[Pkg-shadow-devel] Ubuntu shadow 1:4.8.1-1ubuntu9

Ubuntu Merge-o-Matic mom at ubuntu.com
Tue Jul 13 18:11:21 BST 2021


This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
changes.  It contains the difference between the new version and the
previous version of the same source package in Ubuntu.
-------------- next part --------------
Format: 1.8
Date: Thu, 17 Jun 2021 14:35:15 -0500
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.8.1-1ubuntu9
Distribution: impish
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: William 'jawn-smith' Wilson <william.wilson at canonical.com>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Launchpad-Bugs-Fixed: 1927078
Changes: 
 shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
 .
   * Disallow purely numeric usernames. This includes hexadecimal and
     octal syntax. (LP: #1927078)
Checksums-Sha1: 
 00b71c72fbe082ecd55671d027d971653d9a952b 2345 shadow_4.8.1-1ubuntu9.dsc
 2737f8057c325451234c5a08a23312a9193af15f 86872 shadow_4.8.1-1ubuntu9.debian.tar.xz
Checksums-Sha256: 
 59205ab6c18291ac2b6daeaddf13b0f84befccadb51641b140f91cd729a37d36 2345 shadow_4.8.1-1ubuntu9.dsc
 57db560d00b7f1183a89d70b5799174bff02bf545d6b364d77b8ac32d3d50bb7 86872 shadow_4.8.1-1ubuntu9.debian.tar.xz
Files: 
 2ee7fa069f7a66aedb6366f85af463ac 2345 admin required shadow_4.8.1-1ubuntu9.dsc
 9aeb066436d5b3e08ac3d2caada3bef2 86872 admin required shadow_4.8.1-1ubuntu9.debian.tar.xz
Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
-------------- next part --------------
diff -pruN 1:4.8.1-1ubuntu8/debian/changelog 1:4.8.1-1ubuntu9/debian/changelog
--- 1:4.8.1-1ubuntu8/debian/changelog	2021-01-07 05:05:37.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/changelog	2021-06-17 19:35:15.000000000 +0000
@@ -1,3 +1,10 @@
+shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
+
+  * Disallow purely numeric usernames. This includes hexadecimal and
+    octal syntax. (LP: #1927078)
+
+ -- William 'jawn-smith' Wilson <william.wilson at canonical.com>  Thu, 17 Jun 2021 14:35:15 -0500
+
 shadow (1:4.8.1-1ubuntu8) hirsute; urgency=medium
 
   * Enable private home directories by default (LP: #48734)
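
Review bot: the new changelog entry names only usernames, while the same upload also documents the restriction for group names in man/groupadd.8.xml and adds the debian/tests/numeric-username autopkgtest. Suggest extending the entry to mention group names and the new test so the changelog matches what ships.
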
diff -pruN 1:4.8.1-1ubuntu8/debian/patches/506_relaxed_usernames 1:4.8.1-1ubuntu9/debian/patches/506_relaxed_usernames
--- 1:4.8.1-1ubuntu8/debian/patches/506_relaxed_usernames	2020-02-07 15:32:06.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/patches/506_relaxed_usernames	2021-06-17 19:35:15.000000000 +0000
@@ -25,7 +25,7 @@ Details:
  	/*
  	 * User/group names must match [a-z_][a-z0-9_-]*[$]
  	 */
-@@ -73,6 +74,26 @@
+@@ -73,7 +74,62 @@
  			return false;
  		}
  	}
@@ -37,24 +37,60 @@ Details:
 +	 *
 +	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
 +	 */
++	bool is_numeric = true;
++	bool is_hex = true;
++	bool is_octal = true;
++	/*
++	 * We skip the hex and octal checks for the first two characters in the
++	 * loop, and inspect them individually before the loop starts. This
++	 * checks for "0x" and "0o" at the beginning of the username while still
++	 * treating "x" and "o" as non-numeric characters in all other scenarios
++	 */
++	int chars_checked = 0;
++
 +	if (   ('\0' == *name)
 +	    || ('-'  == *name)
 +	    || ('~'  == *name)
 +	    || ('+'  == *name)) {
 +		return false;
 +	}
++	/* if the username does not start with "0x" it is not hexadecimal */
++	if (*name != '0' || *(name + 1) != 'x') {
++		is_hex = false;
++	}
++	/* if the username does not start with "0o" it is not octal */
++	if (*name != '0' || *(name + 1) != 'o') {
++		is_octal = false;
++	}
 +	do {
 +		if ((':' == *name) || (',' == *name) || isspace(*name)) {
 +			return false;
 +		}
++		if ((*name < '0' || *name > '9')) {
++			is_numeric = false;
++		}
++		if ((*name < '0' || *name > '9') &&
++		    (*name < 'A' || *name > 'F') &&
++		    (*name < 'a' || *name > 'f') &&
++		    chars_checked >= 2) {
++			is_hex = false;
++		}
++		if ((*name < '0' || *name > '7') && chars_checked >= 2) {
++			is_octal = false;
++		}
++		chars_checked++;
 +		name++;
 +	} while ('\0' != *name);
  
++	if (is_numeric || is_hex || is_octal) {
++		return false;
++	}
  	return true;
  }
+ 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -662,12 +662,20 @@
+@@ -662,12 +662,25 @@
      </para>
  
      <para>
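
Review bot: the prefix checks before the loop match only lowercase prefixes (`*(name + 1) != 'x'` and `*(name + 1) != 'o'`), so a name such as 0XDEADBEEF clears both is_hex and is_numeric and is accepted, even though strtol-family parsers with base 0 or 16 accept the uppercase 0X prefix as hexadecimal. Suggest testing both cases, e.g. `(name[1] != 'x' && name[1] != 'X')`, and adding an uppercase-prefix case to the test list. Separately, a bare "0x" or "0o" is rejected because no character ever reaches the `chars_checked >= 2` checks and is_hex/is_octal stay true; the comment should say whether that is intended. The range comparisons could also be written with isdigit()/isxdigit(), since the function already relies on <ctype.h> for isspace().
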
@@ -73,12 +109,17 @@ Details:
 +      user's home directory.
 +    </para>
 +    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the username cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
++    <para>
        Usernames may only be up to 32 characters long.
      </para>
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -273,12 +273,18 @@
+@@ -273,12 +273,23 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
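
Review bot: the added useradd paragraph says "This includes octal and hexadecimal syntax" without saying which spellings count, and the code only treats names beginning with "0x" or "0o" that way. Suggest naming the two prefixes in the paragraph, with one example of each, so an administrator can tell why a name like 0xcafe42 is refused while 0xo is allowed.
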
@@ -94,6 +135,11 @@ Details:
 +       colon (':'), a comma (','), or a whitespace (space:' ',
 +       end of line: '\n', tabulation: '\t', etc.).
 +     </para>
++    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the groupname cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
 +     <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
       </para>
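
Review bot: the added groupadd paragraph is indented one column less than its neighbours (`++    <para>` against ` +     <para>`), so the patched groupadd.8.xml ends up with mixed indentation inside the CAVEATS section. Suggest re-indenting the five added lines to match. The paragraph would also be clearer if it named the "0x" and "0o" prefixes that the check recognises.
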
diff -pruN 1:4.8.1-1ubuntu8/debian/tests/control 1:4.8.1-1ubuntu9/debian/tests/control
--- 1:4.8.1-1ubuntu8/debian/tests/control	2020-03-09 09:33:50.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/tests/control	2021-06-17 19:35:15.000000000 +0000
@@ -1,2 +1,2 @@
-Tests: smoke
+Tests: smoke, numeric-username
 Restrictions: needs-root, allow-stderr
diff -pruN 1:4.8.1-1ubuntu8/debian/tests/numeric-username 1:4.8.1-1ubuntu9/debian/tests/numeric-username
--- 1:4.8.1-1ubuntu8/debian/tests/numeric-username	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/tests/numeric-username	2021-06-17 19:35:15.000000000 +0000
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -ux
+
+# purely numeric usernames are considered invalid
+for invalidUsername in "0" "00" "0123456789" "0x0" "0x0123456789" "0o0" "0o01234567" "0xDEADBEEF" "0xcafe42" "0xdeadbeef" "0xdeadBEEF"
+do
+	useradd $invalidUsername
+	ret=$?
+	if [ $ret -eq 0 ]
+	then
+		exit 1
+	fi
+done
+
+# usernames that start with a digit and contain other valid characters should not fail
+for validUsername in "0root" "0123456789root" "0-0" "0_0" "0.o" "0xo" "0-o" "0_o" "0x0x0x0" "0o0123456789" "0.0.0.0" "0x123.456.789" "0o123.456.789" "123.456" "0.0" "0xdeadbeefjawn-smith" "0o123jawn-smith"
+do
+	useradd $validUsername
+	ret=$?
+	if [ $ret -ne 0 ]
+	then
+		exit 1
+	fi
+done
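
Review bot: the first loop passes on any non-zero exit from useradd (`if [ $ret -eq 0 ]` is the only failing case), so the test also passes when useradd fails for a reason unrelated to name validation. Suggest asserting the specific exit status useradd returns for an invalid name. The second loop creates its accounts and never removes them, so a second run on the same testbed fails because the accounts already exist; add a userdel for each name created. `$invalidUsername` and `$validUsername` should be quoted, and since the man page change states the same rule for group names, a groupadd loop over the same lists would cover it.
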

