From 5111b544ec7fc8960b1b9e2f6bdabe90911e8f49 Mon Sep 17 00:00:00 2001
From: Jacob Babor <jacob@babor.tech>
Date: Sun, 1 Dec 2024 22:33:25 -0600
Subject: [PATCH] Implement sanitization checker and actual removal
 functionality

---
 wayblue-fix-89.sh | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/wayblue-fix-89.sh b/wayblue-fix-89.sh
index 4193253..90f536e 100755
--- a/wayblue-fix-89.sh
+++ b/wayblue-fix-89.sh
@@ -89,7 +89,23 @@ for file in /etc/shadow /etc/gshadow; do
 			# If we're at this point in the code path, we now know that we for-sure are
 			# operating on an entry that will cause systemd-sysusers to bail out
 			# on invocation. We are thus going to remove it.
-			echo "Fixing broken entity: $name"
+			echo "Analyzing broken entity: $name"
+			# First, we're going to pattern match the username against the systemd
+			# common core username regex. If this fails to match, we bail. I was unable
+			# to find a Fedora username that didn't match this but it's best to have
+			# this type of safety -- you never know what might happen.
+			# https://systemd.io/USER_NAMES/
+			if ! [[ $name =~ ^[a-z][a-z0-9-]{0,30}$ ]]; then
+				echo "Not touching nonconformant name: $name"
+				continue
+			fi
+			# We've succeeded in all our checks and for sure have a username loaded
+			# that isn't going to cause our regex to explode in terrifying ways.
+			# We're now going to load sed up and fire it at the shadowfile
+			echo "Removing from $file: $name"
+			sed --in-place=- \
+				"/^$name:/d" \
+				"$file"
 		fi
 	done < "$file"
 done
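Review bot: The `sed --in-place=-` call runs once per broken entry, so every invocation after the first overwrites `$file-` with an already-edited copy, and the pre-fix contents of `/etc/shadow` or `/etc/gshadow` are lost when more than one entry is removed; `$file-` is also the backup name shadow-utils maintains for itself. Taking one backup under a distinct name before the `while` loop (which starts outside this hunk), or collecting the names and running a single sed after the loop, would preserve the true original. The exit status of sed is ignored, so a failed edit still leaves "Removing from ..." as the last message; `sed --in-place=- "/^$name:/d" "$file" || { echo "Failed to edit $file" >&2; exit 1; }` would stop on error. Nothing visible in the hunk takes the shadow lock before rewriting the file, so a concurrent `passwd` or `useradd` could race with it; confirm this against the rest of the script.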