Re: About valid and invalid user names
* Marc Haber:
> By default, adduser will verify the user against a configurable
> regexp, default being the most conservative ^[a-z][a-z0-9\-]*$. The
> --force-badname option will change the regexp to a hardcoded
> ^[-\._A-Za-z0-9]*\$?$, allowing users to happily hang themselves. This
> gives the somewhat funny situation that the default can be configured
> to be less restrictive than --force-badname, but I doubt that it would
> be sensible to have --force-badname turn off all checks.
The current --force-badname check is /^[A-Za-z_][-_A-Za-z0-9]*\$?$/.
Wouldn't it make more sense to add the "." just to the second
character class? User names starting with "-" could be truly awful.
Even if a custom regular expression has been configured, you should
check for "\n" and ":" in user names and reject them, just to be sure
(and maybe a few more funny characters).