Input validation in useradd
Created by: xTibor
usedadd
doesn't seem to validate its input arguments. Usernames containing newlines and semicolons can corrupt the group
and passwd
files.
Example:
user:~# sudo useradd "aaa
bbb
ccc"
user:~# cat /etc/group
root;0;root
user;1000;user
sudo;1;user
aaa
bbb
ccc;1001;aaa
bbb
ccc
user:~# cat /etc/passwd
root;$argon2i$m=4096,t=10,p=1$Tnc4UVV0N00$ML9LIOujd3nmAfkAwEcSTMPqakWUF0OUiLWrIy0nGLk;0;0;root;file:/root;file:/bin/ion
user;;1000;1000;user;file:/home/user;file:/bin/ion
aaa
bbb
ccc;!;1001;1001;aaa
bbb
ccc;/;file:/bin/ion