aboutsummaryrefslogtreecommitdiff
path: root/toys/pending
diff options
context:
space:
mode:
authorRob Landley <rob@landley.net>2014-09-26 18:49:44 -0500
committerRob Landley <rob@landley.net>2014-09-26 18:49:44 -0500
commite0d8009d76b3a2451cb6c6ed2b241c7eff06ed60 (patch)
treef2904430b0cb86f7b7a2721ae2ddd60fcf727166 /toys/pending
parente1fa787be8d0d66c9860c86dcb80fd6e096f74e0 (diff)
downloadtoybox-e0d8009d76b3a2451cb6c6ed2b241c7eff06ed60.tar.gz
The only illegal characters in a username are ":" (field separator), "\n" (line separator), and "/" (filename separator).
Restricting usernames to the legacy posix character allowed set (for filenames, so the $HOME directory is creatable on VFAT and similar) means you can't have UTF-8 usernames. Linux allows any character but / and NUL in filenames. Since root is creating these entries, we assume root knows what it's doing.
Diffstat (limited to 'toys/pending')
-rw-r--r--toys/pending/groupadd.c9
-rw-r--r--toys/pending/useradd.c4
2 files changed, 7 insertions, 6 deletions
diff --git a/toys/pending/groupadd.c b/toys/pending/groupadd.c
index 04c31ee5..7df0a5c3 100644
--- a/toys/pending/groupadd.c
+++ b/toys/pending/groupadd.c
@@ -92,11 +92,12 @@ void groupadd_main(void)
update_password(SECURE_GROUP_PATH, grp->gr_name, entry);
free(entry);
} else { //new group to be created
+ char *s = *toys.optargs;
+
/* investigate the group to be created */
- if ((grp = getgrnam(*toys.optargs)))
- error_exit("group '%s' is in use", *toys.optargs);
- setlocale(LC_ALL, "C");
- is_valid_username(*toys.optargs);
+ if (getgrnam(s)) error_exit("'%s' in use", s);
+ if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX)
+ error_exit("bad name");
new_group();
}
}
diff --git a/toys/pending/useradd.c b/toys/pending/useradd.c
index 9f1fa4c5..4f2bcc61 100644
--- a/toys/pending/useradd.c
+++ b/toys/pending/useradd.c
@@ -54,8 +54,8 @@ void useradd_main(void)
}
// Sanity check user to add
- if (strchr(s, ':') || strchr(s, '/') || strlen(s) > LOGIN_NAME_MAX)
- error_exit("bad name");
+ if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX)
+ error_exit("bad username");
// race condition: two adds at same time?
if (getpwnam(s)) error_exit("'%s' in use", s);