From 08e5e0a148b548a3eb2f5ba7acfd6ab406533268 Mon Sep 17 00:00:00 2001 From: Chris Hofstaedtler Date: Sun, 21 Jul 2024 21:02:52 +0200 Subject: [PATCH] Forbid backslashes in user/group-names They can still be used with --force-badname, but it's a start. In the long run I want to remove our relax patch, and upstream should fix the line continuation too. For #1076619. Gbp-Dch: full --- .../Relax-usernames-groupnames-checking.patch | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/patches/debian/Relax-usernames-groupnames-checking.patch b/debian/patches/debian/Relax-usernames-groupnames-checking.patch index 6eb58cfd..af174df2 100644 --- a/debian/patches/debian/Relax-usernames-groupnames-checking.patch +++ b/debian/patches/debian/Relax-usernames-groupnames-checking.patch @@ -2,10 +2,10 @@ From: Shadow package maintainers Date: Sat, 22 Jun 2024 17:39:41 +0200 Subject: Relax usernames/groupnames checking -Allows any non-empty user/grounames that don't contain ':', ',' or '\n' -characters and don't start with '-', '+', or '~'. This patch is more -restrictive than original Karl's version. closes: #264879 -Also closes: #377844 +Allows any non-empty user/grounames that don't contain ':', ',', '\\' or +'\n' characters and don't start with '-', '+', or '~'. This patch is +more restrictive than original Karl's version. closes: #264879 Also +closes: #377844 Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): @@ -22,7 +22,7 @@ Status wrt upstream: Debian specific. Not to be used upstream 3 files changed, 29 insertions(+), 32 deletions(-) diff --git a/lib/chkname.c b/lib/chkname.c -index 995562f..d9678c6 100644 +index 995562f..9954410 100644 --- a/lib/chkname.c +++ b/lib/chkname.c @@ -54,44 +54,27 @@ static bool is_valid_name (const char *name) @@ -51,7 +51,7 @@ index 995562f..d9678c6 100644 + * portable filename character set [A-Za-z0-9._-], and that the hyphen + * should not be used as the first character of a portable user name. + * -+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$ ++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\\\s][^:,\\\s]*$ + */ + if ( ('\0' == *name) + || ('-' == *name) @@ -72,7 +72,7 @@ index 995562f..d9678c6 100644 - (*name == '$' && name[1] == '\0') - )) { + do { -+ if ((':' == *name) || (',' == *name) || isspace(*name)) { ++ if ((':' == *name) || (',' == *name) || ('\\' == *name) || isspace(*name)) { return false; } - numeric &= isdigit(*name);