diff options
author | Rob Landley <rob@landley.net> | 2014-09-26 18:49:44 -0500 |
---|---|---|
committer | Rob Landley <rob@landley.net> | 2014-09-26 18:49:44 -0500 |
commit | e0d8009d76b3a2451cb6c6ed2b241c7eff06ed60 (patch) | |
tree | f2904430b0cb86f7b7a2721ae2ddd60fcf727166 /toys | |
parent | e1fa787be8d0d66c9860c86dcb80fd6e096f74e0 (diff) | |
download | toybox-e0d8009d76b3a2451cb6c6ed2b241c7eff06ed60.tar.gz |
The only illegal characters in a username are ":" (field separator), "\n" (line separator), and "/" (filename separator).
Restricting usernames to the legacy posix character allowed set (for filenames,
so the $HOME directory is creatable on VFAT and similar) means you can't have
UTF-8 usernames. Linux allows any character but / and NUL in filenames.
Since root is creating these entries, we assume root knows what it's doing.
Diffstat (limited to 'toys')
-rw-r--r-- | toys/pending/groupadd.c | 9 | ||||
-rw-r--r-- | toys/pending/useradd.c | 4 |
2 files changed, 7 insertions, 6 deletions
diff --git a/toys/pending/groupadd.c b/toys/pending/groupadd.c index 04c31ee5..7df0a5c3 100644 --- a/toys/pending/groupadd.c +++ b/toys/pending/groupadd.c @@ -92,11 +92,12 @@ void groupadd_main(void) update_password(SECURE_GROUP_PATH, grp->gr_name, entry); free(entry); } else { //new group to be created + char *s = *toys.optargs; + /* investigate the group to be created */ - if ((grp = getgrnam(*toys.optargs))) - error_exit("group '%s' is in use", *toys.optargs); - setlocale(LC_ALL, "C"); - is_valid_username(*toys.optargs); + if (getgrnam(s)) error_exit("'%s' in use", s); + if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX) + error_exit("bad name"); new_group(); } } diff --git a/toys/pending/useradd.c b/toys/pending/useradd.c index 9f1fa4c5..4f2bcc61 100644 --- a/toys/pending/useradd.c +++ b/toys/pending/useradd.c @@ -54,8 +54,8 @@ void useradd_main(void) } // Sanity check user to add - if (strchr(s, ':') || strchr(s, '/') || strlen(s) > LOGIN_NAME_MAX) - error_exit("bad name"); + if (s[strcspn(s, ":/\n")] || strlen(s) > LOGIN_NAME_MAX) + error_exit("bad username"); // race condition: two adds at same time? if (getpwnam(s)) error_exit("'%s' in use", s); |