shadow: use relaxed usernames

The groupadd from shadow does not allow upper case group names, the
same is true for the upstream shadow. But distributions like
Debian/Ubuntu/CentOS has their own way to cope with this problem,
this patch is picked up from Fedora [1] to relax the usernames
restrictions to allow the upper case group names, and the relaxation is
POSIX compliant because POSIX indicate that usernames are composed of
characters from the portable filename character set [A-Za-z0-9._-].

[1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch

Signed-off-by: Alexander Kanavin <alex@linutronix.de>

diff --git a/libmisc/chkname.c b/libmisc/chkname.c
index cb002a1483289df2a0d5377615c4c4b881d0df55..e31ee8c9471e4aec3818119c5578475e25e5073c 100644 (file)
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@@ -32,26 +32,44 @@ static bool is_valid_name (const char *name)
        }
 
        /*
-        * User/group names must match [a-z_][a-z0-9_-]*[$]
-        */
+         * User/group names must match gnu e-regex:
+         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+         *
+         * as a non-POSIX, extension, allow "$" as the last char for
+         * sake of Samba 3.x "add machine script"
+         *
+         * Also do not allow fully numeric names or just "." or "..".
+         */
+       int numeric;
 
-       if (('\0' == *name) ||
-           !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+       if ('\0' == *name ||
+           ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+                             '\0' == name[1])) ||
+           !((*name >= 'a' && *name <= 'z') ||
+             (*name >= 'A' && *name <= 'Z') ||
+             (*name >= '0' && *name <= '9') ||
+             *name == '_' ||
+             *name == '.')) {
                return false;
        }
 
+       numeric = isdigit(*name);
+
        while ('\0' != *++name) {
-               if (!(( ('a' <= *name) && ('z' >= *name) ) ||
-                     ( ('0' <= *name) && ('9' >= *name) ) ||
-                     ('_' == *name) ||
-                     ('-' == *name) ||
-                     ( ('$' == *name) && ('\0' == *(name + 1)) )
+               if (!((*name >= 'a' && *name <= 'z') ||
+                     (*name >= 'A' && *name <= 'Z') ||
+                     (*name >= '0' && *name <= '9') ||
+                     *name == '_' ||
+                     *name == '.' ||
+                     *name == '-' ||
+                     (*name == '$' && name[1] == '\0')
                     )) {
                        return false;
                }
+               numeric &= isdigit(*name);
        }
 
-       return true;
+       return !numeric;
 }
 
 bool is_valid_user_name (const char *name)

diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
index 26671f92deb528c452c1c887757513019cc954b5..61a548f7e5ff62119589abfae5f6b78c1ccadebe 100644 (file)
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
@@ -64,10 +64,12 @@
       files as needed.
     </para>
      <para>
-       Groupnames must start with a lower case letter or an underscore,
-       followed by lower case letters, digits, underscores, or dashes.
-       They can end with a dollar sign.
-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+       Groupnames may contain only lower and upper case letters, digits,
+       underscores, or dashes. They can end with a dollar sign.
+
+       Dashes are not allowed at the beginning of the groupname.
+       Fully numeric groupnames and groupnames . or .. are
+       also disallowed.
      </para>
      <para>
        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.

diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index af02a23f89e1d392cc3e40572ec9793ef664656a..9eb80bbb93a5ace1af7d6f9cbd751cc59834812e 100644 (file)
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -692,10 +692,14 @@
     </para>
 
     <para>
-      Usernames must start with a lower case letter or an underscore,
-      followed by lower case letters, digits, underscores, or dashes.
-      They can end with a dollar sign.
-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      Usernames may contain only lower and upper case letters, digits,
+      underscores, or dashes. They can end with a dollar sign.
+
+      Dashes are not allowed at the beginning of the username.
+      Fully numeric usernames and usernames . or .. are
+      also disallowed. It is not recommended to use usernames beginning
+      with . character as their home directories will be hidden in
+      the <command>ls</command> output.
     </para>
     <para>
       Usernames may only be up to 32 characters long.