[Pkg-shadow-devel] Bug#1074306: useradd, adduser disagree about allowable names
Chris Hofstaedtler
zeha at debian.org
Sun Nov 10 11:24:34 GMT 2024
On Mon, Oct 28, 2024 at 05:19:35PM +0100, Marc Haber wrote:
> On Wed, Jun 26, 2024 at 12:37:55PM +0200, Chris Hofstaedtler wrote:
> > However, adduser has an explicit test to allow "bob;>/hacked", which
> > now fails.
>
> This is not the only test that has started failing.
>
> This is a test to check whether mitigation against #940577 still works.
>
> If I understand correctly useradd will now not accept a username with a
> semicolon or a >, right? If so, I can remove the test.

Correct.

> We still have other tests failing because of this useradd change, and I
> think that useradd upstream is being too picky here. For example,
> usernames like DOMAIN\user are regularly used in Windows environments and
> some users might want to have the same user names on their Debian
> systems. Since adduser cannot create a user that useradd would not
> create, I'd like to make up our minds to what we want to allow us to
> stay in sync with each other.

Right. As you know, mjt thinks having DOMAIN\user in /etc/passwd
does not work anymore for samba. I'm reluctant to patch support
into src:passwd if it's likely that the previous use cases do not
work anymore, regardless of passwd/adduser supporting it.

> > Do the adduser maintainers have specific requirements in mind for
> > the allowable names?
> >
> > useradd is supposed to follow this regex:
> > [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
> >
> > (Note that it open-codes that as a per-character check instead, but
> > if that's buggy it can be fixed.)
>
> I think we have some explanation in the manual pages. Did you look at
> them?

I've now checked man adduser.conf, and can see this:

| Defaults to the most conservative ^[a-z_][-a-z0-9_]*$.

This is more restrictive than what useradd now enforces.

> We also have adduser.conf which allows the local user to tweak the
> regexps.

I guess that either needs some text on what is allowable (but
deferring to useradd somehow), or maybe adduser just defers all
name checking to useradd and removes the configuration options?

Chris
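
Added example (not part of the original message, and not code from shadow or adduser): a check of candidate names against the two patterns quoted in this thread, listing names an adduser-side regex would accept but the useradd pattern would reject. It assumes the trailing `$\?` in the useradd regex means an optional literal '$'; the sample names and the relaxed local pattern are constructed.

```python
import re

# useradd pattern as quoted in the thread. Assumption: the trailing `$\?` is an
# optional literal '$'. This models the quoted regex only, not useradd's
# per-character check in C.
USERADD_PATTERN = r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\$?"

# adduser.conf default as quoted in the thread. The ^...$ anchors are dropped
# because fullmatch() is used, which also avoids '$' matching before a
# trailing newline.
ADDUSER_DEFAULT_PATTERN = r"[a-z_][-a-z0-9_]*"

# Hypothetical locally relaxed adduser regex (constructed for illustration).
RELAXED_LOCAL_PATTERN = r"[^:\n]+"

# Constructed sample names; "bob;>/hacked" and "DOMAIN\user" come from the thread.
SAMPLES = ["bob", "_svc", "Alice", "john.doe", "host$", "-dash",
           "bob;>/hacked", "DOMAIN\\user", "bob\n"]


def accepts(pattern, name):
    """True if the whole name matches the pattern."""
    return re.fullmatch(pattern, name) is not None


def out_of_sync(adduser_pattern, names=SAMPLES):
    """Names the adduser-side pattern accepts but the useradd pattern rejects."""
    return [n for n in names
            if accepts(adduser_pattern, n) and not accepts(USERADD_PATTERN, n)]


def useradd_only(adduser_pattern, names=SAMPLES):
    """Names the useradd pattern accepts but the adduser-side pattern rejects."""
    return [n for n in names
            if accepts(USERADD_PATTERN, n) and not accepts(adduser_pattern, n)]


if __name__ == "__main__":
    for label, pat in [("default", ADDUSER_DEFAULT_PATTERN),
                       ("relaxed", RELAXED_LOCAL_PATTERN)]:
        print(label, "accepted by adduser regex, rejected by useradd regex:",
              [repr(n) for n in out_of_sync(pat)])
        print(label, "accepted by useradd regex only:",
              [repr(n) for n in useradd_only(pat)])
```
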