nixos/users-groups: Enforce ASCII usernames and fix repeated doubling of activation script runtime (#385904)

2025-07-14 06:00:33 +03:00 · 2025-03-19 17:33:49 +01:00 · 2025-03-19 17:33:49 +01:00 · 4f6e508a09
commit 4f6e508a09
parent fc9fd5f849 b602f86829
2 changed files with 16 additions and 1 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -951,6 +951,21 @@ in {
      }
    ] ++ flatten (flip mapAttrsToList cfg.users (name: user:
      [
+        (
+          let
+            # Things fail in various ways with especially non-ascii usernames.
+            # This regex mirrors the one from shadow's is_valid_name:
+            # https://github.com/shadow-maint/shadow/blob/bee77ffc291dfed2a133496db465eaa55e2b0fec/lib/chkname.c#L68
+            # though without the trailing $, because Samba 3 got its last release
+            # over 10 years ago and is not in Nixpkgs anymore,
+            # while later versions don't appear to require anything like that.
+            nameRegex = "[a-zA-Z0-9_.][a-zA-Z0-9_.-]*";
+          in
+          {
+            assertion = builtins.match nameRegex user.name != null;
+            message = "The username \"${user.name}\" is not valid, it does not match the regex \"${nameRegex}\".";
+          }
+        )
        {
        assertion = (user.hashedPassword != null)
        -> (match ".*:.*" user.hashedPassword == null);