[Bug 1927078] Re: Don't allow useradd to use fully numeric names

Robie Basak 1927078 at bugs.launchpad.net
Wed Jul 21 14:51:50 UTC 2021 

Hello Victor, or anyone else affected,

Accepted shadow into hirsute-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu8.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
hirsute to verification-done-hirsute. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-hirsute. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shadow (Ubuntu Hirsute)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  Fix Released
Status in shadow source package in Focal:
  In Progress
Status in shadow source package in Groovy:
  Won't Fix
Status in shadow source package in Hirsute:
  Fix Committed
Status in shadow source package in Impish:
  Fix Released

Bug description:
  [Impact]

   * If a fully numeric username is created, it will cause
     problems with systemd. One example is that the user with
     this type of name can log in, but loginctl will not create
     a session for them.
   * This can also cause users to be unable to log in to a gdm
     environment

  [Test Case]

   * `useradd 123` (this command should succeed)
   * `userdel 123` to clean up the user that was just added
   * Install `shadow` from -proposed
   * `useradd 123` should now fail

  [Regression Potential]
   * If there were a logic error in the fix, it is possible
     that valid usernames would now be disallowed.
   * Many test cases have been added to ensure this is not
     the case, and --badnames would still provide a work-around
   * [racb] Users may have scripts that are currently using numeric usernames and these scripts will break as a consequence of this deliberate change in stable Ubuntu releases. However, based on the discussion in the bug, we think this is preferable to leaving such users with unstable behaviour such as systemd's behaviour described.

  [Original Description]

  Fully numeric names support in Ubuntu is inconsistent in Focal onwards
  because systemd does not like them[1] but are still allowed by default
  by useradd, leaving the session behavior in hands of the running
  applications. Two examples:

  1. After creating a user named "0", the user can log in via ssh or
  console but loginctl won't create a session for it:

  root at focal:/home/ubuntu# useradd -m 0
  root at focal:/home/ubuntu# id 0
  uid=1005(0) gid=1005(0) groups=1005(0)

  ..

  0 at 192.168.122.6's password:
  Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

  Last login: Thu Apr  8 16:17:06 2021 from 192.168.122.1
  $ loginctl
  No sessions.
  $ w
   16:20:09 up 4 min,  1 user,  load average: 0.03, 0.14, 0.08
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  0        pts/0    192.168.122.1    16:17    0.00s  0.00s  0.00s w

  And pam-systemd shows the following message:

  Apr 08 16:17:06 focal sshd[1584]: pam_unix(sshd:session): session opened for user 0 by (uid=0)
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): pam-systemd initializing
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): Failed to get user record: Invalid argument

  2. With that same username, every successful authentication in gdm
  will loop back to gdm again instead of starting gnome, making the user
  unable to login.

  Making useradd fail (unless --badnames is set) when a fully numeric
  name is used will make the default OS behavior consistent.

  [Other info]

  - Upstream does not support fully numeric usernames
  - useradd has a --badnames parameter that would still allow the use of these type of names

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+subscriptions

More information about the foundations-bugs mailing list