-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/Relax-usernames-groupnames-checking.patch | 125 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/watch | 1 |
4 files changed, 135 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 557e843..d7f551b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +shadow (1:4.15.2-3) unstable; urgency=medium + + * d/watch: add versionmangle for -rc + * Revert "Use upstream's restrictions on user- and group names again". + Breaks adduser's tests, see #1074306. + + -- Chris Hofstaedtler <zeha@debian.org> Wed, 26 Jun 2024 12:40:34 +0200 + shadow (1:4.15.2-2) unstable; urgency=medium * useradd(8): Fix missing paragraph on username length diff --git a/debian/patches/Relax-usernames-groupnames-checking.patch b/debian/patches/Relax-usernames-groupnames-checking.patch new file mode 100644 index 0000000..8e00d43 --- /dev/null +++ b/debian/patches/Relax-usernames-groupnames-checking.patch 
@@ -0,0 +1,125 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Relax usernames/groupnames checking
+
+Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+characters and don't start with '-', '+', or '~'. This patch is more
+restrictive than original Karl's version. closes: #264879
+Also closes: #377844
+
+Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+
+I can't come up with a good justification as to why characters other
+than ':'s and '\0's should be disallowed in group and usernames (other
+than '-' as the leading character). Thus, the maintenance tools don't
+anymore. closes: #79682, #166798, #171179
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Gbp-Topic: debian
+---
+ lib/chkname.c | 47 +++++++++++++++--------------------------------
+ man/groupadd.8.xml | 6 ++++++
+ man/useradd.8.xml | 8 ++++++++
+ 3 files changed, 29 insertions(+), 32 deletions(-)
+
+diff --git a/lib/chkname.c b/lib/chkname.c
+index 995562f..d9678c6 100644
+--- a/lib/chkname.c
++++ b/lib/chkname.c
+@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
+ }
+
+ /*
+- * User/group names must match BRE regex:
+- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
+- *
+- * as a non-POSIX, extension, allow "$" as the last char for
+- * sake of Samba 3.x "add machine script"
+- *
+- * Also do not allow fully numeric names or just "." or "..".
+- */
+- int numeric;
+-
+- if ('\0' == *name ||
+- ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+- '\0' == name[1])) ||
+- !((*name >= 'a' && *name <= 'z') ||
+- (*name >= 'A' && *name <= 'Z') ||
+- (*name >= '0' && *name <= '9') ||
+- *name == '_' ||
+- *name == '.')) {
++ * POSIX indicate that usernames are composed of characters from the
++ * portable filename character set [A-Za-z0-9._-], and that the hyphen
++ * should not be used as the first character of a portable user name.
++ *
++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
++ */
++ if ( ('\0' == *name)
++ || ('-' == *name)
++ || ('~' == *name)
++ || ('+' == *name)) {
+ return false;
+ }
+
+- numeric = isdigit(*name);
+-
+- while ('\0' != *++name) {
+- if (!((*name >= 'a' && *name <= 'z') ||
+- (*name >= 'A' && *name <= 'Z') ||
+- (*name >= '0' && *name <= '9') ||
+- *name == '_' ||
+- *name == '.' ||
+- *name == '-' ||
+- (*name == '$' && name[1] == '\0')
+- )) {
++ do {
++ if ((':' == *name) || (',' == *name) || isspace(*name)) {
+ return false;
+ }
+- numeric &= isdigit(*name);
+- }
++ name++;
++ } while ('\0' != *name);
+
+- return !numeric;
++ return true;
+ }
+
+
+diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
+index 61a548f..d472bd0 100644
+--- a/man/groupadd.8.xml
++++ b/man/groupadd.8.xml
+@@ -71,6 +71,12 @@
+ Fully numeric groupnames and groupnames . or .. are
+ also disallowed.
+ </para>
++ <para>
++ On Debian, the only constraints are that groupnames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space:' ',
++ end of line: '\n', tabulation: '\t', etc.).
++ </para>
+ <para>
+ Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+ </para>
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 17987a6..c98b214 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -735,6 +735,14 @@
+ <para>
+ Usernames may only be up to 256 characters long.
+ </para>
++ <para>
++ On Debian, the only constraints are that usernames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space: ' ',
++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++ ('/') may break the default algorithm for the definition of the
++ user's home directory.
++ </para>
+ </refsect1>
+
+ <refsect1 id='configuration'>
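Review bot: In the new `do … while` loop of is_valid_name (lib/chkname.c part of this patch), `isspace(*name)` is handed a plain `char`, and because the relaxed rule now lets bytes >= 0x80 (for example UTF-8 names) reach it, the argument can be negative where `char` is signed, which is undefined behaviour for the `<ctype.h>` functions; the removed code only called `isdigit` on bytes it had already range-checked as ASCII. The call should read `isspace((unsigned char)*name)`. Separately, with the old checks gone, `.`, `..`, fully numeric names, names containing `/` and names carrying non-whitespace control bytes are all accepted, while the useradd text warns only about `/` and the groupadd context lines still state that numeric names and `.`/`..` are disallowed. If that widening is intended, the block comment above the first `if` should say so explicitly, e.g. `* Note: ".", "..", all-digit names, '/' and control characters are accepted here.`; otherwise the `.`/`..` and all-digit rejections should stay. is_valid_name begins before this hunk, so any earlier filtering in the function is not visible here.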
diff --git a/debian/patches/series b/debian/patches/series
index e11ce1a..3579d32 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ Set-group-and-mode-for-g-shadow-files.patch
 Keep-using-Debian-adduser-defaults.patch
 Document-the-shadowconfig-utility.patch
 Recommend-using-adduser-and-deluser.patch
+Relax-usernames-groupnames-checking.patch
diff --git a/debian/watch b/debian/watch
index e71adb7..f34a05d 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,6 +1,7 @@
 version=4
 opts=downloadurlmangle=s/archive\/refs\/tags\/(.*)\.tar\.gz/releases\/download\/$1\/@PACKAGE@-$1\.tar\.xz/,\
 pgpsigurlmangle=s/$/.asc/,\
+ versionmangle=s/-(alpha|beta|rc)/~$1/,\
 dversionmangle=s/\+dfsg1//,repacksuffix=+dfsg1 \
 https://github.com/shadow-maint/@PACKAGE@/tags \
 /shadow-maint/@PACKAGE@/archive/refs/tags/([^v].*)\.tar\.gz |