[Pkg-shadow-devel] [Git][debian/adduser][wip/new-shadow] 2 commits: Depend on passwd 1:4.19.0-2

[Marc Haber (@zugschlus)]

Marc Haber pushed to branch wip/new-shadow at Debian / adduser


Commits:
9f191f0d by Marc Haber at 2026-01-10T20:46:14+01:00
Depend on passwd 1:4.19.0-2

src:shadow 4.19.0 has tightened its user name checks. Our check
for the crontab hijack vulnerability is therefore no longer possible.
The change to src:shadow prevents that vulnerability earlier than we
could, so we depend on that version now.

- - - - -
5c05dc83 by Marc Haber at 2026-01-10T20:52:17+01:00
Give chpasswd test values that it will accept

This is to work around the more picky chpasswd in new src:shadow

- - - - -


2 changed files:

- debian/control
- debian/tests/f/adduser_system.t


Changes:

=====================================
debian/control
=====================================
@@ -13,7 +13,7 @@ Package: adduser
 Architecture: all
 Multi-Arch: foreign
 Pre-Depends: ${misc:Pre-Depends}
-Depends: passwd (>= 1:4.17.2-5), ${misc:Depends}
+Depends: passwd (>= 1:4.19.0-4), ${misc:Depends}
 Suggests: liblocale-gettext-perl, perl, cron, quota
 Description: add and remove users and groups
  This package includes the 'adduser' and 'deluser' commands for creating


=====================================
debian/tests/f/adduser_system.t
=====================================
@@ -204,9 +204,9 @@ assert_command_success(
 assert_user_exists('aust');
 assert_user_is_system('aust');
 
-system('echo "aust:!foobar" | chpasswd --encrypted');
-# with #1099734 fixed, this should fail
-assert_command_result_silent(RET_WRONG_OBJECT_PROPERTIES,
+system('echo "aust:!" | chpasswd --encrypted');
+ok(1, "set passwd to !");
+assert_command_success(
     '/usr/sbin/adduser',
     '--stdoutmsglevel=error', '--stderrmsglevel=error',
     '--system',
@@ -216,9 +216,11 @@ assert_command_result_silent(RET_WRONG_OBJECT_PROPERTIES,
 assert_user_exists('aust');
 assert_user_is_system('aust');
 
-system('echo "aust:*foobar" | chpasswd --encrypted');
-ok(1, "set passwd to *foobar");
-assert_command_success(
+# $ mkpasswd --hash=yescrypt foobar
+# $y$j9T$dDqPXxXOCZL14/3jiuscW.$P8VGTWHqO1.qLOJs5Mas7Vzj3Ni9Es3QhACrVa0Z5Z3
+system(qq{echo 'aust:!\$y\$j9T\$dDqPXxXOCZL14/3jiuscW.\$P8VGTWHqO1.qLOJs5Mas7Vzj3Ni9Es3QhACrVa0Z5Z3' | chpasswd --encrypted});
+ok(1, "set passwd to !foobar");
+assert_command_result_silent(RET_WRONG_OBJECT_PROPERTIES,
     '/usr/sbin/adduser',
     '--stdoutmsglevel=error', '--stderrmsglevel=error',
     '--system',
@@ -227,12 +229,20 @@ assert_command_success(
 );
 assert_user_exists('aust');
 assert_user_is_system('aust');
-assert_command_success(
-    '/usr/sbin/deluser',
+
+# $ mkpasswd --hash=yescrypt foobar
+# $y$j9T$dDqPXxXOCZL14/3jiuscW.$P8VGTWHqO1.qLOJs5Mas7Vzj3Ni9Es3QhACrVa0Z5Z3
+system(qq{echo 'aust:*\$y\$j9T\$dDqPXxXOCZL14/3jiuscW.\$P8VGTWHqO1.qLOJs5Mas7Vzj3Ni9Es3QhACrVa0Z5Z3' | chpasswd --encrypted});
+ok(1, "set passwd to *foobar");
+assert_command_result_silent(RET_WRONG_OBJECT_PROPERTIES,
+    '/usr/sbin/adduser',
     '--stdoutmsglevel=error', '--stderrmsglevel=error',
     '--system',
+    '--disabled-login',
     'aust'
 );
+assert_user_exists('aust');
+assert_user_is_system('aust');
 
 # ref #100032
 # test --home



View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/c7c52b6c3074b28eccacb473588550530ee0777b...5c05dc83c4450a6f2bc044104599095f0038f666

-- 
View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/c7c52b6c3074b28eccacb473588550530ee0777b...5c05dc83c4450a6f2bc044104599095f0038f666
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/attachments/20260110/7cce19bf/attachment-0001.htm>