Georgios M. Zarkadas
2011-Jun-16 22:09 UTC
Bug#630750: default NAME_REGEX value in /etc/adduser.conf is incorrect
Package: adduser
Version: 3.112+nmu2
Severity: normal
Tags: patch

The default value of variable NAME_REGEX shipped within the package's file
/usr/share/adduser/adduser.conf (which is copied upon installation to
etc/adduser.conf) is incorrect.

current value / should-be value (the patch - append "?$" to it):

- --- adduser.conf 2011-06-17 00:51:05.718593580 +0300 +++ adduser.conf 2011-06-17 00:51:32.282093072 +0300 
@@ -82,4 +82,4 @@ # check user and group names also against this regular expression. - -#NAME_REGEX="^[a-z][-a-z0-9_]*\$" +#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"

The problem was realised when I tried to install hal (which installs user
haldaemon) with the regex enabled and it failed to install with the following
message:

---------------
Γίνεται εγκατάσταση hal (0.5.14-3) ...
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable. Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.
dpkg: σφάλμα στην επεξεργασία του hal (--configure):
 η υποδιεργασία installed post-installation script επέστρεψε κατάσταση λάθους 1
---------------

After checking the postinst script of the hal package I didn't find anything
suspicious in its adduser invocation, nor in the tried-out username (haldaemon),
so I started to study the adduser source code.

Seeing the 'checkname' routine and the initial test expression, I finally came
up with the patch, which was tried, and hal installation succeeded.

regards
George Zarkadas

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (450, 'testing-proposed-updates'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=el_GR.utf8, LC_CTYPE=el_GR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages adduser depends on:
ii  debconf [de 1.5.36.1                     Debian configuration management sy
ii  passwd      1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii  perl-base   5.10.1-17                    minimal Perl system

adduser recommends no packages.

Versions of packages adduser suggests:
ii  liblocale-gettext-perl 1.05-6    Using libc functions for internati
ii  perl-modules           5.10.1-17 Core Perl modules

-- debconf information:
  adduser/homedir-permission: true
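Review bot: On the `+#NAME_REGEX=` line, the new value mixes an escaped `\$?` (an optional literal dollar sign) with a bare `$` (the end-of-name anchor) inside double quotes, and the one-line comment above it explains neither. Suggest extending that comment to say that a single trailing `$` is permitted and that the final `$` anchors the match at the end of the name, so whoever uncomments the setting can see why the two differ. Since the line stays commented out, the change only takes effect once the setting is enabled, which is worth stating in the changelog entry. Note also that in a Perl regex a bare `$` matches just before a trailing newline as well as at the very end; `\z` is the stricter anchor, provided the config parser passes it through unchanged.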
Stephen Gran
2011-Jul-24 13:22 UTC
[Adduser-devel] Bug#630750: Bug#630750: default NAME_REGEX value in /etc/adduser.conf is incorrect
tags -patch
thanks

Hi,

This one time, at band camp, Georgios M. Zarkadas said:
> The default value of variable NAME_REGEX shipped within the package's file
> /usr/share/adduser/adduser.conf (which is copied upon installation to
> etc/adduser.conf) is incorrect.
>
> current value / should-be value (the patch - append "?$" to it):
>
> - --- adduser.conf 2011-06-17 00:51:05.718593580 +0300 > +++ adduser.conf 2011-06-17 00:51:32.282093072 +0300 
> @@ -82,4 +82,4 @@ > > > # check user and group names also against this regular expression. > - -#NAME_REGEX="^[a-z][-a-z0-9_]*\$" > +#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"

This can't be fixing it, the default is commented out.

> The problem was realised when I tried to install hal (which installs user
> haldaemon) with the regex enabled and it failed to install with the following
> message:
>
> - ---------------
> Γίνεται εγκατάσταση hal (0.5.14-3) ...
> adduser: Please enter a username matching the regular expression configured
> via the NAME_REGEX configuration variable. Use the `--force-badname'
> option to relax this check or reconfigure NAME_REGEX.
> dpkg: σφάλμα στην επεξεργασία του hal (--configure):
>  η υποδιεργασία installed post-installation script επέστρεψε κατάσταση λάθους 1
> - ---------------
>
> After checking the postinst script of the hal package I didn't find anything
> suspicious in its adduser invocation, nor in the tried-out username (haldaemon),
> so I started to study the adduser source code.
>
> Seeing the 'checkname' routine and the initial test expression, I finally came
> up with the patch, which was tried, and hal installation succeeded.

I wonder if this is a locale specific problem. Can you try (in a
chroot, whatever), installing haldaemon with a default config for
adduser to try to reproduce it? I am curious if it will succeed if you
then set LANG=C and install it again. I suspect it will install. If
this is the case, can you let me know?

Cheers,
-- 
Stephen Gran
sgran at debian.org
Debian user, admin, and developer
http://www.debian.org
Georgios M. Zarkadas
2011-Aug-04 00:36 UTC
[Adduser-devel] Bug#630750: Bug#630750: default NAME_REGEX value in /etc/adduser.conf is incorrect
Hi, thanks for the response, I give updated information below.

On Sun, 24-07-2011, at 14:22 +0100, Stephen Gran wrote:
> ...
> > # check user and group names also against this regular expression. > > - -#NAME_REGEX="^[a-z][-a-z0-9_]*\$" > > +#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
>
> This can't be fixing it, the default is commented out.
>

The patch was made against the file (adduser.conf) that the package ships.
It is shipped with NAME_REGEX commented out (ie check disabled). But if you
uncomment it, thus enabling the check, then the bug appears. However, since
the package ships the file with the test disabled by default, I could not
send a patch that enables the test by default. Thus I sent a patch that
corrects the bug when someone decides to enable the test, which is IMHO the
right way to patch in such a situation.

> > ...
> > Γίνεται εγκατάσταση hal (0.5.14-3) ...
> ...
> I wonder if this is a locale specific problem. Can you try (in a
> chroot, whatever), installing haldaemon with a default config for
> adduser to try to reproduce it? I am curious if it will succeed if you
> then set LANG=C and install it again. I suspect it will install. If
> this is the case, can you let me know?

The default config of adduser will certainly install the package since it
has the (optional) test disabled. The problem appears when the test is
enabled. And it is not package-specific, nor locale-specific, based on the
outcomes of the following tests (full results are presented as an annex at
the end):

i) add a user from the command line, with NAME_REGEX uncommented and set to
   its default (shipped with the package) value: ^[a-z][-a-z0-9_]*\$

   i-a) with my system's default locale:
        adduser foo  --> error
        adduser foo$ --> ok

   i-b) with the C locale:
        LC_ALL=C adduser bar  --> error
        LC_ALL=C adduser bar$ --> ok

ii) grep a list of names with perl regular expressions enabled (since adduser
    is written in perl and NAME_REGEX is a perl regex). Although I present
    only the C locale case, the results were identical in my system's default
    locale also.

   ii-a) with the default value: ^[a-z][-a-z0-9_]*\$ --> error
   ii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$ --> ok

iii) do the same as ii using a perl program instead of grep. Same remarks
     apply.

   iii-a) with the default value: ^[a-z][-a-z0-9_]*\$ --> error
   iii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$ --> ok

As a final note, the default value (^[a-z][-a-z0-9_]*\$) simply does not look
ok when someone reads the code of the 'checkname' sub in the adduser
executable (lines 864-886 as shipped with the adduser-3.112+nmu2 package).

The string in line 868 states that \$ is only allowed at the end of user
names for compatibility with Samba machine accounts. However, the default
regex does not allow it as optional at the end but instead it *requires* it
to exist after at least one lowercase letter and any combination of lowercase
letters, numbers, dashes and underscores.

This is certainly a bug, because apart from requiring a $ character to
appear in the name it also allows *any* other character after the $, even
invalid ones. The ?$ that the patch adds at the end of the value makes the \$
optional and ensures it will be (if present) the last character in the name
(see also Annex B at the end of the message).

I am at your disposal if you need additional information; the full results of
the tests follow.

regards
George Zarkadas

ANNEX A - FULL TEST RESULTS

------------------------------------------------

i) add a user from the command line, with NAME_REGEX uncommented and set to
   its default (shipped with the package) value: ^[a-z][-a-z0-9_]*\$

EXPECTED OUTCOME: all tried user names should be accepted.

i-a) with my system's default locale:

root@freedom:/etc# adduser foo
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable. Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.
root@freedom:/etc# adduser foo$
Adding user `foo$' ...
Adding new group `foo$' (1004) ...
Adding new user `foo$' (1004) with group `foo$' ...
Creating home directory `/home/foo$' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: ?? ??????????? ??????????? ????????
?????? ??????????? ?????? ??? ??? foo$
???????? ??? ??? ????, ? ?????? ENTER ??? ??? ??????????????
        ?????? ????? []:
        ??????? ???????? []:
        ???????? ???????? []:
        ???????? ?????? []:
        ???? []:
Is the information correct? [Y/n] y
Adding new user `foo$' to extra groups ...
Adding user `foo$' to group `cdrom' ...
Adding user `foo$' to group `floppy' ...
Adding user `foo$' to group `audio' ...
Adding user `foo$' to group `video' ...
Adding user `foo$' to group `plugdev' ...
Adding user `foo$' to group `fuse' ...
Adding user `foo$' to group `users' ...

i-b) with the C locale:

root@freedom:/etc# LC_ALL=C adduser bar
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable. Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.
root@freedom:/etc# LC_ALL=C adduser bar$
Adding user `bar$' ...
Adding new group `bar$' (1005) ...
Adding new user `bar$' (1005) with group `bar$' ...
Creating home directory `/home/bar$' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for bar$
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Adding new user `bar$' to extra groups ...
Adding user `bar$' to group `cdrom' ...
Adding user `bar$' to group `floppy' ...
Adding user `bar$' to group `audio' ...
Adding user `bar$' to group `video' ...
Adding user `bar$' to group `plugdev' ...
Adding user `bar$' to group `fuse' ...
Adding user `bar$' to group `users' ...

RESULT: the simplest names foo, bar were rejected (error); only the foo$, bar$
names were accepted.

------------------------------------------------

ii) grep a list of names with perl regular expressions enabled.

EXPECTED OUTCOME: The third and sixth name should not be accepted, all others
should pass.

ii-a) with the default value: ^[a-z][-a-z0-9_]*\$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C grep -P '^[a-z][-a-z0-9_]*\$'
foo$
foo$a
a-50_50-$

RESULT: third name is included (error); first and fourth names are not
included (error).

ii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C grep -P '^[a-z][-a-z0-9_]*\$?$'
foo
foo$
a_50-50_
a-50_50-$

RESULT: correct.

------------------------------------------------

iii) do the same as ii using a perl program instead of grep. Same remarks
     apply.

EXPECTED OUTCOME: The third and sixth name should not be accepted, all others
should pass.

iii-a) with the default value: ^[a-z][-a-z0-9_]*\$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$/ && print'
foo$
foo$a
a-50_50-$

RESULT: third name is included (error); first and fourth names are not
included (error).

iii-b) with the value of the patch: ^[a-z][-a-z0-9_]*\$?$

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$a
a_50-50_
a-50_50-$
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$?$/ && print'
foo
foo$
a_50-50_
a-50_50-$

RESULT: correct.

ANNEX B - ONE MORE TEST ABOUT ALLOWANCE FOR INVALID NAMES

Again first is the default value, second the proposed patch.

EXPECTED OUTCOME: No invalid user name should pass.

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$/ && print'
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}

root@freedom:/etc# (cat << "EOF"
foo
foo$
foo$aGAIN
fo$$*&%#@
a${ENV/*//myfile}
aNaccepted
EOF
) | LC_ALL=C perl -nle 'm/^[a-z][-a-z0-9_]*\$?$/ && print'
foo
foo$

RESULT: default regex allows invalid names; patched regex does not.
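The comparison made in the annexes can be turned into a repeatable check. The following is an added example, not code from this thread or from adduser: it uses Python's `re`, which handles `^`, `$`, `\$` and character classes the same way Perl does for these patterns, to audit a candidate NAME_REGEX against the names tested above plus two constructed trailing-newline inputs. The `audit` helper and the `STRICT` variant are assumptions introduced here.

```python
import re

# Names from the thread's tests, plus constructed trailing-newline cases.
SHOULD_ACCEPT = ["foo", "foo$", "a_50-50_", "a-50_50-$", "haldaemon"]
SHOULD_REJECT = ["foo$a", "aNaccepted", "foo$aGAIN", "fo$$*&%#@",
                 "a${ENV/*//myfile}", "foo\n", "foo$\n"]

SHIPPED = r"^[a-z][-a-z0-9_]*\$"     # default value quoted in the report
PATCHED = r"^[a-z][-a-z0-9_]*\$?$"   # value proposed in the patch
# Assumption (not in the thread): absolute end-of-string anchor.
# Python spells it \Z; the Perl equivalent is \z.
STRICT = r"^[a-z][-a-z0-9_]*\$?\Z"


def audit(pattern):
    """Return (false_rejects, false_accepts) for `pattern`.

    The pattern is applied as an unanchored search, which is how Perl's
    m// and `grep -P` use it, so only the pattern's own ^ and $ constrain
    where the match may start and end.
    """
    rx = re.compile(pattern)
    false_rejects = [n for n in SHOULD_ACCEPT if not rx.search(n)]
    false_accepts = [n for n in SHOULD_REJECT if rx.search(n)]
    return false_rejects, false_accepts


if __name__ == "__main__":
    for label, pat in (("shipped", SHIPPED),
                       ("patched", PATCHED),
                       ("strict", STRICT)):
        rejected, accepted = audit(pat)
        print(f"{label:8} {pat}")
        print(f"  valid names wrongly rejected:   {rejected!r}")
        print(f"  invalid names wrongly accepted: {accepted!r}")
```

The shipped value fails in both directions, the patched value fails only on the constructed newline inputs, and the strict variant passes the whole corpus.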