PikaOS-Linux / pkg-pika-first-setup

Mozilla Public License 2.0

Incorrect username validation #8

Open ferrreo opened 5 days ago

ferrreo commented 5 days ago

Here we are checking for only alphanumeric: https://github.com/PikaOS-Linux/pkg-pika-first-setup/blob/c6b9d3743223bdc0611bdf0c80dc3ea902742cc7/src/first_setup/user_carousel/mod.rs#L232C12-L232C29

This needs to instead use the regexes of NAME_REGEX and SYS_NAME_REGEX to check against as this is what adduser does.

CosmicFusion commented 4 days ago

Default regex

Allows !"#$%&'()*+,-./ many scripts don't account for that

It may have some unforeseen consequences

I think having strictly lower case alphanumeric usernames, and leaving the Fancy Stuff to gecos fullname

I may be wrong; if I am, I will happily implement it

CosmicFusion commented 4 days ago

So as far as I can see online

All ignore the name regex

As they are apparently really volatile, and cause unprofessionally written scripts to break

ferrreo commented 4 days ago

Default regex

Allows !"#$%&'()*+,-./ many scripts don't account for that

It may have some unforeseen consequences

I think having strictly lower case alphanumeric usernames, and leaving the Fancy Stuff to gecos fullname

I may be wrong; if I am, I will happily implement it

This is wrong. Those regexes only allow -_. and alphanumeric (also can't start with a .). If they are allowing any more, then our config to set those regexes is incorrect and non-standard.

We should be allowing whatever adduser allows, it has all the protections in place already, that's why it has a --allow-bad-names flag to override if you need (we do not need).

ferrreo commented 4 days ago

So as far as I can see online

  • vanilla-installer
  • calamares
  • cinnamon settings
  • gnome settings
  • plasma settings
  • ubiquity

All ignore the name regex

As they are apparently really volatile, and cause unprofessionally written scripts to break

Not correct, they all seem to be allowing - _ and . except calamares (not tried vanilla)? So they are either using the regexes or implemented their own version of the default check.

CosmicFusion commented 4 days ago

So as far as I can see online

  • vanilla-installer
  • calamares
  • cinnamon settings
  • gnome settings
  • plasma settings
  • ubiquity

All ignore the name regex

As they are apparently really volatile, and cause unprofessionally written scripts to break

Not correct, they all seem to be allowing - _ and . except calamares (not tried vanilla)? So they are either using the regexes or implemented their own version of the default check.

Ok... I will switch the regex

erenfro commented 2 days ago

Thank you very much for looking into this! I wanted to point out that the "VALID NAMES" section of man 5 adduser.conf shows basically that usernames must start with a lowercase alpha character (system users can additionally start with an underscore), be all lower-case, and can include digits, dash, and underscore, in the current spec. Historically it could also include periods, @ signs, and end in $, specifically due to samba machine accounts.
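The rule as summarised in the last comment, next to an alphanumeric-only check, as an added example that is not part of the thread or of the project's code. `validate_username`, `alnum_only`, `NameError` and the sample names are hypothetical; the sketch hard-codes the described character set instead of reading NAME_REGEX and SYS_NAME_REGEX from adduser.conf, which is what the issue asks for.

```rust
// Added example: the username rule described in the thread (current spec per
// the last comment), written without a regex crate. Not the project's code.

#[derive(Debug, PartialEq)]
enum NameError {
    Empty,
    BadFirstChar(char),
    BadChar(char),
}

/// `system = true` additionally allows a leading underscore (system users).
/// The historical extras ('.', '@', trailing '$') are deliberately rejected.
fn validate_username(name: &str, system: bool) -> Result<(), NameError> {
    let mut chars = name.chars();
    let first = chars.next().ok_or(NameError::Empty)?;
    // ASCII-only tests: uppercase and non-ASCII letters must not pass.
    if !(first.is_ascii_lowercase() || (system && first == '_')) {
        return Err(NameError::BadFirstChar(first));
    }
    for c in chars {
        if !(c.is_ascii_lowercase() || c.is_ascii_digit() || c == '-' || c == '_') {
            return Err(NameError::BadChar(c));
        }
    }
    Ok(())
}

/// Hypothetical stand-in for an "alphanumeric only" check, for comparison.
/// char::is_alphanumeric is Unicode-aware, so it accepts 'A' and '\u{f3}'
/// while rejecting the '-' and '_' that the described rule allows.
fn alnum_only(name: &str) -> bool {
    !name.is_empty() && name.chars().all(char::is_alphanumeric)
}

fn main() {
    // Constructed sample names.
    let samples = ["alice", "build-bot", "web_admin", "_apt", "Alice",
                   "9lives", "j\u{f3}zef", "a.b", ""];
    for n in samples {
        println!("{:12} alnum_only={:<5} user={:?} system={:?}",
                 format!("{:?}", n), alnum_only(n),
                 validate_username(n, false), validate_username(n, true));
    }
}
```

The two checks disagree in both directions: the alphanumeric-only one refuses `build-bot` and `web_admin`, yet passes `Alice`, `9lives` and non-ASCII letters that the described rule rejects.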