shadow: use relaxed usernames

The groupadd from shadow does not allow upper case group names, the
same is true for the upstream shadow. But distributions like
Debian/Ubuntu/CentOS have their own way to cope with this problem,
this patch is picked up from Fedora [1] to relax the username
restrictions to allow the upper case group names, and the relaxation is
POSIX compliant because POSIX indicates that usernames are composed of
characters from the portable filename character set [A-Za-z0-9._-].

[1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Alexander Kanavin 2022-08-16 13:46:22 +02:00 committed by Serge Hallyn
parent 9e1c0ffef4
commit cfc981df2a
3 changed files with 42 additions and 18 deletions


@ -32,26 +32,44 @@ static bool is_valid_name (const char *name)
} }
/* /*
* User/group names must match [a-z_][a-z0-9_-]*[$] * User/group names must match gnu e-regex:
*/ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
*
* as a non-POSIX, extension, allow "$" as the last char for
* sake of Samba 3.x "add machine script"
*
* Also do not allow fully numeric names or just "." or "..".
*/
int numeric;
if (('\0' == *name) || if ('\0' == *name ||
!((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
'\0' == name[1])) ||
!((*name >= 'a' && *name <= 'z') ||
(*name >= 'A' && *name <= 'Z') ||
(*name >= '0' && *name <= '9') ||
*name == '_' ||
*name == '.')) {
return false; return false;
} }
numeric = isdigit(*name);
while ('\0' != *++name) { while ('\0' != *++name) {
if (!(( ('a' <= *name) && ('z' >= *name) ) || if (!((*name >= 'a' && *name <= 'z') ||
( ('0' <= *name) && ('9' >= *name) ) || (*name >= 'A' && *name <= 'Z') ||
('_' == *name) || (*name >= '0' && *name <= '9') ||
('-' == *name) || *name == '_' ||
( ('$' == *name) && ('\0' == *(name + 1)) ) *name == '.' ||
*name == '-' ||
(*name == '$' && name[1] == '\0')
)) { )) {
return false; return false;
} }
numeric &= isdigit(*name);
} }
return true; return !numeric;
} }
bool is_valid_user_name (const char *name) bool is_valid_user_name (const char *name)
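Review bot: `numeric = isdigit(*name)` and `numeric &= isdigit(*name)` combine the return value of isdigit() bitwise, but C only guarantees a nonzero result for a digit, not the same value on every call, so the "fully numeric" rejection depends on the libc. Declaring `bool numeric` and using `numeric = numeric && isdigit((unsigned char) *name)` removes that dependency. Separately, the new comment gives a pattern bounded at 32 characters (`{0,30}` plus the first and last character), while nothing in the visible body of this function checks length; either state in the comment where the length is enforced or drop the bound from the pattern.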


@ -64,10 +64,12 @@
files as needed. files as needed.
</para> </para>
<para> <para>
Groupnames must start with a lower case letter or an underscore, Groupnames may contain only lower and upper case letters, digits,
followed by lower case letters, digits, underscores, or dashes. underscores, or dashes. They can end with a dollar sign.
They can end with a dollar sign.
In regular expression terms: [a-z_][a-z0-9_-]*[$]? Dashes are not allowed at the beginning of the groupname.
Fully numeric groupnames and groupnames . or .. are
also disallowed.
</para> </para>
<para> <para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.


@ -692,10 +692,14 @@
</para> </para>
<para> <para>
Usernames must start with a lower case letter or an underscore, Usernames may contain only lower and upper case letters, digits,
followed by lower case letters, digits, underscores, or dashes. underscores, or dashes. They can end with a dollar sign.
They can end with a dollar sign.
In regular expression terms: [a-z_][a-z0-9_-]*[$]? Dashes are not allowed at the beginning of the username.
Fully numeric usernames and usernames . or .. are
also disallowed. It is not recommended to use usernames beginning
with . character as their home directories will be hidden in
the <command>ls</command> output.
</para> </para>
<para> <para>
Usernames may only be up to 32 characters long. Usernames may only be up to 32 characters long.
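Review bot: the allowed-character list in the username paragraph omits the period, yet the same paragraph goes on to warn against usernames beginning with ".", so a reader cannot tell whether a dot is legal. List the period explicitly, and say that a leading digit is now accepted as long as the name is not fully numeric, since the removed sentence and regular expression were the only place the first-character rule was spelled out. Minor: "beginning with . character" reads better as "beginning with a . character".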