* Marc Haber <[email protected]> [240803 15:20]:
> On Fri, Aug 02, 2024 at 05:18:54PM +0200, Chris Hofstaedtler wrote:
> > in #1076619 it was reported that usernames ending with backslashes
> > break useradd/usermod/userdel, etc (from src:shadow).
> > Allowing backslashes was a Debian patch. To fix #1076619,
> > backslashes are now forbidden. However, adduser's autopkgtests
> > assume that backslashes are good to use.
>
> Is that change in the allowed user names backed by policy?

ISTM we don't have a policy for that.

> We allow backslashes in adduser to cater for some samba corner
> cases where a user named domain\user is needed.
>
> I am kind of concerned that this tightening of src:shadow's allowed user
> name character ranges breaks actual use cases.

Some time ago I surveyed the patches other distros apply to shadow,
and none seem to patch the quite restrictive upstream check.

> > Please stop using backslashes.
>
> Will do but are you sure you're doing the right thing here?

Honestly, no. src:shadow is in a quite bad state and upstream is at
the start of a long journey of cleaning that up. Until this is done,
it seems anything we do downstream has a good chance of exposing
latent bugs.

I think the checks in shadow's user* tools can be bypassed by passing
--badname. Maybe the broken tests in adduser should do that instead
of being dropped. (IMO, users passing --badname can keep any
breakage.)

> Should src:adduser also adapt the regexes that define allowed characters
> in user names?

I think it would be great to align on the check from shadow upstream.
Currently it is documented as:

     * User/group names must match BRE regex:
     *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
     *
     * as a non-POSIX, extension, allow "$" as the last char for
     * sake of Samba 3.x "add machine script"
     *
     * Also do not allow fully numeric names or just "." or "..".

That seems reasonable to me. Let me know what you think.

Best,
Chris
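
Added example, not part of the original message and not shadow's own code: a hand-written C check of the rule as documented in the comment quoted above, showing that both domain\user and names ending in a backslash are rejected while a Samba-style trailing "$" passes. The function name name_is_valid is hypothetical, the pattern is assumed to apply to the whole name, and no length limit is checked because the quoted comment states none.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* First character class: [a-zA-Z0-9_.] (ASCII only, locale-independent) */
static bool is_first_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '.';
}

/* Hypothetical helper: true if name passes the documented rule. */
bool name_is_valid(const char *name)
{
    size_t len = strlen(name);
    bool all_digits = true;

    if (len == 0 || !is_first_char((unsigned char)name[0]))
        return false;               /* empty, or starts with '-', '$', '\\', ... */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;               /* just "." or ".." */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < '0' || c > '9')
            all_digits = false;
        if (i == 0)
            continue;               /* first character already checked */
        if (c == '$' && i == len - 1)
            continue;               /* "$" allowed only as the last character */
        if (!is_first_char(c) && c != '-')
            return false;           /* outside [a-zA-Z0-9_.-], e.g. a backslash */
    }
    return !all_digits;             /* fully numeric names are not allowed */
}

int main(void)
{
    /* Constructed sample names, not taken from any bug report. */
    const char *samples[] = { "alice", "host01$", "domain\\user", "user\\",
                              "123", ".", "..", "-x", "a$b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               name_is_valid(samples[i]) ? "ok" : "rejected");
    return 0;
}
```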

