Make forbidden_names much stronger (LP: #2088576).

3 weeks ago · a54615cb83
parent a202c2a229
commit a54615cb83
4 changed files with 146 additions and 3 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -2,6 +2,7 @@ calamares-settings-ubuntu (1:25.04.11) UNRELEASED; urgency=medium

  * Rearrange the Lubuntu module order to account for packages with new stuff
    to put in the initramfs.
+  * Make forbidden_names much stronger (LP: #2088576).

 -- Simon Quigley <tsimonq2@ubuntu.com>  Mon, 25 Nov 2024 03:02:04 -0600

--- a/kubuntu/modules/users.conf
+++ b/kubuntu/modules/users.conf
@ -19,4 +19,50 @@ passwordRequirements:
 # expectation derived from Ubuntu here.
 user:
  shell: /bin/bash
-  forbidden_names: [ root ]
+  forbidden_names:
+    - root
+    - nginx
+    - www-data
+    - daemon
+    - bin
+    - sys
+    - sync
+    - games
+    - man
+    - lp
+    - mail
+    - news
+    - uucp
+    - proxy
+    - www-data
+    - backup
+    - list
+    - irc
+    - apt
+    - nobody
+    - systemd-network
+    - systemd-timesync
+    - dhcpcd
+    - messagebus
+    - syslog
+    - systemd-resolve
+    - usbmux
+    - tss
+    - uuidd
+    - whoopsie
+    - dnsmasq
+    - avahi
+    - nm-openvpn
+    - tcpdump
+    - speech-dispatcher
+    - cups-pk-helper
+    - fwupd-refresh
+    - sddm
+    - saned
+    - cups-browsed
+    - hplip
+    - polkitd
+    - rtkit
+    - colord
+    - geoclue
+    - installer
--- a/lubuntu/modules/users.conf
+++ b/lubuntu/modules/users.conf
@ -17,7 +17,57 @@ passwordRequirements:
    maxLength: -1
 # Explicitly set the shell instead of deferring to Calamares. We have a platform
 # expectation derived from Ubuntu here.
+#
+# The forbidden_names list is grabbed from `awk -F: '{print $1}' /etc/passwd`
+# on a live ISO. _apt was changed to apt, lubuntu was removed, and nginx and
+# www-data were added
 user:
  shell: /bin/bash
-  forbidden_names: [ root ]
+  forbidden_names:
+    - root
+    - nginx
+    - www-data
+    - daemon
+    - bin
+    - sys
+    - sync
+    - games
+    - man
+    - lp
+    - mail
+    - news
+    - uucp
+    - proxy
+    - www-data
+    - backup
+    - list
+    - irc
+    - apt
+    - nobody
+    - systemd-network
+    - systemd-timesync
+    - dhcpcd
+    - messagebus
+    - syslog
+    - systemd-resolve
+    - usbmux
+    - tss
+    - uuidd
+    - whoopsie
+    - dnsmasq
+    - avahi
+    - nm-openvpn
+    - tcpdump
+    - speech-dispatcher
+    - cups-pk-helper
+    - fwupd-refresh
+    - sddm
+    - saned
+    - cups-browsed
+    - hplip
+    - polkitd
+    - rtkit
+    - colord
+    - geoclue
+    - installer
 allowActiveDirectory: true
--- a/ubuntuunity/modules/users.conf
+++ b/ubuntuunity/modules/users.conf
@ -19,4 +19,50 @@ passwordRequirements:
 # expectation derived from Ubuntu here.
 user:
  shell: /bin/bash
-  forbidden_names: [ root ]
+  forbidden_names:
+    - root
+    - nginx
+    - www-data
+    - daemon
+    - bin
+    - sys
+    - sync
+    - games
+    - man
+    - lp
+    - mail
+    - news
+    - uucp
+    - proxy
+    - www-data
+    - backup
+    - list
+    - irc
+    - apt
+    - nobody
+    - systemd-network
+    - systemd-timesync
+    - dhcpcd
+    - messagebus
+    - syslog
+    - systemd-resolve
+    - usbmux
+    - tss
+    - uuidd
+    - whoopsie
+    - dnsmasq
+    - avahi
+    - nm-openvpn
+    - tcpdump
+    - speech-dispatcher
+    - cups-pk-helper
+    - fwupd-refresh
+    - sddm
+    - saned
+    - cups-browsed
+    - hplip
+    - polkitd
+    - rtkit
+    - colord
+    - geoclue
+    - installer