fix(users): harden password hash handling in ModifyPasswd

ComixHe · ComixHe · commit 58dd5fd3ba2c · 2026-05-25T11:47:23.000+08:00
Validate password crypt hashes and username before invoking
chpasswd to reject invalid characters and malformed input
per crypt(5) and useradd's username validation rules.

Also improve process isolation and sensitive data handling by clearing
the child environment, switching to an explicit stdin pipe flow, and
zeroing the temporary password buffer after use.

Additionally, avoid exposing detailed backend errors to callers to
reduce information disclosure risks.

Signed-off-by: ComixHe &lt;heyuming@deepin.org&gt;
diff --git a/accounts1/users/prop.go b/accounts1/users/prop.go
@@ -20,9 +20,7 @@ import (
 	libdate "github.com/rickb777/date"
 )
 
-var (
-	errInvalidParam = fmt.Errorf("Invalid or empty parameter")
-)
+var errInvalidParam = fmt.Errorf("Invalid or empty parameter")
 
 var (
 	groupFileTimestamp int64 = 0
@@ -157,25 +155,152 @@ func ModifyShell(shell, username string) error {
 	return doAction(userCmdModify, []string{"-s", shell, username})
 }
 
+// IsValidCryptHash validates the format of a crypt password hash string.
+// It enforces printable ASCII boundaries and blocks high-risk delimiters.
+// from: https://manpages.debian.org/unstable/libcrypt-dev/crypt.5.en.html
+func IsValidCryptHash(hash string) error {
+	if hash == "" {
+		return errors.New("password hash is empty")
+	}
+
+	for i := 0; i < len(hash); i++ {
+		b := hash[i]
+
+		// This keeps the error generic and avoids leaking hash structure details.
+		if b < 32 || b > 126 {
+			return errors.New("password hash contains non-printable ASCII characters")
+		}
+
+		switch b {
+		case ' ', ':', ';', '*', '!', '\\':
+			return errors.New("password hash contains forbidden characters")
+		}
+	}
+
+	return nil
+}
+
+// IsValidName validates the input username.
+// It follows useradd's strict rules instead of adduser's NAME_REGEX
+// to prevent control flow injection (e.g., line/field truncation)
+// when feeding "username:password" into chpasswd via stdin.
+// from: https://github.com/shadow-maint/shadow/blob/710c4d4f88fa32dfc4c4d1f714e935d8bff6ae00/lib/chkname.c#L103
+func isValidUsername(name string) error {
+	if len(name) > LoginNameMaxSize() {
+		return errors.New("user name too long")
+	}
+
+	if name == "" || name == "." || name == ".." {
+		return errors.New("username can't be '.' or '..' or empty")
+	}
+
+	if strings.Trim(name, "-") == "" {
+		return errors.New("username cannot consist entirely of hyphens")
+	}
+
+	if strings.ContainsAny(name, " \"#',/:;") {
+		return errors.New("username contains forbidden characters (space, \", #, ', ,, /, :, ;)")
+	}
+
+	isAllDigit := true
+	for i := 0; i < len(name); i++ {
+		ch := name[i]
+		if ch <= 0x1F || ch == 0x7F {
+			return errors.New("username cannot contain control characters")
+		}
+
+		if ch < '0' || ch > '9' {
+			isAllDigit = false
+		}
+	}
+
+	if isAllDigit {
+		return errors.New("username cannot consist entirely of digits")
+	}
+
+	// below check follows BRE: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
+	first := name[0]
+	isFirstValid := (first >= 'a' && first <= 'z') ||
+		(first >= 'A' && first <= 'Z') ||
+		(first >= '0' && first <= '9') ||
+		first == '_' ||
+		first == '.'
+	if !isFirstValid {
+		return errors.New("first character must be alphanumeric, underscore, or dot")
+	}
+
+	for i := 1; i < len(name); i++ {
+		ch := name[i]
+
+		isValidChar := (ch >= 'a' && ch <= 'z') ||
+			(ch >= 'A' && ch <= 'Z') ||
+			(ch >= '0' && ch <= '9') ||
+			ch == '_' ||
+			ch == '.' ||
+			ch == '-'
+
+		if isValidChar {
+			continue
+		}
+
+		if ch == '$' && i == len(name)-1 {
+			continue
+		}
+
+		return errors.New("username contains invalid characters or '$' is not at the end")
+	}
+
+	return nil
+}
+
 func ModifyPasswd(words, username string) error {
-	if len(words) == 0 {
-		return errInvalidParam
+	if words == "" || username == "" {
+		return errors.New("password hash or username is empty")
 	}
-	// 防止命令注入
-	if strings.ContainsAny(words, "\n\r") || strings.ContainsAny(username, "\n\r:") {
-		return errInvalidParam
+
+	if err := isValidUsername(username); err != nil {
+		return fmt.Errorf("username is invalid: %w", err)
+	}
+
+	if err := IsValidCryptHash(words); err != nil {
+		return fmt.Errorf("invalid password hash: %w", err)
 	}
 
 	cmd := exec.Command(pwdCmdModify, "-e")
-	input := fmt.Sprintf("%s:%s\n", username, words)
-	cmd.Stdin = bytes.NewBufferString(input)
+	cmd.Env = []string{}
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return fmt.Errorf("failed to create stdin pipe: %w", err)
+	}
 
 	var stderr bytes.Buffer
 	cmd.Stderr = &stderr
 
-	err := cmd.Run()
-	if err != nil {
-		return fmt.Errorf("failed to modify password: %v, %s", err, stderr.String())
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("failed to start command: %w", err)
+	}
+
+	// Write the password hash to stdin
+	input := []byte(username + ":" + words + "\n")
+	_, writeErr := stdin.Write(input)
+	for i := range input {
+		input[i] = 0
+	}
+
+	if len(input) > 0 && input[0] != 0 {
+		_ = input[0] // forbid DCE and ensure input is zeroed out
+	}
+
+	stdin.Close()
+
+	if writeErr != nil {
+		_ = cmd.Process.Kill()
+		return fmt.Errorf("failed to write to stdin: %w", writeErr)
+	}
+
+	if err := cmd.Wait(); err != nil {
+		return errors.New("failed to update system password configuration")
 	}
 
 	return nil
diff --git a/accounts1/users/user.go b/accounts1/users/user.go
@@ -0,0 +1,26 @@
+package users
+
+/*
+#include <unistd.h>
+#include <limits.h>
+
+#ifndef LOGIN_NAME_MAX
+#define LOGIN_NAME_MAX 256
+#endif
+
+long get_login_name_max() {
+    long conf = -1;
+    conf = sysconf(_SC_LOGIN_NAME_MAX);
+
+    if (conf == -1) {
+        conf = LOGIN_NAME_MAX;
+    }
+
+    return conf;
+}
+*/
+import "C"
+
+func LoginNameMaxSize() int {
+	return int(C.get_login_name_max())
+}
