From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 221416] pw useradd accepts invalid user names
Date: Fri, 11 Aug 2017 11:42:44 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221416

Bug ID: 221416
Summary: pw useradd accepts invalid user names
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch, regression
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs@FreeBSD.org
Reporter: fk@fabiankeil.de
Flags: mfc-stable10?, mfc-stable11?

Created attachment 185282
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=185282&action=edit
pw useradd: Validate the user name before creating the entry

When the -g option is used, pw useradd doesn't validate the user name.

A command like:

    pw useradd -u 1234 -g 1234 -n 'test user'

creates an invalid user.

The "-g 1234" is relevant, without it the name is rejected as expected:

    [fk@test ~]$ sudo pw useradd -u 1234 -n 'test user'
    pw: invalid character ` ' at position 4 in userid/group name

Bug unintentionally found with a salt config without explicit name entry:

    test user:
      user.present:
        - uid: 1234
        - gid: 1234
        - fullname: Test user
        - shell: /usr/local/bin/bash
        - home: /home/test
        - groups:
          - wheel
          - salt

"Luckily" salt modules rarely bother with input validation either ...

This regression was introduced when pw was refactored in 2015.

The attached patch fixes the issue and adds regression tests.

Obtained from: ElectroBSD
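
Since the -g path described above can leave accounts with invalid names in the password database, an audit of existing entries is a useful follow-up. The C sketch below is an added example, not part of the bug report or the attached patch: it flags login names in passwd-style text and locates the first offending byte, the way the pw error message above reports a position. The rejected-character set, the function names and the sample data are assumptions of this example, not pw's own code.

```c
#include <stdio.h>
#include <string.h>

/* Assumed rule set for this example (not taken from pw's source). */
static const char BAD_CHARS[] = " ,\t:+&#%$^()!@~*?<>=|\\/\";";

/* Index of the first invalid byte in name, or -1 if the name passes. */
int first_bad_pos(const char *name)
{
    if (name[0] == '\0' || name[0] == '-')   /* empty or option-like */
        return 0;
    for (int i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c <= ' ' || c >= 127 || strchr(BAD_CHARS, c) != NULL)
            return i;
    }
    return -1;
}

/* Count passwd-style lines whose login field (text before the first ':')
 * fails the check. Blank lines and '#' comment lines are skipped. */
int audit_passwd(const char *text)
{
    int bad = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");    /* whole line */
        size_t nlen = strcspn(text, ":\n");  /* login field */
        char name[64] = "";                  /* stays empty if over-long */
        if (nlen < sizeof(name))
            memcpy(name, text, nlen);
        if (len > 0 && text[0] != '#' && first_bad_pos(name) >= 0) {
            printf("invalid login name: '%.*s'\n", (int)nlen, text);
            bad++;
        }
        text += len + (text[len] == '\n');
    }
    return bad;
}

/* Constructed sample in master.passwd layout, not from a real system. */
static const char SAMPLE[] =
    "# constructed sample\n"
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "test user:*:1234:1234::0:0:Test user:/home/test:/usr/local/bin/bash\n";

int main(void)
{
    return audit_passwd(SAMPLE) == 1 ? 0 : 1;
}
```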