[PATCH] bug #10981: adduser -D behavior
Tito
farmatito at tiscali.it
Wed Feb 12 13:39:08 UTC 2020
On 2/11/20 3:36 PM, Eli Schwartz wrote:
> On 2/11/20 8:13 AM, Donovan Keohane wrote:
>> In adduser in coreutils, the behavior of --disabled-password sets the
>> users hash in /etc/shadow to a single asterisk. It looks like busybox
>> adduser '-D' option is supposed to be analogous to the behavior of
>> coreutils '--disabled-password'.
Hi,
bb's adduser was implemented and modified to mimic the behavior
that at the time debian's adduser showed for the simple reason
that at least for me using debian it was easier to test it that way.
For more info on debian's adduser see the attached man page.
This is also the reason that some defaults chosen are very
debianish but also sane and fit most of the use cases.
Command line options allow to manage corner cases and
other desired behaviors.
The -D option is more or less a synthesis of this two adduser options
(can't say if they existed both in the past):
--disabled-login
Do not run passwd to set the password. The user won't be able to use her account until the password is set.
--disabled-password
Like --disabled-login, but logins are still possible (for example using SSH RSA keys) but not using password authentication.
and it was first introduced with commit:
https://git.busybox.net/busybox/commit/loginutils/adduser.c?id=f0f754aeaf47b416abba8206dd2632cf24bb94a3 in 2003
The default passwd was static const char default_passwd[] = "x" for /etc/passwd
and fprintf(shadow, "%s:!:%ld:%ld:%ld:%ld:::\n" in /etc/shadow if shadow password support
was enabled.
At that time size did matter and If I recall correctly bb didn't
support long options yet but debian's adduser only had long options
therefore the options were chosen arbitrarily by the developers and stayed
like that for the last 17 years.
Hope this helps.
Ciao,
Tito
>
> There is no coreutils "adduser" utility. util-linux does provide a
> "useradd" utility, but it does not have any --disabled-password option.
> On my Arch Linux system I cannot find any package which provides an
> "adduser" utility at all, except for busybox which provides some
> nonstandard applet in its multi-call binary, something the usual
> repository search tool cannot pick up.
>
> I would have expected busybox adduser -D (why does this exist in a form
> so different from the useradd command? At least it doesn't share the
> same name, that would be confusing... then again I guess that is why the
> unusual name) to do exactly what it I guess does, that is to say, it
> disables the feature of automatically prompting for a password, which
> means you will need to manually "passwd"/"chpasswd" in order to login.
> This emulates the default behavior of util-linux useradd, which creates
> an account with a disabled password, and expects you to passwd and
> change it.
>
> Is there a problem with this behavior?
-------------- next part --------------
ADDUSER(8) System Manager's Manual ADDUSER(8)
NAME
adduser, addgroup - add a user or group to the system
SYNOPSIS
adduser [options] [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID] [--firstuid ID] [--lastuid ID] [--ingroup GROUP | --gid ID] [--disabled-password] [--disabled-login] [--gecos GECOS] [--add_extra_groups] user
adduser --system [options] [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID] [--group | --ingroup GROUP | --gid ID] [--disabled-password] [--disabled-login] [--gecos GECOS] user
addgroup [options] [--gid ID] group
addgroup --system [options] [--gid ID] group
adduser [options] user group
COMMON OPTIONS
[--quiet] [--debug] [--force-badname] [--help|-h] [--version] [--conf FILE]
DESCRIPTION
adduser and addgroup add users and groups to the system according to command line options and configuration information in /etc/adduser.conf. They are friendlier front ends to the low level tools like useradd, groupadd and
usermod programs, by default choosing Debian policy conformant UID and GID values, creating a home directory with skeletal configuration, running a custom script, and other features. adduser and addgroup can be run in one
of five modes:
Add a normal user
If called with one non-option argument and without the --system or --group options, adduser will add a normal user.
adduser will choose the first available UID from the range specified for normal users in the configuration file. The UID can be overridden with the --uid option.
The range specified in the configuration file may be overridden with the --firstuid and --lastuid options.
By default, each user in Debian GNU/Linux is given a corresponding group with the same name. Usergroups allow group writable directories to be easily maintained by placing the appropriate users in the new group, setting the
set-group-ID bit in the directory, and ensuring that all users use a umask of 002. If this option is turned off by setting USERGROUPS to no, all users' GIDs are set to USERS_GID. Users' primary groups can also be overrid‐
den from the command line with the --gid or --ingroup options to set the group by id or name, respectively. Also, users can be added to one or more groups defined in adduser.conf either by setting ADD_EXTRA_GROUPS to 1 in
adduser.conf, or by passing --add_extra_groups on the commandline.
adduser will create a home directory subject to DHOME, GROUPHOMES, and LETTERHOMES. The home directory can be overridden from the command line with the --home option, and the shell with the --shell option. The home direc‐
tory's set-group-ID bit is set if USERGROUPS is yes so that any files created in the user's home directory will have the correct group.
adduser will copy files from SKEL into the home directory and prompt for finger (gecos) information and a password. The gecos may also be set with the --gecos option. With the --disabled-login option, the account will be
created but will be disabled until a password is set. The --disabled-password option will not set a password, but login is still possible (for example with SSH RSA keys).
