** Changed in: ubuntu-release-notes
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1927078
Title:
Don't allow useradd to use fully numeric names
To manage notifica
This bug was fixed in the package shadow - 1:4.8.1-1ubuntu5.20.04.1
---
shadow (1:4.8.1-1ubuntu5.20.04.1) focal; urgency=medium
* Disallow purely numeric usernames. This includes hexadecimal
octal syntax. (LP: #1927078)
-- William 'jawn-smith' Wilson Wed, 14
Jul 2021 17:08:1
This bug was fixed in the package shadow - 1:4.8.1-1ubuntu8.1
---
shadow (1:4.8.1-1ubuntu8.1) hirsute; urgency=medium
* Disallow purely numeric usernames. This includes hexadecimal
octal syntax. (LP: #1927078)
-- William 'jawn-smith' Wilson Wed, 14
Jul 2021 16:57:59 -0500
*
Put a mention about it in the release notes for .3. Will do the same for
impish.
--
I think it would be good to write a release note entry about this change
for Ubuntu 21.10 and possibly updating the release notes for Ubuntu
20.04.3 (if these changes make it there in time).
** Also affects: ubuntu-release-notes
Importance: Undecided
Status: New
--
The verification passed for focal.
jawn-smith@focal-vm:~$ apt-cache policy passwd
passwd:
Installed: 1:4.8.1-1ubuntu5.20.04
Candidate: 1:4.8.1-1ubuntu5.20.04.1
Version table:
1:4.8.1-1ubuntu5.20.04.1 500
500 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64
Packages
The verification passed for hirsute.
jawn-smith@lvm:~$ apt-cache policy passwd
passwd:
Installed: 1:4.8.1-1ubuntu8
Candidate: 1:4.8.1-1ubuntu8.1
Version table:
1:4.8.1-1ubuntu8.1 500
500 http://us.archive.ubuntu.com/ubuntu hirsute-proposed/main amd64
Packages
*** 1:4.8.1-1ubun
Hello Victor, or anyone else affected,
Accepted shadow into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu5.20.04.1 in
a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
ht
Unsubscribing sponsors.
--
Hello Victor, or anyone else affected,
Accepted shadow into hirsute-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu8.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:
** Description changed:
[Impact]
- * If a fully numeric username is created, it will cause
-problems with systemd. One example is that the user with
-this type of name can log in, but loginctl will not create
-a session for them.
- * This can also cause users to be unable to log
Thanks, I've sponsored the HH & FF uploads.
** Changed in: shadow (Ubuntu Focal)
Status: Fix Committed => In Progress
** Changed in: shadow (Ubuntu Hirsute)
Status: Fix Committed => In Progress
--
The attached patch fixes the issue in focal
** Patch added: "Focal SRU"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+attachment/5510997/+files/lp197078_focal.debdiff
** Changed in: shadow (Ubuntu Focal)
Status: In Progress => Fix Committed
** Changed in: shadow (Ubun
The attached patch fixes the issue for hirsute.
** Patch added: "Hirsute Patch"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+attachment/5510996/+files/lp1927078_hirsute.debdiff
--
** Changed in: shadow (Ubuntu Groovy)
Status: New => Won't Fix
--
** Changed in: shadow (Ubuntu Hirsute)
Assignee: (unassigned) => William Wilson (jawn-smith)
** Changed in: shadow (Ubuntu Focal)
Assignee: (unassigned) => William Wilson (jawn-smith)
** Changed in: shadow (Ubuntu Hirsute)
Status: New => In Progress
** Changed in: shadow (Ubuntu
** Description changed:
- [Description]
+ [Impact]
+
+ * If a fully numeric username is created, it will cause
+problems with systemd. One example is that the user with
+this type of name can log in, but loginctl will not create
+a session for them.
+ * This can also cause users to
This bug was fixed in the package shadow - 1:4.8.1-1ubuntu9
---
shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
* Disallow purely numeric usernames. This includes hexadecimal and
octal syntax. (LP: #1927078)
-- William 'jawn-smith' Wilson Thu, 17
Jun 2021 14:35:15 -0500
**
Thanks William, this LGTM now!
I've modified your debian/changelog and the XML/man pages a bit, to
account for the removed handling of floating point numbers. And uploaded
the package.
$ dput ubuntu ../shadow_4.8.1-1ubuntu9_source.changes
D: Setting host argument.
Checking signature on .changes
g
Per our discussion I just removed floating point checks altogether.
"0.123" is now considered valid because it is impossible to have a
floating point uid or gid so there will be no confusion with floating
point numbers. I have added those floating point numbers to the
"validUsernames" test, and add
Thank you! This one is looking pretty solid overall.
