On Sun, 5 Feb 2017, John McGuigan wrote:
> I've noticed something strange in adduser -- when attempting to add a 
> user completely through command line argument it seems to corrupt the 
> entry in /etc/master.passwd.
> 
> Example:
> 
> $ echo "HorseBatteryStaple" | encrypt
> $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> 
> # adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> -message no -batch some.user "" "Some User" \
> $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> Added user ``some.user''
...
> some.user:b/bin/ksh9/9uoOrbTRaf//3ZprAb9k.hOpfe9vYVqjf1a:5000:5000:: \
> 0:0:Some User:/home/some.user:/bin/ksh
> 
> As you can see the password entry gets corrupted with a 'b/bin/ksh...'

Let's see what the adduser command is seeing by passing that all to 'echo' 
instead:

# echo \
> adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> -message no -batch some.user "" "Some User" \
> $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message no 
-batch some.user  Some User b/bin/ksh9/FGXw.9oNjr3BLTS7DJp5n4M2
#

Ah, so the expansion is happening *outside* of adduser...in the shell.  
Yes, the shell does variable expansion even if the dollar-sign is in the 
middle of a word, so it's expanding the variables
        $2                              --> ""
        $0                              --> "/bin/ksh"
        $ssZSLC6laHsTS7O2FwJ4Mufw6mSS   --> ""


> Behavior *is* present when hash is wrapped in "

Sure, because double-quotes only stop file-globbing and field splitting 
and not variable expansion.  You need single quotes for that:

# echo \
> adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> -message no -batch some.user "" "Some User" \
> '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message no 
-batch some.user  Some User 
$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
#


Philip Guenther
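
An added example, not part of the original message: it reproduces the expansion described above using the hash from the thread, and shows that a hash held in a shell variable survives double quotes. The function names and the bcrypt layout check (60 characters: variant, two-digit cost, 53 salt-and-hash characters) are assumptions of this example.

```shell
#!/bin/sh
# Hash copied from the message above; single quotes keep it literal.
HASH='$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'

# Assumed bcrypt layout: $2<variant>$<2-digit cost>$<53 chars of ./A-Za-z0-9>
is_bcrypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# The same text inside double quotes: the shell still expands $2, $0 and
# $ssZSLC6laHsTS7O2FwJ4Mufw6mSS before any command sees the argument.
double_quoted() {
    printf '%s\n' "$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2"
}

# A hash held in a variable is safe in double quotes: the result of
# expanding $HASH is not scanned again for further '$' expansions.
from_variable() {
    printf '%s\n' "$HASH"
}

# Hypothetical guard: emit the argument only if it still looks like a
# bcrypt hash, so a mangled value never reaches the password database.
checked_hash() {
    if is_bcrypt "$1"; then
        printf '%s\n' "$1"
    else
        printf 'refusing malformed hash: %s\n' "$1" >&2
        return 1
    fi
}

printf 'double-quoted literal: %s\n' "$(double_quoted)"
printf 'quoted variable:       %s\n' "$(from_variable)"
checked_hash "$(double_quoted)" 2>/dev/null || echo 'mangled hash rejected'
checked_hash "$HASH" >/dev/null && echo 'intact hash accepted'
```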
