The only illegal characters in a username are ":" (field separator), "\n" (line separator), and "/" (filename separator).

Restricting usernames to the legacy posix character allowed set (for filenames,
so the $HOME directory is creatable on VFAT and similar) means you can't have
UTF-8 usernames. Linux allows any character but / and NUL in filenames.
Since root is creating these entries, we assume root knows what it's doing.

2 files changed, 7 insertions, 6 deletions

diff --git a/toys/pending/groupadd.c b/toys/pending/groupadd.c
index 04c31ee5..7df0a5c3 100644
--- a/toys/pending/groupadd.c
+++ b/toys/pending/groupadd.c
@@ -92,11 +92,12 @@ void groupadd_main(void)
     update_password(SECURE_GROUP_PATH, grp->gr_name, entry);
     free(entry);
   } else {    //new group to be created
+    char *s = *toys.optargs;
+
     /* investigate the group to be created */
-    if ((grp = getgrnam(*toys.optargs))) 
-      error_exit("group '%s' is in use", *toys.optargs);
-    setlocale(LC_ALL, "C");
-    is_valid_username(*toys.optargs);
+    if (getgrnam(s)) error_exit("'%s' in use", s);
+    if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX)
+      error_exit("bad name");
     new_group();
   }
 }
diff --git a/toys/pending/useradd.c b/toys/pending/useradd.c
index 9f1fa4c5..4f2bcc61 100644
--- a/toys/pending/useradd.c
+++ b/toys/pending/useradd.c
@@ -54,8 +54,8 @@ void useradd_main(void)
   }
 
   // Sanity check user to add
-  if (strchr(s, ':') || strchr(s, '/') || strlen(s) > LOGIN_NAME_MAX)
-    error_exit("bad name");
+  if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX)
+    error_exit("bad username");
   // race condition: two adds at same time?
   if (getpwnam(s)) error_exit("'%s' in use", s);