On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote:
> On Sun, 5 Feb 2017, John McGuigan wrote:
> > I've noticed something strange in adduser -- when attempting to add a 
> > user completely through command line argument it seems to corrupt the 
> > entry in /etc/master.passwd.
> > 
> > Example:
> > 
> > $ echo "HorseBatteryStaple" | encrypt
> > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > 
> > # adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > -message no -batch some.user "" "Some User" \
> > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > Added user ``some.user''
> ...
> > some.user:b/bin/ksh9/9uoOrbTRaf//3ZprAb9k.hOpfe9vYVqjf1a:5000:5000:: \
> > 0:0:Some User:/home/some.user:/bin/ksh
> > 
> > As you can see the password entry gets corrupted with a 'b/bin/ksh...'
> 
> Let's see what the adduser command is seeing by passing that all to 'echo' 
> instead:
> 
> # echo \
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > -message no -batch some.user "" "Some User" \
> > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message no 
> -batch some.user  Some User b/bin/ksh9/FGXw.9oNjr3BLTS7DJp5n4M2
> #
> 
> Ah, so the expansion is happening *outside* of adduser...in the shell.  
> Yes, the shell does variable expansion even if the dollar-sign is in the 
> middle of a word, so it's expanding the variables
>       $2                              --> ""
>       $0                              --> "/bin/ksh"
>       $ssZSLC6laHsTS7O2FwJ4Mufw6mSS   --> ""
> 
> 
> > Behavior *is* present when hash is wrapped in "
> 
> Sure, because double-quotes only stop file-globbing and field splitting 
> and not variable expansion.  You need single quotes for that:
> 
> # echo \
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > -message no -batch some.user "" "Some User" \
> > '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
> adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message no 
> -batch some.user  Some User 
> $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> #

The adduser.8 manual page has an example with no quotes in it, so we
should fix that.  Also, let's use a new hash using $2b$ instead of $2a$.

Index: adduser.8
===================================================================
RCS file: /var/cvs/src/usr.sbin/adduser/adduser.8,v
retrieving revision 1.44
diff -u -p -r1.44 adduser.8
--- adduser.8   24 Dec 2015 16:54:37 -0000      1.44
+++ adduser.8   6 Feb 2017 05:49:00 -0000
@@ -373,7 +373,7 @@ The password has been created using
 .Xr encrypt 1 :
 .Bd -literal -offset indent
 # adduser -batch falken guest,staff,beer 'Prof. Falken' \e
-    $2a$06$1Sdjxjoxg4cNmT6zAxriGOLgdLXQ3HdJ2dKBbzEk68jSrO1EtLJ3C
+    '$2b$10$aOadQNznQ1YJFnqNaRRneOvYvZAEO7atYiTND3EsLf6afHT5t1UIK'
 .Ed
 .Pp
 Create user
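
Review bot: The added example line now single-quotes the hash, but the sentence above the display ("The password has been created using .Xr encrypt 1 :") still gives no reason for the quotes, so a reader adapting the example can drop them or switch to double quotes and get a silently mangled password field. Consider adding a sentence before the .Bd block saying that the encrypted password must be enclosed in single quotes because the shell expands '$' in unquoted and double-quoted words. The replacement hash also raises the cost from 06 to 10 in addition to moving from $2a$ to $2b$; worth stating in the commit message if that is intended.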

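The quoting behaviour worked out in this thread, as an added example that is not part of the original messages or of adduser itself: it shows what the shell passes on for the double-quoted and single-quoted forms and checks each against the bcrypt shape before it would reach adduser. The function names `is_bcrypt_hash`, `double_quoted` and `single_quoted` are hypothetical; the hash is the one posted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of adduser.
# Sample input: the bcrypt hash posted earlier in this thread.
HASH='$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'

# Succeed only if $1 looks like a bcrypt hash: "$2a$" or "$2b$",
# a two-digit cost, "$", then 53 characters from [./A-Za-z0-9].
is_bcrypt_hash() {
    case $1 in
        \$2[ab]\$[0-9][0-9]\$*) ;;
        *) return 1 ;;
    esac
    rest=${1#\$2?\$??\$}          # strip the "$2b$09$" style prefix
    [ "${#rest}" -eq 53 ] || return 1
    case $rest in
        *[!./A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Double quotes: the shell still expands $2, $0 and $ssZSLC6... first.
double_quoted() {
    printf '%s\n' "$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2"
}

# Single quotes: every "$" reaches the command unchanged.
single_quoted() {
    printf '%s\n' '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
}

# Check each form the way a wrapper script could before running adduser.
for form in double_quoted single_quoted; do
    value=$($form)
    if is_bcrypt_hash "$value"; then verdict=ok; else verdict=MANGLED; fi
    printf '%-14s %-8s %s\n' "$form" "$verdict" "$value"
done
```

A provisioning script can run the same check on the hash argument and refuse to call adduser when it fails, which catches the mangled value before it is written to /etc/master.passwd.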