[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1101196: installation-reports: Trixie Installer fails to create first user when full name contains non-ASCII characters and spaces



On Wed, Mar 26, 2025 at 08:54:09PM +0100, Pascal Hambourg wrote:
On 24/03/2025 at 20:29, Cyril Brulebois wrote:

Oh wow, that's indeed badly broken, and will need fixing before the next
release. Reproduced locally with a 'û' in my last name:

    Mar 24 19:17:59 finish-install: info: Running /usr/lib/finish-install.d/06user-setup
    Mar 24 19:17:59 user-setup: Shadow passwords are now on.
    Mar 24 20:17:59 chpasswd[8387]: pam_unix(chpasswd:chauthtok): password changed for root
    Mar 24 19:17:59 user-setup: invalid characters in Cyril Br\x{fffd}\x{fffd}lebois at /usr/share/perl5/Debian/AdduserCommon.pm line 141.
(...)
No feedback during the installation process, just silent failure to
create the user. :(

Looping in adduser people for awareness and maybe tips. A quick look at
adduser.git suggests sanitation got added end 2024/beginning 2025…

If adduser exists in the target system then user-setup runs

 adduser --disabled-password --gecos "$fullname" "$user" || true

else it runs

 useradd -c "$fullname" -m "$user" || true

What is the advantage of calling adduser instead of useradd ?

Adduser is the Debian way of adding users. useradd has grown additional capabilities in the three decades since adduser was invented, so the difference is not so big any more.

IIUC adduser's new sanitation regex for the 'comment' (ex-gecos) value) is defined by:

 commentre => qr/["-_\.+!\$%&()\]\[;0-9a-zA-Z\/ ]*/

It looks like only ASCII characters are allowed. Oddly, adduser allows non ASCII characters in interactive mode. useradd does not seem to have such restriction for -c.

In interactive mode, it just calls chfn an lets it do the work.

I am open to changing that regexp in adduser. Probably I haven't been giving appropriate thought about that when introducing the code to adduser that allows it to run in perl's taint mode. Adduser's test suite should probably test for weird characters in the comment field as well.

Possible options may include:
- align adduser's comment sanitation regex on useradd

Yes. That would be the way to go. I am open for suggestions. We should probably allow the complete UTF-8 range (short of control characters) here.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421


Reply to: