[Bug 890858] Re: user names with commas
Jamie Strandboge
jamie at ubuntu.com
Fri Nov 18 22:53:33 UTC 2011
Thank you for using Ubuntu and reporting a bug. While this behavior is
on the surface quite odd, it is not a security vulnerability because
using the useradd command is a privileged operation. Therefore if you
have privileges to add a user, you can just modify the files directly
rather than using useradd. Additionally, there is no problem with LDAP
as the useradd command cannot be used to manipulate LDAP entries (see
the man page for useradd).
Furthermore, from the useradd manpage:
"useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead."
The man page also tells you what values you should be using when using this command:
"It is usually recommended to only use usernames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular [a-z_][a-z0-9_-]*[$]?"
The recommended adduser command appropriately errors out:
$ sudo adduser "foo,bar"
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not start with
a dash (as defined by IEEE Std 1003.1-2001). For compatibility with Samba
machine accounts $ is also supported at the end of the username
As such, I am marking this as "Won't Fix". While it would arguably be
good for the useradd command to filter its input better, that is
precisely what the adduser command is for.
Thanks again and please feel free to file any other bugs you might find.
** Changed in: shadow (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/890858
Title:
user names with commas
Status in “shadow” package in Ubuntu:
Won't Fix
Bug description:
I am using Ubuntu 10.04.3 LTS in a server production environment.
I have discovered that the useradd program accepts user names with commas, e.g. useradd "foo,bar".
This symbol is used to separate group members in /etc/group, so allowing it in a user name introduces unwanted behaviour and completely breaks group membership.
It gets worse.
Adding user "foo,bar" to the group "baz" will instead make users "foo" and "bar" members of "baz".
This seems like a serious security issue.
IMHO useradd and related utilities should never accept names with
symbols used in the internal data structure, unless character escaping
is implemented.
I do not know whether LDAP systems can be affected by this, or if it
is just local accounts.
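The mechanism the report describes, and the username pattern the reply quotes from the useradd man page, can both be checked offline. The following is an added example written for this page, not code from shadow, adduser or Ubuntu; the /etc/group and /etc/passwd lines it parses are constructed samples, and the regular expression is a direct transcription of the man page's [a-z_][a-z0-9_-]*[$]? pattern. It shows how a "foo,bar" entry in the member field of /etc/group reads back as the two members "foo" and "bar", and gives a small audit function an administrator can run over a copy of /etc/passwd to find account names that fall outside the recommended pattern.

```python
import re

# Username policy as quoted on this page from the useradd man page: one
# lower-case letter or underscore, then lower-case letters, digits,
# underscores or dashes, optionally ending in "$" (Samba machine accounts).
USERADD_RECOMMENDED = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Constructed sample lines (not taken from any real system).  The group line
# is what /etc/group would contain after the report's "add user foo,bar to
# group baz" step: the comma inside the name is indistinguishable from the
# comma that separates members.
SAMPLE_GROUP_LINE = "baz:x:1005:alice,foo,bar\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "foo,bar:x:1001:1001::/home/foo,bar:/bin/bash\n"
    "web_svc-1$:x:1002:1002::/nonexistent:/usr/sbin/nologin\n"
)


def is_recommended_name(name: str) -> bool:
    """True if the name matches the pattern recommended by useradd(8)."""
    return USERADD_RECOMMENDED.fullmatch(name) is not None


def group_members(group_line: str) -> list[str]:
    """Parse one /etc/group line (name:password:gid:member,member,...) the way
    the C library does: the fourth field is split on commas, so a member name
    that itself contains a comma cannot survive the round trip."""
    fields = group_line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed /etc/group line: {group_line!r}")
    member_field = fields[3]
    return member_field.split(",") if member_field else []


def audit_passwd(passwd_text: str) -> list[str]:
    """Return the account names in passwd-format text that do not match the
    recommended pattern, so an administrator can review them."""
    offenders = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if not is_recommended_name(name):
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    members = group_members(SAMPLE_GROUP_LINE)
    print("members of baz as read back:", members)
    print("'foo,bar' is a member:", "foo,bar" in members)
    print("names outside the recommended pattern:", audit_passwd(SAMPLE_PASSWD))
```

Running the script on the constructed samples shows the membership list as alice, foo and bar, with no trace of a user called "foo,bar", and the audit reports only "foo,bar" (the Samba-style "web_svc-1$" name is within the pattern). On a real host the same audit can be pointed at the contents of /etc/passwd, and /etc/group can be checked with the same splitting logic.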