Red Hat Bugzilla – Bug 448408
Incorrect test for invalid group/user names
Last modified: 2008-06-03 08:11:38 EDT
Description of problem: The regexp used in "group" to test whether a group name is valid, and in "passwd" to test whether a user name is valid, is incorrect. The correct test (used uniformly in Fedora packages such as libuser and shadow) is: * total length <= UT_NAMESIZE - 1 * allowed characters are [a-zA-Z0-9], '.', '_', '-' * first character is not a hyphen * in addition to the other allowed characters, the last character may be a '$'. Version-Release number of selected component (if applicable): sectool-0.7.4-1.i386
Thanks for the report.. Fixed in commits http://git.fedorahosted.org/git/sectool.git/?p=sectool.git;a=commit;h=e6cdbc15694cc7aea0c6ba9e451eaec48a6d6358 and http://git.fedorahosted.org/git/sectool.git/?p=sectool.git;a=commit;h=f4a36885b1302a883d439c612c5a8aec2c9bc95d I watched chkname.c in shadow-utils and I found that even upper-case letters are not allowed.. so the regex, with which I test it now, is '^[a-z_][a-z0-9_-]*[$]?$'
Please check shadow-4.1.2-goodname.patch, which is used in our packages. The rules used by the patch are those I posted above.
OK, I used the regex from the shadow goodname patch, so now it is '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'. (I don't test the length in regex, but in another condition to give the user better error message about the problem).