userutils issues
https://gitlab.redox-os.org/redox-os/userutils/-/issues
2021-01-01T01:34:45Z

Move AllGroupsExt into redox_users and Prevent Unintended Behavior
https://gitlab.redox-os.org/redox-os/userutils/-/issues/37
2021-01-01T01:34:45Z
SamwiseFilmore (mggmugginsmc@gmail.com)

I think the functionality that's provided by `AllGroupsExt` is valuable enough that it could possibly be used by other users of redox_users. It should probably be moved out of this crate and into that one.
@omac777 brought up a couple of good points:
> - for atomicity's sake, all groups should exist before you add the user to the existing groups
> - ensure when adding user to a group, the user should not [be in the group] beforehand. [If] the user already exists, return an error condition useralreadyexists of some sort and recover gracefully continuing to add the user to other groups.
>
> There's a chance without doing the above that you will be adding the user to some groups, but the non-existing group will fail the operation and the user might not get added to the remaining existing groups.
>
> There's a chance that you might double-add a user to a group the way things are read.

For all the situations in this crate, error conditions are always fatal. However, if/when these functions get moved, they should be improved in these ways to prevent these situations from happening, since one of these returning an error condition doesn't necessarily prevent a `save` being called.

Unexpected error when deleting user
https://gitlab.redox-os.org/redox-os/userutils/-/issues/38
2023-11-26T11:16:39Z
Curious (curious@curious.host)

As shown in the screenshot, `userdel -r` can't delete the homedir which is not empty, hence the user delete will fail.
And we can't create a user with the same name as the deleted one, because the group is not deleted together.
![image.png](/uploads/83629d44f367fc986b6fb4be49856791/image.png)

Backspaces handled incorrectly in the login password prompt
https://gitlab.redox-os.org/redox-os/userutils/-/issues/36
2018-10-29T14:34:44Z
Nagy Tibor (xnagytibor@gmail.com)

Pressing backspace in the login password prompt only seems to remove the last byte of the password, not the last typed UTF-8 character. When that character is a multi-byte UTF-8 character this could result in an `incomplete utf-8 byte sequence from index 0` error.
**Reproduction:**
`redox login:` <kbd>r</kbd> <kbd>o</kbd> <kbd>o</kbd> <kbd>t</kbd> <kbd>Enter</kbd>
`password:` <kbd>[ű](http://unicode.org/cldr/utility/character.jsp?a=0171)</kbd> <kbd>Backspace</kbd> <kbd>Enter</kbd>
I could only reproduce it from an external terminal (Konsole).

Sudo
https://gitlab.redox-os.org/redox-os/userutils/-/issues/31
2023-10-08T10:19:23Z
SamwiseFilmore (mggmugginsmc@gmail.com)

A few things I thought I should document in an issue:
~~Wondering if I should remove arg parsing from `login` completely, since there is only `--help`, and it only prints the man page right now. Would simplify that significantly.~~
I'm also thinking about dropping `sudo` from this crate, for a few reasons:
- `sudo` is a bigger program than many think, and implementing sudo correctly takes a lot of effort. You need to have the configuration file, and some command line options, probably sudoedit, etc.
- For packaging reasons: many OSes package sudo separately from other utilities or coreutils.
rudo might be an alternative, although it's PAM based so we'd either need to impl PAM for redox or port PAM, neither of which I'd be thrilled about doing, or building a different backend into rudo for redox_users. @shawnanastasio I guess I should mention you on this one since rudo is your program...

Input validation in useradd
https://gitlab.redox-os.org/redox-os/userutils/-/issues/35
2021-11-02T17:15:06Z
Jeremy Soller

*Created by: xTibor*
`useradd` doesn't seem to validate its input arguments. Usernames containing newlines and semicolons can corrupt the `group` and `passwd` files.
**Example:**
```
user:~# sudo useradd "aaa
bbb
ccc"
```
```
user:~# cat /etc/group
root;0;root
user;1000;user
sudo;1;user
aaa
bbb
ccc;1001;aaa
bbb
ccc
```
```
user:~# cat /etc/passwd
root;$argon2i$m=4096,t=10,p=1$Tnc4UVV0N00$ML9LIOujd3nmAfkAwEcSTMPqakWUF0OUiLWrIy0nGLk;0;0;root;file:/root;file:/bin/ion
user;;1000;1000;user;file:/home/user;file:/bin/ion
aaa
bbb
ccc;!;1001;1001;aaa
bbb
ccc;/;file:/bin/ion
```

User enumeration at login
https://gitlab.redox-os.org/redox-os/userutils/-/issues/34
2018-06-13T19:39:51Z
Jeremy Soller

*Created by: xTibor*
The `login` program is vulnerable to user enumeration. It only asks for a password and does a timeout when the specified user account exists, thus allowing malicious actors to brute force the possible users at a rate of hundreds of usernames per second. (when login asks for a password = valid user on the system).
**Demo:**
https://www.youtube.com/watch?v=7XfipgWmpxM
**Possible fix:**
Ask for a password and do a timeout even if the specified user doesn't exist.

Compile issues with Cargo and getty
https://gitlab.redox-os.org/redox-os/userutils/-/issues/18
2018-06-13T19:39:51Z
SamwiseFilmore (mggmugginsmc@gmail.com)

I get a lot of mismatched type errors with `getty` when I compile the repo with `cargo build`. When userutils is built as a part of cookbook, then it builds and deploys fine. All the errors are either "expected usize, found i32" or "expected i32, found usize". Any thoughts/ideas?