But I think the "hex detection" has some flaws, as it only checks for capital
letters and there is a discrepancy between accepting float hex numbers (which
is unexpected IMO) but rejecting float octal numbers.
Could you please test for some mo
This one adds in a check for octal representation and some test cases
for octal representation.
** Patch added: "Octal included this time"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+attachment/5510554/+files/lp1927078_fully_numeric_and_hex_and_octal.debdiff
--
This change disallows floating point and hexadecimal representations of
numbers as well as purely numeric, which should be a good compromise.
For example, 0x0 is now invalid, as well as 0x123456789 and 0.0, while
0x0x0x0x is considered valid. It also adds these new restrictions to the
man page.
**
Beautiful, thanks for the large range of tests :)
--
This patch only disallows usernames that are strictly numeric per
vorlon's comment above. It also adds more test cases for invalid
usernames such as "0123456789" and valid usernames such as "0root" and
"0.o". This time I also remembered that '0' is a digit.
** Patch added: "Fully numeric and more
It's fine for us to disallow fully-numeric usernames (including octal
and hex syntax).
It would be inappropriate, especially in SRU, to change the policy to
restrict other usernames that happen to begin with a digit.
--
** Changed in: shadow (Ubuntu Focal)
Importance: Undecided => Low
** Changed in: shadow (Ubuntu Groovy)
Importance: Undecided => Low
** Changed in: shadow (Ubuntu Hirsute)
Importance: Undecided => Low
** Changed in: shadow (Ubuntu Impish)
Importance: Undecided => Low
--
Given that this is still under discussion I'm going to unsubscribe the
ubuntu-sponsors team.
--
I'd be happy to make that change and add the test cases, but I'm still
not sure which patch we landed on. I'm rather indifferent so I will
leave the discussion to others before adding those test cases to
whichever method we decide.
--
Thanks for looking at this @William - sorry to nitpick but I wonder if
rewriting the test as follows could make it a bit easier to parse (at
least for me I find this version easier to grok what is being tested
for):
if (*name < '1' || *name > '9')
--
Ah, that explains that.
Would you mind adding tests for a few more usernames?
0root
0
00
0.0
0x0
0-0
0_0
0.o
0xo
0-o
0_o
Thanks
--
Attached is a patch that disallows fully numeric usernames while still
allowing usernames such as 91jawn-smith.
** Patch added: "Disallow Fully Numeric Patch"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+attachment/5505363/+files/lp1927078_fully_numeric.debdiff
--
@Seth that very incorrect comment is actually part of a block of upstream
code that is commented out. It doesn't apply to the more relaxed Debian
username scheme.
--
Heh, a comment in Jawn's debdiff:
* User/group names must match [a-z_][a-z0-9_-]*[$]
I found period also worked fine:
root@u20:~# useradd 0.0
root@u20:~# getent passwd 0.0
0.0:x:1001:1001::/home/0.0:/bin/sh
root@u20:~# userdel 0.0
root@u20:~# getent passwd 0.0
root@u20:~# exit
I know c
The attachment "lp1927078.debdiff" seems to be a debdiff. The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff. If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if
On Wed, Jun 16, 2021 at 09:15:32PM -, Steve Langasek wrote:
> Disallowing leading numeric digits entirely would, unfortunately,
> disable a significant class of valid usernames in conflict with
> historical usage.
Admins are still able to hand-edit /etc/passwd, /etc/shadow, and mv
home directo
> I think our preference would be to disallow leading numeric digits
> entirely so that for example, 0x0 and 0o0 would be blocked as well,
> to try to prevent both user and programmatic confusion.
Disallowing leading numeric digits entirely would, unfortunately,
disable a significant class of vali
This fix for impish uses sbeattie's suggestion of simply disallowing a
numeric character at the beginning of the username. It also includes a
test case.
** Patch added: "lp1927078.debdiff"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+attachment/5505076/+files/lp1927078.debdif
** Changed in: shadow (Ubuntu Impish)
Assignee: (unassigned) => William Wilson (jawn-smith)
--
The Ubuntu Security team is +1 on disallowing purely numeric usernames,
as they are too easily confused with UIDs.
I think our preference would be to disallow leading numeric digits
entirely so that for example, 0x0 and 0o0 would be blocked as well, to
try to prevent both user and programmatic con
** Tags added: fr-1357
--
I don't have a strong opinion either, but given that scripts would
ignore the warnings and the resulting numeric users are going to face
random, seemingly unrelated issues thanks to the interaction with
systemd, I think I prefer the failure.
FWIW, I've prepared a test version in a PPA[1] which kee
Maybe it should be a warning in the SRUs as opposed to a failure, but I
don't have a strong opinion. I'm a bit scared of breaking scripts. But
maybe that's a good thing.
--