From 4d19e0af572486ff0cd38b365dfc7411a8207837 Mon Sep 17 00:00:00 2001 From: Joe Rayhawk Date: Sun, 24 Apr 2011 13:28:25 -0700 Subject: Adding new <32 character limit to usernames --- docs/architecture/data.mdwn | 4 ++-- docs/issues/repo_name_limit.mdwn | 2 +- libpiny/lib/Piny/User.pm | 4 ++-- pinyadmin/sbin/newuser | 8 ++++---- pinyweb/suid/piny-suid.c | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/architecture/data.mdwn b/docs/architecture/data.mdwn index c86ec15..cc824ab 100644 --- a/docs/architecture/data.mdwn +++ b/docs/architecture/data.mdwn @@ -4,11 +4,11 @@ Dynamic data lookup should opportunisticly cache any associated cheap data. For [[!table format=dsv delimiter=# data=""" datum #stored location #constraint -username #usually $ENV{SUDO_USER} # !~ /^git-|^iki-/ and =~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ +username #usually $ENV{SUDO_USER} # !~ /^git-|^iki-/ and =~ /^[a-zA-Z][a-zA-Z0-9_.-]{0,30}$/ uid #/etc/passwd # None email #/etc/passwd GECOS #Email::Valid::Loose->new("-fqdn" => 1, "-fudge" => 0, "-local_rules" => 0, "-mxcheck" => 1, "-tldcheck" => 0 ); repoaccess #/etc/group git-$reponame entry # None -reponame #/srv/git/$reponame.git # =~ /^[a-z0-9][a-z0-9.-]+$/ +reponame #/srv/git/$reponame.git # =~ /^[a-z0-9][a-z0-9.-]*$/ repodescription #/srv/git/$reponame.git/description # =~ /^[\x{0020}-\x{FDCF}\x{FDF0}-\x{FFFD}]{1,80}$/ repoowner #stat /srv/git/$reponame.git/objects uid; might be better as first non-ikiwiki user in /etc/group git-$reponame entry # None repoglobalwritable #stat /srv/git/$reponame.git/objects o+w bit # None diff --git a/docs/issues/repo_name_limit.mdwn b/docs/issues/repo_name_limit.mdwn index 68a77f5..6059178 100644 --- a/docs/issues/repo_name_limit.mdwn +++ b/docs/issues/repo_name_limit.mdwn 
@@ -4,6 +4,6 @@ * Opened by: jrayhawk ### Discussion -Problem: Repository names are restricted to 24 characters by the groupname limit in libc6 plus our use of the iki- prefix. +Problem: Repository names are restricted to 28 characters by the groupname limit in libc6 plus our use of the iki- prefix. Possible solution: optional use of truncated md5 (the first character needing to be a letter) hash of reponame as groupnames, restriction of usernames to 31 characters to keep namespaces isolated, check in newrepo for hash collision before actions are taken diff --git a/libpiny/lib/Piny/User.pm b/libpiny/lib/Piny/User.pm index f742f87..90742e7 100644 --- a/libpiny/lib/Piny/User.pm +++ b/libpiny/lib/Piny/User.pm @@ -18,8 +18,8 @@ use Piny::Group; subtype 'Username' => as 'Str' - => where { $_ =~ /^(?!(git|iki)-)[a-zA-Z][a-zA-Z0-9_.-]*$/ } - => message { if ( /^((?:git|iki)-|[^a-zA-Z])/ ) { "Usernames are not allowed to begin with $1" } elsif ( /([^a-zA-Z0-9_.-])/ ) { "Usernames are not allowed to contain $1" } else { "Invalid username" } } + => where { $_ =~ /^(?!(git|iki)-)[a-zA-Z][a-zA-Z0-9_.-]{0,30}$/ } + => message { if ( /^((?:git|iki)-|[^a-zA-Z])/ ) { "Usernames are not allowed to begin with $1" } elsif ( /([^a-zA-Z0-9_.-])/ ) { "Usernames are not allowed to contain $1" } elsif ( /[a-zA-Z0-9_.-]{32,}/ ) { "Usernames are not allowed to be more than 31 bytes" } else { "Invalid username" } } ; # Attributes diff --git a/pinyadmin/sbin/newuser b/pinyadmin/sbin/newuser index 7b864b7..a6bcf4d 100755 --- a/pinyadmin/sbin/newuser +++ b/pinyadmin/sbin/newuser 
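Review bot: The new `where` pattern of the `Username` subtype is anchored with `^…$`, and in Perl `$` also matches before a trailing newline, so an otherwise valid name followed by `\n` still satisfies the constraint and is one byte longer than the stated limit. Anchoring with `\A` and `\z` closes that: `=> where { $_ =~ /\A(?!(git|iki)-)[a-zA-Z][a-zA-Z0-9_.-]{0,30}\z/ }`. The same `^…$` anchoring is used by the rewritten checks in both `pinyadmin/sbin/newuser` hunks (`@@ -80,8` and `@@ -119,8`). The POSIX pattern in `piny-suid.c` is compiled without `REG_NEWLINE` and so should already reject the newline, which means the Perl and C checks currently accept slightly different sets of names.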
@@ -80,8 +80,8 @@ if ( scalar @ARGV == 3 and $ARGV[0] eq "--batch" ) { next; }; - if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ ) { - print "Usernames must consist only of letters, digits, underscores, periods, and dashes, and not start with a dash. Usernames are case sensitive.\n"; + if ( $username !~ /^[a-zA-Z][a-zA-Z0-9_.-]{0,30}$/ ) { + print "Usernames must be less than 32 bytes long, consist only of letters, digits, underscores, periods, and dashes, and must start with a letter. Usernames are case sensitive.\n"; next }; @@ -119,8 +119,8 @@ if ( scalar @ARGV == 3 and $ARGV[0] eq "--batch" ) { # pathways to get to this point, but only a single path from here on down. if ( not defined $email or $email eq "" ) { print "Email address is undefined!\n"; exit 3; }; if ( not defined $username or $username eq "" ) { print "Username is undefined!\n"; exit 3; }; -if ( $username =~ /^(git|iki)-/ ) { print "Username must not begin with git- or iki-!\n"; exit 3; }; -if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ ) { print "Usernames must consist only of letters, digits, underscores, periods, and dashes, and not start with a dash. Usernames are case sensitive.\n" }; +if ( $username =~ /^(git|iki)-/ ) { print "Username must not begin with git- or iki-!\n"; exit 3; }; +if ( $username !~ /^[a-zA-Z][a-zA-Z0-9_.-]{0,30}$/ ) { print "Usernames must be less than 32 bytes long, consist only of letters, digits, underscores, periods, and dashes, and must start with a letter. Usernames are case sensitive.\n" }; if ( not defined $password or $password eq "" ) { print "Password is undefined!\n"; exit 3; }; # Here on down is the actual creation code. diff --git a/pinyweb/suid/piny-suid.c b/pinyweb/suid/piny-suid.c index 0fbaddb..40c497f 100644 --- a/pinyweb/suid/piny-suid.c +++ b/pinyweb/suid/piny-suid.c 
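Review bot: The rewritten format check in the `@@ -119,8` hunk only prints its message and then falls through, because its block has no `exit 3;` unlike the email, undefined-username, prefix and password checks around it. As far as the hunk shows, a username that reaches this point without passing the interactive loop (the `--batch` path, presumably) and fails the new 31-character limit is reported but still handed to the creation code below. The block should end `... Usernames are case sensitive.\n"; exit 3; };`. The omission predates this commit, but the new limit is not enforced here without it; the script continues outside the hunk.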
@@ -22,7 +22,7 @@ int main( int argc, char *argv[] ) { regex_t user_reg; // Please note that these regular expressions should duplicate the language for usernames described in Piny::User. - if ( ( err = regcomp( &user_reg, "^[a-zA-Z][a-zA-Z0-9_.-]*$", REG_EXTENDED | REG_NOSUB ) ) != 0 ) { + if ( ( err = regcomp( &user_reg, "^[a-zA-Z][a-zA-Z0-9_.-]{0,30}$", REG_EXTENDED | REG_NOSUB ) ) != 0 ) { size_t sz = regerror( err, &user_reg, NULL, 0 ); char buf[sz]; regerror( err, &user_reg, buf, sz ); -- cgit v1.2.3
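Review bot: The comment above `regcomp` says this pattern should duplicate the username language of Piny::User, but the updated pattern still has no equivalent of the `(?!(git|iki)-)` exclusion that the `Username` subtype enforces, since POSIX ERE has no lookahead. Unless those prefixes are rejected elsewhere in `main` (its body continues outside the hunk), the setuid helper accepts names that the Perl layer refuses. I would add an explicit comparison against `"git-"` and `"iki-"` next to the regex match and extend the comment to say so, e.g. `// Keep in sync with the Username subtype in Piny::User; the git-/iki- prefix ban is checked separately because ERE has no lookahead.`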