[Bug 890858] Re: user names with commas
Jamie Strandboge
jamie at ubuntu.com
Fri Nov 18 22:45:40 UTC 2011
** Visibility changed to: Public
** This bug is no longer flagged as a security vulnerability
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/890858
Title:
user names with commas
Status in “shadow” package in Ubuntu:
Won't Fix
Bug description:
I am using Ubuntu 10.04.3 LTS in a server production environment.
I have discovered that the useradd program accepts user names with commas, e.g. useradd "foo,bar".
This symbol is used so separate group members in /etc/group, so allowing it in a user name introduces unwanted behaviour and completely breaks group membership.
It gets worse.
Adding user "foo,bar" to the group "baz" will instead make users "foo" and "bar" members of "baz".
This seems like a serious security issue.
IMHO useradd and related utilities should never accept names with
symbols used in the internal data structure, unless character escaping
is implemented.
I do not know whether LDAP systems can be affected by this, or if it
is just local accounts.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/890858/+subscriptions
More information about the foundations-bugs
mailing list