[Pkg-shadow-devel] Bug#400683: passwd: useradd creates users with spaces in usernames

Paul Visscher paulv at canonical.org
Mon Nov 27 23:38:28 UTC 2006 

Package: passwd
Version: 1:4.0.3-31sarge9
Severity: important
Tags: patch

(Despite the similarity in domain name, I am not in any way affiliated
with Ubuntu or Canonical Ltd.)

useradd allows users to be created with spaces in their usernames.
Worse, all the utilities to delete users can't delete users with spaces
in their usernames. I don't think spaces should be valid in usernames,
so below is a patch that mostly fixes the problem. " foo" and "foo " are
rejected, but "f: oo" is not. I'm not sure about why things were
ifdef'ed out in libmisc/chkname.c, but there is probably a more elegant
solution.

This problem is also present in 4.0.18.1-5 from unstable, but I'm not
running unstable. The patch is similar, though the proper place to add a
similar patch is debian/patches/506_relaxed_usernames. I filed this bug
with Ubuntu
(https://bugs.launchpad.net/distros/ubuntu/+source/shadow/+bug/71242)
and included a patch there.

Here is a patch for sarge:

--- shadow-4.0.3/libmisc/chkname.c	2006-11-27 18:22:03.000000000 -0500
+++ shadow-4.0.3-paulv/libmisc/chkname.c	2006-11-27 18:17:50.000000000 -0500
@@ -37,12 +37,20 @@
 	}
 #endif
 	/* seeing no sufficiently good reason for the above... */
+
+	/* leading space */
+	if (*name == ' ')
+		return 0;
+
 	if (*name == '-')
 		return 1;
-	while (*++name)
+
+	while (*++name) {
+		if (*name == ' ')
+			return 0;
 		if (*name == ':')
 			return 1;
-
+	}	
 	return 1;
 }
 
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.33.1-grsec
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages passwd depends on:
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libpam-modules        0.76-22            Pluggable Authentication Modules f
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  login                 1:4.0.3-31sarge9   system login tools

-- debconf information:
  passwd/password-mismatch:
  passwd/username:
  passwd/password-empty:
  passwd/make-user: true
  passwd/md5: false
  passwd/shadow: true
  passwd/username-bad:
  passwd/user-fullname:

More information about the Pkg-shadow-devel mailing list