From cfc981df2afc615e3792b918e9ee49e631b0a3a9 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Tue, 16 Aug 2022 13:46:22 +0200 Subject: [PATCH] shadow: use relaxed usernames The groupadd from shadow does not allow upper case group names, the same is true for the upstream shadow. But distributions like Debian/Ubuntu/CentOS has their own way to cope with this problem, this patch is picked up from Fedora [1] to relax the usernames restrictions to allow the upper case group names, and the relaxation is POSIX compliant because POSIX indicate that usernames are composed of characters from the portable filename character set [A-Za-z0-9._-]. [1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch Signed-off-by: Alexander Kanavin
---
libmisc/chkname.c | 38 ++++++++++++++++++++++++++++---------- man/groupadd.8.xml | 10 ++++++---- man/useradd.8.xml | 12 ++++++++---- 3 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/libmisc/chkname.c b/libmisc/chkname.c
index cb002a14..e31ee8c9 100644
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@@ -32,26 +32,44 @@ static bool is_valid_name (const char *name) } /* - * User/group names must match [a-z_][a-z0-9_-]*[$] - */ + * User/group names must match gnu e-regex: + * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? + * + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * + * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; - if (('\0' == *name) || - !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { + if ('\0' == *name || + ('.' == *name && (('.' == name[1] && '\0' == name[2]) || + '\0' == name[1])) || + !((*name >= 'a' && *name <= 'z') || + (*name >= 'A' && *name <= 'Z') || + (*name >= '0' && *name <= '9') || + *name == '_' || + *name == '.')) { return false; } + numeric = isdigit(*name); + while ('\0' != *++name) { - if (!(( ('a' <= *name) && ('z' >= *name) ) || - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) + if (!((*name >= 'a' && *name <= 'z') || + (*name >= 'A' && *name <= 'Z') || + (*name >= '0' && *name <= '9') || + *name == '_' || + *name == '.' || + *name == '-' || + (*name == '$' && name[1] == '\0') )) { return false; } + numeric &= isdigit(*name); } - return true; + return !numeric; } bool is_valid_user_name (const char *name) diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml index 26671f92..61a548f7 100644 --- a/man/groupadd.8.xml +++ b/man/groupadd.8.xml 
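Review bot: `numeric &= isdigit(*name)` in the loop relies on isdigit() returning the same bit for every digit, but the C standard only promises a nonzero value, so on a libc that returns differing nonzero values a fully numeric name could get past `return !numeric`. The rest of this hunk already uses explicit range comparisons, so I would write `numeric = (*name >= '0' && *name <= '9');` for the first character and `numeric = numeric && (*name >= '0' && *name <= '9');` in the loop; that also removes the dependence on `<ctype.h>`, whose include is not visible here. Separately, the all-digits test only covers decimal strings, so a name with a leading digit (a constructed example: `0x10`) is now accepted, and a comment noting that tools which accept either a name or a numeric ID may read such names differently would help whoever tightens this later. The regex in the new comment implies a 32-character limit that the visible lines do not enforce; presumably the callers do, which is worth confirming. is_valid_name begins above the hunk.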
@@ -64,10 +64,12 @@ files as needed. - Groupnames must start with a lower case letter or an underscore, - followed by lower case letters, digits, underscores, or dashes. - They can end with a dollar sign. - In regular expression terms: [a-z_][a-z0-9_-]*[$]? + Groupnames may contain only lower and upper case letters, digits, + underscores, or dashes. They can end with a dollar sign. + + Dashes are not allowed at the beginning of the groupname. + Fully numeric groupnames and groupnames . or .. are + also disallowed. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. diff --git a/man/useradd.8.xml b/man/useradd.8.xml index af02a23f..9eb80bbb 100644 --- a/man/useradd.8.xml +++ b/man/useradd.8.xml @@ -692,10 +692,14 @@ - Usernames must start with a lower case letter or an underscore, - followed by lower case letters, digits, underscores, or dashes. - They can end with a dollar sign. - In regular expression terms: [a-z_][a-z0-9_-]*[$]? + Usernames may contain only lower and upper case letters, digits, + underscores, or dashes. They can end with a dollar sign. + + Dashes are not allowed at the beginning of the username. + Fully numeric usernames and usernames . or .. are + also disallowed. It is not recommended to use usernames beginning + with . character as their home directories will be hidden in + the ls output. Usernames may only be up to 32 characters long.