[Adduser-devel] Bug#630750: Bug#630750: default NAME_REGEX value in /etc/adduser.conf is incorrect

Georgios M. Zarkadas georgios.zarkadas at gmail.com
Thu Aug 4 00:36:54 UTC 2011


Hi,
Thanks for the response; I give updated information below.

On 24-07-2011, Sun, at 14:22 +0100, Stephen Gran wrote:
> ...
> >  # check user and group names also against this regular expression.
> > - -#NAME_REGEX="^[a-z][-a-z0-9_]*\$"
> > +#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
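Review bot: on the added +#NAME_REGEX line, the closing $ is a Perl end-of-line anchor, which also matches just before a trailing newline, so this value still accepts a name that ends in "\n"; writing \z in its place anchors at the true end of the string. The comment line above the setting could also state that the trailing \$ is optional and is there only for Samba machine accounts, which is what the change to \$? encodes according to the rest of this message.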
> 
> This can't be fixing it, the default is commented out.
> 
The patch was made against the file (adduser.conf) that the package
ships. It is shipped with NAME_REGEX commented out (i.e. check disabled).
But if you uncomment it, thus enabling the check, then the bug appears.

However, since the package ships the file with the test disabled by
default, I could not send a patch that enables the test by default.
Thus I sent a patch that corrects the bug when someone decides to enable
the test, which is IMHO the right way to patch in such a situation. 

> > ...
> > Γίνεται εγκατάσταση hal (0.5.14-3) ...
> ...
> I wonder if this is a locale specific problem.  Can you try (in a
> chroot, whatever), installing haldaemon with a default config for
> adduser to try to reproduce it?  I am curious if it will succeed if you
> then set LANG=C and install it again.  I suspect it will install.  If
> this is the case, can you let me know?

The default config of adduser will certainly install the package since
it has the (optional) test disabled. 
The problem appears when the test is enabled. And it is not
package-specific, nor locale-specific, based on the outcomes of the
following tests (full results are presented as an annex at the end):

i)   add a user from the command line, with NAME_REGEX uncommented and
set to its default (shipped with the package) value: ^[a-z][-a-z0-9_]*\$

  i-a) with my system's default locale:

	adduser foo	-->	error
	adduser foo$	-->	ok
  
  i-b) with the C locale:

	LC_ALL=C adduser bar	-->	error
	LC_ALL=C adduser bar$	-->	ok

ii)  grep a list of names with perl regular expressions enabled (since
adduser is written in perl and NAME_REGEX is a perl regex).
Although I present only the C locale case, the results were identical
in my system's default locale also.

  ii-a) with the default value: ^[a-z][-a-z0-9_]*\$        --> error
  ii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$ --> ok

iii) do the same as ii using a perl program instead of grep. Same
remarks apply.

  iii-a) with the default value: ^[a-z][-a-z0-9_]*\$        --> error
  iii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$ --> ok

As a final note, the default value (^[a-z][-a-z0-9_]*\$) simply does not
look ok when someone reads the code of the 'checkname' sub in the adduser
executable (lines 864-886 as shipped with the adduser-3.112+nmu2
package).
The string in line 868 states that \$ is only allowed at the end of user
names for compatibility with Samba machine accounts.
However, the default regex does not allow it as optional at the end but
instead it *requires* it to exist after at least one lowercase letter
and any combination of lowercase letters, numbers, dashes and
underscores.
This is certainly a bug, because apart from requiring a $ character to
appear in the name it also allows *any* other character after the $,
even invalid ones.
The ?$ that the patch adds at the end of the value makes the \$ optional
and ensures it will be (if present) the last character in the name (see
also Annex B at the end of the message).

I am at your disposal if you need additional information, the full
results of the tests follow.

regards
George Zarkadas

ANNEX A - FULL TEST RESULTS

------------------------------------------------
i)   add a user from the command line, with NAME_REGEX uncommented and
set to its default (shipped with the package) value: ^[a-z][-a-z0-9_]*\$

EXPECTED OUTCOME: all tried user names should be accepted.

  i-a) with my system's default locale:

root@freedom:/etc# adduser foo
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable.  Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.

root@freedom:/etc# adduser foo$
Adding user `foo$' ...
Adding new group `foo$' (1004) ...
Adding new user `foo$' (1004) with group `foo$' ...
Creating home directory `/home/foo$' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: το συνθηματικό ενημερώθηκε επιτυχώς
Αλλαγή πληροφοριών χρήστη για τον foo$
Εισάγετε την νέα τιμή, ή πιέστε ENTER για την προκαθορισμένη
	Πλήρες όνομα []: 
	Αριθμός δωματίου []: 
	Τηλέφωνο Εργασίας []: 
	Τηλέφωνο Οικίας []: 
	Άλλο []: 
Is the information correct? [Y/n] y
Adding new user `foo$' to extra groups ...
Adding user `foo$' to group `cdrom' ...
Adding user `foo$' to group `floppy' ...
Adding user `foo$' to group `audio' ...
Adding user `foo$' to group `video' ...
Adding user `foo$' to group `plugdev' ...
Adding user `foo$' to group `fuse' ...
Adding user `foo$' to group `users' ...

  i-b) with the C locale:

root@freedom:/etc# LC_ALL=C adduser bar
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable.  Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.
  
root@freedom:/etc# LC_ALL=C adduser bar$
Adding user `bar$' ...
Adding new group `bar$' (1005) ...
Adding new user `bar$' (1005) with group `bar$' ...
Creating home directory `/home/bar$' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for bar$
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
Adding new user `bar$' to extra groups ...
Adding user `bar$' to group `cdrom' ...
Adding user `bar$' to group `floppy' ...
Adding user `bar$' to group `audio' ...
Adding user `bar$' to group `video' ...
Adding user `bar$' to group `plugdev' ...
Adding user `bar$' to group `fuse' ...
Adding user `bar$' to group `users' ...

RESULT: the simplest names foo, bar were rejected (error); only the
foo$, bar$ names were accepted.

------------------------------------------------
ii)  grep a list of names with perl regular expressions enabled.

EXPECTED OUTCOME: The third and sixth name should not be accepted, all
others should pass.

  ii-a) with the default value: ^[a-z][-a-z0-9_]*\$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C grep -P '^[a-z][-a-z0-9_]*\$'
foo$
foo$a
a-50_50-$

RESULT: third name is included (error); first and fourth names are not
included (error).

  ii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C grep -P '^[a-z][-a-z0-9_]*\$?$'
foo
foo$
a_50-50_
a-50_50-$

RESULT: correct.

------------------------------------------------
iii) do the same as ii using a perl program instead of grep. Same
remarks apply.

EXPECTED OUTCOME: The third and sixth name should not be accepted, all
others should pass.

  iii-a) with the default value: ^[a-z][-a-z0-9_]*\$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$/ && print'
foo$
foo$a
a-50_50-$

RESULT: third name is included (error); first and fourth names are not
included (error).

  iii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$?$/ && print'
foo
foo$
a_50-50_
a-50_50-$

RESULT: correct.

ANNEX B - ONE MORE TEST ABOUT ALLOWANCE FOR INVALID NAMES

Again first is the default value, second the proposed patch.

EXPECTED OUTCOME: No invalid user name should pass.

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}
aNaccepted                                                
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$/ && print'
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$?$/ && print'
foo
foo$

RESULT: the default regex allows invalid names; the patched regex does not.
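
The comparisons from Annex A and Annex B can be run as one table-driven check that reports, per candidate NAME_REGEX value, which names are wrongly accepted and which are wrongly rejected. This is an added example, not part of the original message and not adduser's code. The third pattern (ending in \z) and the "foo\n" test name are assumptions added here, included because Perl's $ anchor also matches before a final newline.

```perl
#!/usr/bin/perl
# Added example (not adduser's code): audit candidate NAME_REGEX values
# against a constructed list of names with the expected verdict for each.
use strict;
use warnings;

# The shipped default and the patched value come from the message;
# the \z variant is an assumption added here for comparison.
my @patterns = (
    [ 'shipped default', qr/^[a-z][-a-z0-9_]*\$/    ],
    [ 'patched',         qr/^[a-z][-a-z0-9_]*\$?$/  ],
    [ 'patched with \z', qr/^[a-z][-a-z0-9_]*\$?\z/ ],
);

# Constructed sample: [ name, 1 if it should be accepted, else 0 ]
my @cases = (
    [ 'foo',               1 ],
    [ 'foo$',              1 ],   # Samba machine account form
    [ 'a_50-50_',          1 ],
    [ 'a-50_50-$',         1 ],
    [ 'foo$a',             0 ],   # characters after the $
    [ 'fo$$*&%#@',         0 ],
    [ 'a${ENV/*//myfile}', 0 ],
    [ 'aNaccepted',        0 ],   # uppercase letter
    [ "foo\n",             0 ],   # trailing newline (name not chomped)
);

# Return two array refs: names wrongly accepted, names wrongly rejected.
sub audit {
    my ($re) = @_;
    my (@false_accept, @false_reject);
    for my $case (@cases) {
        my ($name, $want) = @$case;
        my $got = $name =~ $re ? 1 : 0;
        (my $shown = $name) =~ s/\n/\\n/g;   # make the newline visible
        push @false_accept, $shown if $got  && !$want;
        push @false_reject, $shown if !$got && $want;
    }
    return (\@false_accept, \@false_reject);
}

for my $p (@patterns) {
    my ($label, $re) = @$p;
    my ($fa, $fr) = audit($re);
    printf "%-16s wrongly accepted: [%s]  wrongly rejected: [%s]\n",
        $label, join(' ', @$fa), join(' ', @$fr);
}
```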