release)

Comment 8 David Anderson 2007-04-02 15:37:26 UTC
New Package CVS Request
Package Name: mod_auth_shadow
Short Description: An Apache module for authentication using /etc/shadow
Branches: FC-5 FC-6 EL-4 EL-5

Comment 9 David Anderson 2007-04-02 16:48:50 UTC
Upstream has released a new release which includes the license file:

Spec URL:

Comment 10 David Anderson 2007-04-03 06:51:37 UTC
OK, in CVS and built for devel now. Thanks to everyone who helped.