If the file /usr/local/sbin/adduser.local exists, it will be executed after the user account has been set up in order to do any local setup. The arguments passed to adduser.local are:
username uid gid home-directory
The environment variable VERBOSE is set according to the following rule:
0 if --quiet is specified
1 if neither
--quiet nor --debug is specified
2 if --debug is specified
(The same applies to the variable DEBUG, but DEBUG is deprecated and will be removed in a later version of adduser.)
Add a system user
If called with one non-option argument and the --system option, adduser will add a system user. If a user with the same name already exists in the system uid range (or, if the uid is specified, if a user with that uid al‐
ready exists), adduser will exit with a warning. This warning can be suppressed by adding --quiet.
adduser will choose the first available UID from the range specified for system users in the configuration file (FIRST_SYSTEM_UID and LAST_SYSTEM_UID). If you want to have a specific UID, you can specify it using the --uid
option.
By default, system users are placed in the nogroup group. To place the new system user in an already existing group, use the --gid or --ingroup options. To place the new system user in a new group with the same ID, use the
--group option.
A home directory is created by the same rules as for normal users. The new system user will have the shell /usr/sbin/nologin (unless overridden with the --shell option), and have logins disabled. Skeletal configuration
files are not copied.
Add a user group
If adduser is called with the --group option and without the --system option, or addgroup is called respectively, a user group will be added.
A GID will be chosen from the range specified for system GIDS in the configuration file (FIRST_GID, LAST_GID). To override that mechanism you can give the GID using the --gid option.
The group is created with no users.
Add a system group
If addgroup is called with the --system option, a system group will be added.
A GID will be chosen from the range specified for system GIDS in the configuration file (FIRST_SYSTEM_GID, LAST_SYSTEM_GID). To override that mechanism you can give the GID using the --gid option.
The group is created with no users.
Add an existing user to an existing group
If called with two non-option arguments, adduser will add an existing user to an existing group.
OPTIONS
--conf FILE
Use FILE instead of /etc/adduser.conf.
--disabled-login
Do not run passwd to set the password. The user won't be able to use her account until the password is set.
--disabled-password
Like --disabled-login, but logins are still possible (for example using SSH RSA keys) but not using password authentication.
--force-badname
By default, user and group names are checked against the configurable regular expression NAME_REGEX specified in the configuration file. This option forces adduser and addgroup to apply only a weak check for validity
of the name. NAME_REGEX is described in adduser.conf(5).
--gecos GECOS
Set the gecos field for the new entry generated. adduser will not ask for finger information if this option is given.
--gid ID
When creating a group, this option forces the new groupid to be the given number. When creating a user, this option will put the user in that group.
--group
When combined with --system, a group with the same name and ID as the system user is created. If not combined with --system, a group with the given name is created. This is the default action if the program is in‐
voked as addgroup.
--help Display brief instructions.
--home DIR
Use DIR as the user's home directory, rather than the default specified by the configuration file. If the directory does not exist, it is created and skeleton files are copied.
--shell SHELL
Use SHELL as the user's login shell, rather than the default specified by the configuration file.
--ingroup GROUP
Add the new user to GROUP instead of a usergroup or the default group defined by USERS_GID in the configuration file. This affects the users primary group. To add additional groups, see the add_extra_groups option.
--no-create-home
Do not create the home directory, even if it doesn't exist.
--quiet
Suppress informational messages, only show warnings and errors.
--debug
Be verbose, most useful if you want to nail down a problem with adduser.
--system
Create a system user or group.
--uid ID
Force the new userid to be the given number. adduser will fail if the userid is already taken.
--firstuid ID
Override the first uid in the range that the uid is chosen from (overrides FIRST_UID specified in the configuration file).
--lastuid ID
Override the last uid in the range that the uid is chosen from ( LAST_UID )
--add_extra_groups
Add new user to extra groups defined in the configuration file.
--version
Display version and copyright information.
EXIT VALUES
0 The user exists as specified. This can have 2 causes: The user was created by adduser or the user was already present on the system before adduser was invoked. If adduser was returning 0 , invoking adduser a second
time with the same parameters as before also returns 0.
1 Creating the user or group failed because it was already present with other UID/GID than specified. The username or groupname was rejected because of a mismatch with the configured regular expressions, see ad‐
duser.conf(5). Adduser has been aborted by a signal.
Or for many other yet undocumented reasons which are printed to console then. You may then consider to remove --quiet to make adduser more verbose.
FILES
/etc/adduser.conf
Default configuration file for adduser and addgroup
/usr/local/sbin/adduser.local
Optional custom add-ons.
SEE ALSO
adduser.conf(5), deluser(8), groupadd(8), useradd(8), usermod(8), Debian Policy 9.2.2.
COPYRIGHT
Copyright (C) 1997, 1998, 1999 Guy Maor. Modifications by Roland Bauerschmidt and Marc Haber. Additional patches by Joerg Hoh and Stephen Gran.
Copyright (C) 1995 Ted Hajek, with a great deal borrowed from the original Debian adduser
Copyright (C) 1994 Ian Murdock. adduser is free software; see the GNU General Public Licence version 2 or later for copying conditions. There is no warranty.
Debian GNU/Linux Version 3.118 ADDUSER(8)
More information about the busybox
mailing list