author | Lennart Poettering <lennart@poettering.net> | 2020-04-04 12:23:02 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-04-08 17:11:20 +0200 |
commit | 7a8867abfab10e5bbca10590ec2aa40c5b27d8fb (patch) | |
tree | b36865fc95cfecd9d68ed65faa74c5c409006302 /src/home/homectl.c | |
parent | userdbctl: drop redundant user name validity check (diff) | |
user-util: rework how we validate user names

This reworks the user validation infrastructure. There are now two
modes. In regular mode we are strict and test against a strict set of
valid chars. And in "relaxed" mode we just filter out some really
obvious, dangerous stuff. i.e. strict is whitelisting what is OK, but
"relaxed" is blacklisting what is really not OK.

The idea is that we use strict mode whenever we allocate a new user
(i.e. in sysusers.d or homed), while "relaxed" mode is when we process
users registered elsewhere, (i.e. userdb, logind, …)

The requirements on user name validity vary wildly. SSSD thinks it's fine
to embed "@" for example, while the suggested NAME_REGEX field on
Debian does not even allow uppercase chars…

This effectively liberalizes a lot what we expect from usernames.

The code that warns about questionable user names is now optional and
only used at places such as unit file parsing, so that it doesn't show
up on every userdb query, but only when processing configuration files
that know better.

Fixes: #15149 #15090

Diffstat (limited to 'src/home/homectl.c')
-rw-r--r-- | src/home/homectl.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/home/homectl.c b/src/home/homectl.c index 1ccc053d3f..66d4bb6bd6 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c @@ -540,7 +540,7 @@ static int inspect_home(int argc, char *argv[], void *userdata) { r = parse_uid(*i, &uid); if (r < 0) { - if (!valid_user_group_name(*i)) { + if (!valid_user_group_name(*i, 0)) { log_error("Invalid user name '%s'.", *i); if (ret == 0) ret = -EINVAL; @@ -1395,7 +1395,7 @@ static int create_home(int argc, char *argv[], void *userdata) { if (argc >= 2) { /* If a username was specified, use it */ - if (valid_user_group_name(argv[1])) + if (valid_user_group_name(argv[1], 0)) r = json_variant_set_field_string(&arg_identity_extra, "userName", argv[1]); else { _cleanup_free_ char *un = NULL, *rr = NULL; @@ -3357,7 +3357,7 @@ static int parse_argv(int argc, char *argv[]) { if (r == 0) break; - if (!valid_user_group_name(word)) + if (!valid_user_group_name(word, 0)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid group name %s.", word); mo = json_variant_ref(json_variant_by_key(arg_identity_extra, "memberOf")); |
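
Review bot: In inspect_home(), `valid_user_group_name(*i, 0)` validates a name that is only being looked up, not allocated, and passing 0 appears to select the regular strict mode described in the commit message. The message reserves strict mode for allocating new users and relaxed mode for processing users registered elsewhere, so please confirm that inspect can never be asked about a record whose name passes only the relaxed check. If it can, this call wants the relaxed mode; if it cannot, a one-line comment saying why strict is intended here would save the next reader the same question.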
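
Review bot: In create_home(), the bare `0` in `valid_user_group_name(argv[1], 0)` does not tell the reader which validation mode is in force. Strict looks like the right choice because this path allocates a new user, which is what the commit message prescribes for homed, but nothing at the call site says so. A short comment stating that strict validation is deliberate here would document the intent and make it harder for a later change to loosen this check by accident.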
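
Review bot: In parse_argv(), the group names collected into "memberOf" are checked with `valid_user_group_name(word, 0)`, yet these groups are referenced rather than created by this code. If a group registered elsewhere has a name that only passes the relaxed check, this rejects it with "Invalid group name", so it is worth stating in a comment whether that restriction is intended. As a style point, the message prints the name as `%s` without quotes, while the inspect_home() message uses `'%s'`; quoting it here too would make stray whitespace or odd characters in a rejected name visible in the log.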