[Pkg-shadow-devel] Bug#1074306: useradd, adduser disagree about allowable names

Marc Haber mh+debian-packages at zugschlus.de
Mon Oct 28 16:19:35 GMT 2024


Hi,

I apologize for not coming back to this any earlier. The reason was that
I needed to think myself again into the complex autopkgtests for valid
user names which are actually generated at run-time of the tests. And
since I didn't write that code, things are even a bit harder.


On Wed, Jun 26, 2024 at 12:37:55PM +0200, Chris Hofstaedtler wrote:
> However, adduser has an explicit test to allow "bob;>/hacked", which
> now fails.

This is not the only test that has started failing.

This is a test to check whether mitigation against #940577 still works.

If I understand correctly useradd will now not accept a username with a
semicolon or a >, right? If so, I can remove the test.

We still have other tests failing because of this useradd change, and I
think that useradd upstream is being too picky here. For example,
usernames like DOMAIN\user are regularly used in Windows environments and
some users might want to have the same user names on their Debian
systems. Since adduser cannot create a user that useradd would not
create, I'd like to make up our minds to what we want to allow us to
stay in sync with each other.

> Do the adduser maintainers have specific requirements in mind for
> the allowable names?
> 
> useradd is supposed to follow this regex:
>   [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
> 
> (Note that it open-codes that as a per-character check instead, but
> if that's buggy it can be fixed.)

I think we have some explanation in the manual pages. Did you look at
them? We also have adduser.conf which allows the local user to tweak the
regexps. I am open to your comments.

Greetings
Marc
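
Added example (not part of this message, and not shadow's or adduser's code): a per-character check in C for the regex quoted above, run against the two names discussed in the thread. It assumes the regex must match the whole name and that the trailing `$\?` means an optional final `$`; the function name `name_matches_regex` is hypothetical and the other sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only test, so the result does not depend on the locale. */
static bool is_ascii_alnum(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Whole-name match against [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
 * Returns true on match. On failure, stores the offset of the first
 * offending character in *bad (0 for the empty string) if bad != NULL. */
bool name_matches_regex(const char *name, size_t *bad)
{
    size_t len = strlen(name);
    size_t i;

    for (i = 0; i < len; i++) {
        char c = name[i];
        if (is_ascii_alnum(c) || c == '_' || c == '.')
            continue;                 /* allowed in any position */
        if (c == '-' && i > 0)
            continue;                 /* allowed, but not as first char */
        if (c == '$' && i > 0 && i == len - 1)
            continue;                 /* optional final '$' only */
        break;
    }
    if (len == 0 || i < len) {
        if (bad)
            *bad = i;
        return false;
    }
    return true;
}

int main(void)
{
    /* First two names are from the thread; the rest are constructed. */
    const char *names[] = { "bob;>/hacked", "DOMAIN\\user", "john.doe",
                            "machine$", "-bob", "a$b", "" };
    for (size_t n = 0; n < sizeof names / sizeof names[0]; n++) {
        size_t bad = 0;
        if (name_matches_regex(names[n], &bad))
            printf("accept  \"%s\"\n", names[n]);
        else
            printf("reject  \"%s\" (offset %zu)\n", names[n], bad);
    }
    return 0;
}
```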


