shadow: use relaxed usernames

The groupadd from shadow does not allow upper case group names, the same is true for the upstream shadow. But distributions like Debian/Ubuntu/CentOS has their own way to cope with this problem, this patch is picked up from Fedora [1] to relax the usernames restrictions to allow the upper case group names, and the relaxation is POSIX compliant because POSIX indicate that usernames are composed of characters from the portable filename character set [A-Za-z0-9._-]. [1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch Signed-off-by: Alexander Kanavin <alex@linutronix.de>
2022-08-16 13:46:22 +02:00 · 2022-08-16 13:46:22 +02:00 · cfc981df2a
commit cfc981df2a
parent 9e1c0ffef4
3 changed files with 42 additions and 18 deletions
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@ -32,26 +32,44 @@ static bool is_valid_name (const char *name)
 	}
 	/*
-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+         * User/group names must match gnu e-regex:
-	 */
+         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
         *
         * as a non-POSIX, extension, allow "$" as the last char for
         * sake of Samba 3.x "add machine script"
         *
         * Also do not allow fully numeric names or just "." or "..".
         */
 	int numeric;
-	if (('\0' == *name) ||
+	if ('\0' == *name ||
-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
 			      '\0' == name[1])) ||
 	    !((*name >= 'a' && *name <= 'z') ||
 	      (*name >= 'A' && *name <= 'Z') ||
 	      (*name >= '0' && *name <= '9') ||
 	      *name == '_' ||
 	      *name == '.')) {
 		return false;
 	}
 	numeric = isdigit(*name);
 	while ('\0' != *++name) {
-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+		if (!((*name >= 'a' && *name <= 'z') ||
-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+		      (*name >= 'A' && *name <= 'Z') ||
-		      ('_' == *name) ||
+		      (*name >= '0' && *name <= '9') ||
-		      ('-' == *name) ||
+		      *name == '_' ||
-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+		      *name == '.' ||
 		      *name == '-' ||
 		      (*name == '$' && name[1] == '\0')
 		     )) {
 			return false;
 		}
 		numeric &= isdigit(*name);
 	}
-	return true;
+	return !numeric;
 }
 bool is_valid_user_name (const char *name)
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
@ -64,10 +64,12 @@
      files as needed.
    </para>
     <para>
-       Groupnames must start with a lower case letter or an underscore,
+       Groupnames may contain only lower and upper case letters, digits,
-       followed by lower case letters, digits, underscores, or dashes.
+       underscores, or dashes. They can end with a dollar sign.
-       They can end with a dollar sign.
+
-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+       Dashes are not allowed at the beginning of the groupname.
       Fully numeric groupnames and groupnames . or .. are
       also disallowed.
     </para>
     <para>
       Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@ -692,10 +692,14 @@
    </para>
    <para>
-      Usernames must start with a lower case letter or an underscore,
+      Usernames may contain only lower and upper case letters, digits,
-      followed by lower case letters, digits, underscores, or dashes.
+      underscores, or dashes. They can end with a dollar sign.
-      They can end with a dollar sign.
+
-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      Dashes are not allowed at the beginning of the username.
      Fully numeric usernames and usernames . or .. are
      also disallowed. It is not recommended to use usernames beginning
      with . character as their home directories will be hidden in
      the <command>ls</command> output.
    </para>
    <para>
      Usernames may only be up to 32 characters long.