Bug#400683: [Pkg-shadow-devel] Bug#400683: passwd: useradd creates users with spaces in usernames

Christian Perrier bubulle at debian.org
Tue Nov 28 06:15:38 UTC 2006


severity 400683 wishlist
retitle 400683 Please don't allow spaces in usernames in useradd
tags 400683 wontfix
thanks

Quoting Paul Visscher (paulv at canonical.org):
> Package: passwd
> Version: 1:4.0.3-31sarge9
> Severity: important
> Tags: patch
> 
> (Despite the similarity in domain name, I am not in any way affiliated
> with Ubuntu or Canonical Ltd.)

(that would not be a shame...:-))

> 
> useradd allows users to be created with spaces in their usernames.

I see nothing wrong with that. This may be a bad idea but, indeed,
nothing is wrong per se.

> Worse, all the utilities to delete users can't delete users with spaces
> in their usernames. I don't think spaces should be valid in usernames,

userdel does:
root@mykerinos:~> useradd "foo bar"
root@mykerinos:~> userdel "foo bar"
root@mykerinos:~>

> so below is a patch that mostly fixes the problem. " foo" and "foo " are
> rejected, but "f: oo" is not. I'm not sure about why things were
> ifdef'ed out in libmisc/chkname.c, but there is probably a more elegant
> solution.
> 
> This problem is also present in 4.0.18.1-5 from unstable, but I'm not
> running unstable. The patch is similar, though the proper place to add a
> similar patch is debian/patches/506_relaxed_usernames. I filed this bug
> with Ubuntu
> (https://bugs.launchpad.net/distros/ubuntu/+source/shadow/+bug/71242)
> and included a patch there.


And I'm not sure that the Ubuntu maintainer of shadow will fix it
(hence the CC to Colin Watson who, I think, is shadow maintainer in
Ubuntu).

Please note that the high level utility named "adduser" will refuse to
create users with a space in their username.

root@mykerinos:~> adduser --force-badname "foo bar"
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not start with
a dash (as defined by IEEE Std 1003.1-2001). For compatibility with Samba
machine accounts $ is also supported at the end of the username

"useradd" is a low level utility provided along with the upstream
source code and having it more permissive than the Debian-specific
high-level utility named "adduser" seems OK to me.
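
An added example, not part of the original message and not code from shadow or adduser: a C check that applies the character rule quoted in the adduser output above to the usernames mentioned in this thread. The function name `username_ok`, the ASCII-only reading of "letters" and "digits", and the rejection of a bare "$" are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not shadow's or adduser's code): returns 1 if name
 * satisfies the rule quoted in the adduser message, 0 otherwise. */
int username_ok(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || name[0] == '-')
        return 0;                       /* empty, or starts with a dash */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        /* Assumption: "letters" and "digits" mean ASCII only, so the
         * result does not depend on the current locale. */
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9'))
            continue;
        if (c == '_' || c == '.' || c == '@' || c == '-')
            continue;
        /* '$' only as the final character (Samba machine accounts);
         * assumption: a name consisting of "$" alone is rejected. */
        if (c == '$' && i == len - 1 && len > 1)
            continue;
        return 0;   /* space, ':' (the passwd field separator), etc. */
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the names from the thread plus a few more. */
    const char *samples[] = { "foo bar", " foo", "foo ", "f: oo",
                              "foo", "-foo", "host$", "a$b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] %s\n", samples[i],
               username_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```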

