[Pkg-shadow-devel] Bug#1074306: useradd, adduser disagree about allowable names
Marc Haber
mh+debian-packages at zugschlus.de
Sun Nov 10 12:29:53 GMT 2024
On Sun, Nov 10, 2024 at 12:24:34PM +0100, Chris Hofstaedtler wrote:
> On Mon, Oct 28, 2024 at 05:19:35PM +0100, Marc Haber wrote:
> > We still have other tests failing because of this useradd change, and I
> > think that useradd upstream is being too picky here. For example,
> > usernames like DOMAIN\user are regularly used in Windows environments and
> > some users might want to have the same user names on their Debian
> > systems. Since adduser cannot create a user that useradd would not
> > create, I'd like to make up our minds to what we want to allow us to
> > stay in sync with each other.
>
> Right. As you know, mjt thinks having DOMAIN\user in /etc/passwd
> does not work anymore for samba. I'm reluctant to patch support
> into src:passwd, if it's likely that the previous use cases do not
> work anymore, regardless of passwd/adduser supporting it.

I understand.

> > > Do the adduser maintainers have specific requirements in mind for
> > > the allowable names?
> > >
> > > useradd is supposed to follow this regex:
> > > [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
> > >
> > > (Note that it open-codes that as a per-character check instead, but
> > > if that's buggy it can be fixed.)
> >
> > I think we have some explanation in the manual pages. Did you look at
> > them?
>
> I've now checked man adduser.conf, and can see this:
>
> | Defaults to the most conservative ^[a-z_][-a-z0-9_]*$.
>
> This is more restrictive than what useradd now enforces.

Yes, but it is just the default, allowing the local admin to override.
useradd's restrictions cannot be overridden by configuration (can they?)
and should thus be more liberal.

> > We also have adduser.conf which allows the local user to tweak the
> > regexps.
>
> I guess that either needs some text on what is allowable (but
> deferring to useradd somehow), or maybe adduser just defers all
> name checking to useradd and removes the configuration options?

That would be the best option, but it would need a possibility to
distinguish useradd not liking the name from another random error
condition, thus require a dedicated exit code from useradd. I'd rather
not parse useradd's stderr to find out what's wrong.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
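
An added example, not part of the original message and not code from shadow or adduser: it models only the two regexes quoted in the thread and shows which candidate names each one accepts. It assumes the trailing `$\?` in the useradd regex means an optional literal `$`; the function names and the sample names are constructed for illustration.

```python
import re

# Patterns as quoted in the thread. The anchors are dropped because
# fullmatch() is used: in Python a trailing `$` also matches just before
# a final newline, which would let "alice\n" through.
# Assumption: `$\?` in the quoted useradd regex is an optional literal '$'.
USERADD_RE = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\$?")
# Default quoted from adduser.conf(5) in the thread.
ADDUSER_DEFAULT_RE = re.compile(r"[a-z_][-a-z0-9_]*")


def classify(name: str) -> str:
    """Say which of the two quoted regexes accepts `name`."""
    by_useradd = USERADD_RE.fullmatch(name) is not None
    by_adduser = ADDUSER_DEFAULT_RE.fullmatch(name) is not None
    if by_useradd and by_adduser:
        return "both"
    if by_useradd:
        return "useradd-only"
    if by_adduser:
        return "adduser-only"
    return "neither"


def disagreements(names):
    """Return the names on which the two regexes give different answers."""
    result = {}
    for name in names:
        verdict = classify(name)
        if verdict in ("useradd-only", "adduser-only"):
            result[name] = verdict
    return result


# Constructed sample names, not taken from any real system.
SAMPLES = ["alice", "_svc", "Alice", "john.doe", "1user", "host$",
           "DOMAIN\\user", "-dash", "alice\n", ""]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:16} {classify(sample)}")
```

Every name the quoted adduser default accepts is also accepted by the quoted useradd regex, so the disagreement only ever runs one way; names such as `DOMAIN\user` are rejected by both.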