Bug 212136 - Mismatch of allowed usernames between useradd and pam_unix
Summary: Mismatch of allowed usernames between useradd and pam_unix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-25 09:29 UTC by Bastien Nocera
Modified: 2015-01-08 00:14 UTC (History)

Fixed In Version: RHBA-2007-0300
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-01 17:24:50 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0300 0 normal SHIPPED_LIVE pam bug fix update 2007-05-01 17:22:38 UTC

Description Bastien Nocera 2006-10-25 09:29:48 UTC
(This happens in FC6 and RHEL5 as well)

# useradd _foo
# passwd _foo
Changing password for user _foo.
passwd: Authentication token manipulation error

From pam_unix_passwd.c:
       /*
        * First get the name of a user
        */
       retval = pam_get_user(pamh, &user, "Username: ");
       if (retval == PAM_SUCCESS) {
               /*
                * Various libraries at various times have had bugs related to
                * '+' or '-' as the first character of a user name. Don't take
                * any chances here. Require that the username starts with an
                * alphanumeric character.
                */
               if (user == NULL || !isalnum(*user)) {
                       _log_err(LOG_ERR, pamh, "bad username [%s]", user);
                       return PAM_USER_UNKNOWN;
               }

useradd should be modified to allow the same usernames as pam_unix (or vice-versa).

Comment 1 Peter Vrabec 2006-10-25 12:00:18 UTC
Another option is to fix it on PAM side.

Comment 2 Tomas Mraz 2006-10-25 12:15:43 UTC
Useradd allows [a-zA-Z0-9_.] as first character. We should allow the same in PAM.

Comment 3 RHEL Program Management 2006-10-25 12:25:13 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Peter Vrabec 2006-10-25 12:28:36 UTC
Also, luseradd supports "_" as the first character of a user name.
# luseradd _foo
# echo $?
0



Comment 5 Jay Turner 2006-10-25 12:54:06 UTC
QE ack for 4.5.

Comment 10 Linus Swälas 2007-01-12 12:49:00 UTC
To be conformant with IEEE 1003.1-2004, and probably 2001 too, a username should
consist of characters from the "Portable Filename Character Set". The set
consists of all alphanumeric characters and ._-. (Dot, underscore and hyphen).
To be conformant, it should not begin with a hyphen.

For those of you who can't wait for a fix of this you can fix it
yourselves: 
In pam_unix_passwd.c and pam_unix_auth.c you can replace the lines:
if (user == NULL || !isalnum(*user)) {
with:
if (user == NULL || (!isalnum(*user) && (*user !='_' && *user !='.'))) {
and then rebuild your PAM package.
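
Added example (not part of the comment above and not code from the PAM or shadow-utils sources): the first-character check quoted in the report, the relaxed check from comment 10, and a whole-name check for the portable filename character set rule cited there, run side by side. The function names and the sample usernames are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check quoted in the report: the first character must be alphanumeric.
 * The cast to unsigned char avoids undefined behaviour in isalnum()
 * when char is signed and the byte is >= 0x80. */
int pam_first_char_original(const char *user) {
    return user != NULL && isalnum((unsigned char)*user);
}

/* Relaxed check from comment 10: '_' and '.' are also accepted first. */
int pam_first_char_relaxed(const char *user) {
    return user != NULL &&
           (isalnum((unsigned char)*user) || *user == '_' || *user == '.');
}

/* Whole-name check for the rule cited in comment 10: only alphanumerics
 * and "._-" anywhere in the name, and no leading hyphen. */
int posix_portable_username(const char *user) {
    if (user == NULL || *user == '\0' || *user == '-')
        return 0;
    for (const char *p = user; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && strchr("._-", *p) == NULL)
            return 0;
    return 1;
}

int main(void) {
    /* Constructed sample names, including the one from the report. */
    const char *names[] = { "foo", "_foo", ".foo", "foo-bar", "-foo", "+foo" };
    printf("%-8s %8s %8s %8s\n", "name", "original", "relaxed", "portable");
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s %8d %8d %8d\n", names[i],
               pam_first_char_original(names[i]),
               pam_first_char_relaxed(names[i]),
               posix_portable_username(names[i]));
    return 0;
}
```

A name such as `_foo` is where the original check disagrees with the other two; `-foo` and `+foo` stay rejected by all three.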

Comment 16 Red Hat Bugzilla 2007-05-01 17:24:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0300.html


