Thank you for using Ubuntu and reporting a bug. While this behavior is
on the surface quite odd, it is not a security vulnerability because
using the useradd command is a privileged operation. Therefore if you
have privileges to add a user, you can just modify the files directly
rather than using useradd. Additionally, there is no problem with LDAP
as the useradd command cannot be used to manipulate LDAP entries (see
the man page for useradd).

Furthermore, from the useradd manpage:
"useradd is a low level utility for adding users. On Debian, administrators 
should usually use adduser(8) instead."

The man page also tells you what values you should be using when using this 
command:
"It is usually recommended to only use usernames that begin with a lower case 
letter or an underscore, followed by lower case letters, digits, underscores, 
or dashes. They can end with a dollar sign. In regular [a-z_][a-z0-9_-]*[$]?"

The recommended adduser command appropriately errors out:
$ sudo adduser "foo,bar"
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not start with
a dash (as defined by IEEE Std 1003.1-2001). For compatibility with Samba
machine accounts $ is also supported at the end of the username

As such, I am marking this as "Won't Fix". While it would arguably be
good for the useradd command to filter its input better, that is
precisely what the adduser command is for.

Thanks again and please feel free to file any other bugs you might find.

** Changed in: shadow (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/890858

Title:
  user names with commas
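
An added example, not part of the original message or of the shadow/adduser code: a small audit that checks account names in passwd(5)-format text against the pattern quoted from the useradd man page and against a literal rendering of the adduser error text above. The second expression, the function name and the sample entries are assumptions constructed for illustration.

```python
import re

# Pattern quoted from the useradd man page in the message above.
USERADD_RECOMMENDED = re.compile(r"[a-z_][a-z0-9_-]*[$]?")

# Assumption: a literal rendering of the adduser error text quoted above
# (letters, digits, underscores, periods, at signs, dashes; no leading
# dash; optional trailing $). It is not adduser's own configured regex.
ADDUSER_MESSAGE = re.compile(r"[A-Za-z0-9_.@][A-Za-z0-9_.@-]*[$]?")

POLICIES = (
    ("useradd-recommended", USERADD_RECOMMENDED),
    ("adduser-message", ADDUSER_MESSAGE),
)

# Constructed sample in passwd(5) format; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
foo,bar:x:1001:1001::/home/foo,bar:/bin/sh
Alice:x:1002:1002::/home/Alice:/bin/bash
host1$:x:1003:1003::/nonexistent:/usr/sbin/nologin
-dash:x:1004:1004::/home/-dash:/bin/sh
"""


def audit_names(passwd_text):
    """Return (line number, name, failed policies) for each entry whose
    name fails at least one policy. Names are the first ':' field."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip():
            continue  # skip blank lines
        name = line.split(":", 1)[0]
        # fullmatch anchors both ends, so a trailing comma or newline
        # cannot slip past the way it could with an unanchored search.
        failed = [label for label, rx in POLICIES if not rx.fullmatch(name)]
        if failed:
            findings.append((lineno, name, failed))
    return findings


if __name__ == "__main__":
    for lineno, name, failed in audit_names(SAMPLE_PASSWD):
        print(f"line {lineno}: {name!r} fails {', '.join(failed)}")
```

To audit a real host, pass the contents of /etc/passwd to audit_names() instead of the constructed sample.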
