[Bug 221416] pw useradd accepts invalid user names

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Aug 11 11:42:44 UTC 2017


            Bug ID: 221416
           Summary: pw useradd accepts invalid user names
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch, regression
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: fk at fabiankeil.de
             Flags: mfc-stable10?, mfc-stable11?

Created attachment 185282
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=185282&action=edit
pw useradd: Validate the user name before creating the entry

When the -g option is used, pw useradd doesn't validate the user name.

A command like:
    pw useradd -u 1234 -g 1234 -n 'test user'
creates an invalid user.

The "-g 1234" is relevant, without it the name is rejected as expected:

    [fk at test ~]$ sudo pw useradd -u 1234 -n 'test user'
    pw: invalid character ` ' at position 4 in userid/group name

Bug unintentionally found with a salt config without explicit name entry:

    test user:
        - uid: 1234
        - gid: 1234
        - fullname: Test user
        - shell: /usr/local/bin/bash
        - home: /home/test
        - groups:
          - wheel
          - salt

"Luckily" salt modules rarely bother with input validation either ...

This regression was introduced when pw was refactored in 2015.

The attached patch fixes the issue and adds regression tests.

Obtained from: ElectroBSD

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list