Bug#264879: [Pkg-shadow-devel] Bug#264879: passwd: useradd allows invalid characters as username
Alexander Gattin
Alexander Gattin <arg@online.com.ua>, 264879@bugs.debian.org
Sat, 30 Apr 2005 01:34:00 +0300
retitle 264879 [POST-SARGE] [ALEXANDER] useradd: colon allowed in user/groupnames
thanks
Hi!
On Thu, Mar 31, 2005 at 12:40:34AM +0200, Nicolas François wrote:
> It's even worse: good_name does not return 0 on error. So no checking
> is performed.
Oops! I checked it and good_name really always returns 1.
So you can `useradd us:er:na:me`.
OK. My proposal remains the same: I'll just fix the
"relaxed good_name" patch and probably also disable
usage of '\n' char in user/groupnames.
> Currently, adduser uses a very restrictive regex ("^[a-z][-a-z0-9]*\$";
> which can be disabled with --force-badname) and useradd doesn't check
> anything.
That's done intentionally.
> useradd will still be much more permissive than adduser, but some
> reasonable checks will be performed.
...
> + /*
> + * ':' and '\n' will break /etc/passwd
> + * with '/' the home directory will be an issue
> + */
No, I think we should only guarantee /etc/passwd's &
co. integrity, not spoolfiles'/homedirs' (leave this to
adduser).
--
WBR,
xrgtn