Bug#264879: [Pkg-shadow-devel] Bug#264879: passwd: useradd allows invalid characters as username

Nicolas François, 264879@bugs.debian.org
Sun, 3 Apr 2005 00:15:39 +0200


On Sat, Apr 02, 2005 at 10:07:26PM +0300, Alexander Gattin wrote:
> On Thu, Mar 31, 2005 at 03:21:05AM +0200, Tomasz Kłoczko wrote:
> > On Thu, 31 Mar 2005, Nicolas [iso-8859-1] François wrote:
> > [..]
> > >   * the implementation from RedHat, which seems reasonable to me. (maybe
> > >     we should not allow usernames starting with a '-').
> 
> Consider what most tools (from coreutils/shadow/adduser
> etc.) will think about "-h" or "--verbose" username? :))

I've just tried it, the Debian's useradd allows much funnier user names:
# useradd '`ls /`'
# getent passwd '`ls /`'
`ls /`:x:1042:100::/home/`ls /`:

And it also allows brain-damaged admins to use `rm -rf /` as a username
(she will then have to check twice the command lines that use this user ;).

> > >     useradd will still be much more permissive than adduser, but some
> > >     reasonable checks will be performed.
> > >     The RedHat equivalent regex is "^[a-zA-Z_][a-zA-Z0-9_-.]*\$?$"
> > 
> > About using "." in username: try to use "chown user.name <file>".
> 
> Good counter-example. ;-)

chown uses a heuristic algorithm to handle this.  It is probably something
like:
 * if the "user.name" user exists and there is either no "user" user or no
   "name" group, then the user is set to "user.name".
   (this works, I just tested it)
 * if there is no "user.name" and the "user" user and the "name" group
   both exist, then the user is set to "user" and the group set to "name"
 * otherwise, I don't know what happens, but it seems reasonable to just
   display a warning (I didn't check).

IIRC, this modification was performed to be POSIX compliant, without
breaking all existing scripts.


Regarding upper case, I remember a discussion about using "Debian-*" users
for some packages' administrative users (for exim, IIRC).  I'm not sure
this discussion ended.  It could resurface after Sarge.

I could find this thread, but I think it was also discussed earlier:
http://lists.debian.org/debian-devel/2005/02/msg00226.html


Best Regards,
-- 
Nekral
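Added example (not code from this thread, shadow or coreutils): a validator for the RedHat-style username rule quoted above, and a resolver for the "user.name" ambiguity following the chown heuristic sketched in the mail. The regex is written with '-' at the end of the character class so it is a literal rather than an invalid range; the 32-character length limit is an assumption of this example.

```python
import re

# RedHat-style rule from the thread: first character a letter or '_',
# then letters, digits, '_', '.', '-', optionally ending in '$' (Samba
# machine accounts). Leading '-' is rejected, so "-h"/"--verbose" never
# reach a tool as a username-looking option.
USERNAME_RE = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_.-]*\$?$')


def is_valid_username(name: str, max_len: int = 32) -> bool:
    """Accept only names matching the RedHat-style pattern and length cap.

    max_len=32 is an assumption of this example, not a value from the
    thread. Shell metacharacters, spaces and backticks all fail the regex,
    so names like "`ls /`" or "rm -rf /" are rejected outright.
    """
    if not name or len(name) > max_len:
        return False
    return USERNAME_RE.match(name) is not None


def resolve_chown_spec(spec, users, groups):
    """Resolve a chown "user.name" spec into (user, group).

    Follows the heuristic described in the mail (an assumption about
    chown, not its actual source):
      * "user.name" exists as a user and the split is not also valid
        -> (spec, None)
      * no "user.name" user, but "user" user and "name" group both exist
        -> (user, name)
      * anything else is ambiguous/unknown -> None (caller should warn)
    """
    user, sep, group = spec.partition('.')
    split_ok = bool(sep) and user in users and group in groups
    if spec in users and not split_ok:
        return (spec, None)
    if spec not in users and split_ok:
        return (user, group)
    return None


if __name__ == "__main__":
    # Constructed sample inputs taken from the names discussed above.
    for n in ("alice", "web$", "`ls /`", "rm -rf /", "-h", "--verbose", "user.name"):
        print(f"{n!r:14} valid={is_valid_username(n)}")
    # Constructed account database to exercise the '.' ambiguity.
    print(resolve_chown_spec("alice.staff", {"alice"}, {"staff"}))
    print(resolve_chown_spec("alice.staff", {"alice", "alice.staff"}, {"staff"}))
```

Even a name the regex accepts, such as "user.name", remains ambiguous to chown when both halves also exist, which is the practical argument against allowing '.' in usernames.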