Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

useradd command fail with bad usernames #90

Open
eroussy opened this issue Dec 22, 2022 · 2 comments
Open

useradd command fail with bad usernames #90

eroussy opened this issue Dec 22, 2022 · 2 comments

Comments

@eroussy
Copy link
Contributor

eroussy commented Dec 22, 2022

Original problem

When running a cqfd run with the username "test@test", I get this error :

useradd: invalid user name 'test@test': use --badname to ignore
error: useradd command failed.

.cqfdrc

[project]
org='orgt'
name='name'

[build]
command='echo command build'

.cqfd/docker/Dockerfile

FROM fedora:36
ENV DEBIAN_FRONTEND noninteractive

Investigation

By using special options when creating a user, it is technically possible to use '@' and '$' characters in Linux usernames.

When launching docker, cqfd use the useradd command to create a user with the same username as the user who launched the cqfd command.
If this username contains '@' or '$' the useradd command will fail, but only on some systems :

  • Fedora and Arch Linux failed displaying the error above
  • Ubuntu doesn't fail

One possible fix would be to add the --badnames option to useradd in the make_launcher function to make it accept bad usernames. But old Linux distributions (ex : Ubuntu 14, 16 and 18 ) doesn't recognize this option.

TL;DR : For now, only Ubuntu images works with bad usernames
@joufellasfl joufellasfl mentioned this issue Dec 22, 2022
Closed
@joufella
Copy link
Member

This has two impacts, the first is the username is used for docker image naming (eg. cqfd_username_orgname_projectname), the second is it's passed within the Linux container for user environment cloning.

For naming the docker image, I see two approaches,

  • either we block cqfd execution if the username is not POSIX compliant. This will solve both issues, but may cause issues eg. in AD environments where usernames tend to have a domain+separator prefix)
  • or we sanitize the username prior to it being consumed for image naming

For the container runtime part, we should be able to find a proper username passing mechanism, however we need to make sure it works with containers like Alpine which don't use glibc, in this case we'd better stopping execution as described above.

@eroussy
Copy link
Contributor Author

eroussy commented Dec 22, 2022
edited
Loading

I open the issue a bit too early, a patch for the docker image naming is on the way. I choose to simply replace every problematic characters with an underscore.

However, the runtime problem doesn't seems too simple in my opinion. I didn't find a proper way to patch it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joufella @eroussy