This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
changes.  It contains the difference between the new version and the
previous version of the same source package in Ubuntu.
Format: 1.8
Date: Thu, 17 Jun 2021 14:35:15 -0500
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.8.1-1ubuntu9
Distribution: impish
Urgency: medium
Maintainer: Ubuntu Developers <[email protected]>
Changed-By: William 'jawn-smith' Wilson <[email protected]>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Launchpad-Bugs-Fixed: 1927078
Changes: 
 shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
 .
   * Disallow purely numeric usernames. This includes hexadecimal and
     octal syntax. (LP: #1927078)
Original-Maintainer: Shadow package maintainers <[email protected]>
diff -pruN 1:4.8.1-1ubuntu8/debian/changelog 1:4.8.1-1ubuntu9/debian/changelog
--- 1:4.8.1-1ubuntu8/debian/changelog   2021-01-07 05:05:37.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/changelog   2021-06-17 19:35:15.000000000 +0000
@@ -1,3 +1,10 @@
+shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
+
+  * Disallow purely numeric usernames. This includes hexadecimal and
+    octal syntax. (LP: #1927078)
+
+ -- William 'jawn-smith' Wilson <[email protected]>  Thu, 17 Jun 
2021 14:35:15 -0500
+
 shadow (1:4.8.1-1ubuntu8) hirsute; urgency=medium
 
   * Enable private home directories by default (LP: #48734)
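Review bot: The new changelog entry at the top of this hunk mentions only usernames, but the same upload documents the restriction for group names in groupadd.8.xml as well. Wording it as "purely numeric user and group names" would make the entry match the documented behaviour change.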
diff -pruN 1:4.8.1-1ubuntu8/debian/patches/506_relaxed_usernames 
1:4.8.1-1ubuntu9/debian/patches/506_relaxed_usernames
--- 1:4.8.1-1ubuntu8/debian/patches/506_relaxed_usernames       2020-02-07 
15:32:06.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/patches/506_relaxed_usernames       2021-06-17 
19:35:15.000000000 +0000
@@ -25,7 +25,7 @@ Details:
        /*
         * User/group names must match [a-z_][a-z0-9_-]*[$]
         */
-@@ -73,6 +74,26 @@
+@@ -73,7 +74,62 @@
                        return false;
                }
        }
@@ -37,24 +37,60 @@ Details:
 +       *
 +       * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
 +       */
++      bool is_numeric = true;
++      bool is_hex = true;
++      bool is_octal = true;
++      /*
++       * We skip the hex and octal checks for the first two characters in the
++       * loop, and inspect them individually before the loop starts. This
++       * checks for "0x" and "0o" at the beginning of the username while still
++       * treating "x" and "o" as non-numeric characters in all other scenarios
++       */
++      int chars_checked = 0;
++
 +      if (   ('\0' == *name)
 +          || ('-'  == *name)
 +          || ('~'  == *name)
 +          || ('+'  == *name)) {
 +              return false;
 +      }
++      /* if the username does not start with "0x" it is not hexadecimal */
++      if (*name != '0' || *(name + 1) != 'x') {
++              is_hex = false;
++      }
++      /* if the username does not start with "0o" it is not octal */
++      if (*name != '0' || *(name + 1) != 'o') {
++              is_octal = false;
++      }
 +      do {
 +              if ((':' == *name) || (',' == *name) || isspace(*name)) {
 +                      return false;
 +              }
++              if ((*name < '0' || *name > '9')) {
++                      is_numeric = false;
++              }
++              if ((*name < '0' || *name > '9') &&
++                  (*name < 'A' || *name > 'F') &&
++                  (*name < 'a' || *name > 'f') &&
++                  chars_checked >= 2) {
++                      is_hex = false;
++              }
++              if ((*name < '0' || *name > '7') && chars_checked >= 2) {
++                      is_octal = false;
++              }
++              chars_checked++;
 +              name++;
 +      } while ('\0' != *name);
  
++      if (is_numeric || is_hex || is_octal) {
++              return false;
++      }
        return true;
  }
+ 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -662,12 +662,20 @@
+@@ -662,12 +662,25 @@
      </para>
  
      <para>
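Review bot: The prefix checks added to the relaxed name check compare only against lowercase letters (`*(name + 1) != 'x'` and `*(name + 1) != 'o'`), so a name such as "0X1F" leaves is_hex false and is accepted, even though the digit test in the loop matches both 'A'-'F' and 'a'-'f'. If uppercase prefixes are meant to count as hexadecimal and octal syntax too, compare the second character case-insensitively and add an uppercase-prefix case to the autopkgtest list. As a style point, isdigit() and isxdigit() from <ctype.h> (isspace() is already used in this loop) would replace the hand-written range comparisons.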
@@ -73,12 +109,17 @@ Details:
 +      user's home directory.
 +    </para>
 +    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the username cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
++    <para>
        Usernames may only be up to 32 characters long.
      </para>
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -273,12 +273,18 @@
+@@ -273,12 +273,23 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
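Review bot: The paragraph added to useradd.8.xml says "octal and hexadecimal syntax" without defining it, while the code in this upload treats as numeric only names that start with "0x" or "0o" and otherwise consist of hex or octal digits. Spell those prefixes out in the paragraph so an administrator can tell why "0xcafe42" is refused while "0x123.456.789" is accepted.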
@@ -94,6 +135,11 @@ Details:
 +       colon (':'), a comma (','), or a whitespace (space:' ',
 +       end of line: '\n', tabulation: '\t', etc.).
 +     </para>
++    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the groupname cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
 +     <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
       </para>
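Review bot: The five lines added for groupadd.8.xml carry a single '+' as shown here, whereas the matching paragraph for useradd.8.xml carries '++'. With one '+', those lines enter 506_relaxed_usernames starting with a space, so they read as context lines of the inner patch rather than additions, which does not agree with the inner hunk header changing to `+273,23`. Please check that each of these lines is '+'-prefixed inside the patch file and that their indentation matches the neighbouring `<para>` elements.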
diff -pruN 1:4.8.1-1ubuntu8/debian/tests/control 
1:4.8.1-1ubuntu9/debian/tests/control
--- 1:4.8.1-1ubuntu8/debian/tests/control       2020-03-09 09:33:50.000000000 
+0000
+++ 1:4.8.1-1ubuntu9/debian/tests/control       2021-06-17 19:35:15.000000000 
+0000
@@ -1,2 +1,2 @@
-Tests: smoke
+Tests: smoke, numeric-username
 Restrictions: needs-root, allow-stderr
diff -pruN 1:4.8.1-1ubuntu8/debian/tests/numeric-username 
1:4.8.1-1ubuntu9/debian/tests/numeric-username
--- 1:4.8.1-1ubuntu8/debian/tests/numeric-username      1970-01-01 
00:00:00.000000000 +0000
+++ 1:4.8.1-1ubuntu9/debian/tests/numeric-username      2021-06-17 
19:35:15.000000000 +0000
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -ux
+
+# purely numeric usernames are considered invalid
+for invalidUsername in "0" "00" "0123456789" "0x0" "0x0123456789" "0o0" 
"0o01234567" "0xDEADBEEF" "0xcafe42" "0xdeadbeef" "0xdeadBEEF"
+do
+       useradd $invalidUsername
+       ret=$?
+       if [ $ret -eq 0 ]
+       then
+               exit 1
+       fi
+done
+
+# usernames that start with a digit and contain other valid characters should 
not fail
+for validUsername in "0root" "0123456789root" "0-0" "0_0" "0.o" "0xo" "0-o" 
"0_o" "0x0x0x0" "0o0123456789" "0.0.0.0" "0x123.456.789" "0o123.456.789" 
"123.456" "0.0" "0xdeadbeefjawn-smith" "0o123jawn-smith"
+do
+       useradd $validUsername
+       ret=$?
+       if [ $ret -ne 0 ]
+       then
+               exit 1
+       fi
+done
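Review bot: The first loop treats any non-zero exit from useradd as proof that the name was rejected, so an unrelated failure (for example a name that already exists on the testbed) would let an accepted numeric name go unnoticed. Assert the specific exit status useradd returns for an invalid name instead of `[ $ret -eq 0 ]`. The test also exercises only useradd although the upload documents the same restriction for groupadd, and `useradd $invalidUsername` should quote the variable.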