Re: About valid and invalid user names

To: Marc Haber <mh+debian-devel@zugschlus.de>
Cc: debian-devel@lists.debian.org
Subject: Re: About valid and invalid user names
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 06 Feb 2005 12:31:39 +0100
Message-id: <[🔎] 87k6plq604.fsf@deneb.enyo.de>
In-reply-to: <[🔎] E1CxkNj-0002gn-Bp@scyw00225> (Marc Haber's message of "Sun, 06 Feb 2005 12:15:11 +0100")
References: <[🔎] E1CxPCu-0003Mh-Sz@scyw00225> <[🔎] E1CxkNj-0002gn-Bp@scyw00225>

* Marc Haber:

> By default, adduser will verify the user against a configurable
> regexp, default being the most conservative ^[a-z][a-z0-9\-]*$. The
> --force-badname option will change the regexp to a hardcoded
> ^[-\._A-Za-z0-9]*\$?$, allowing users to happily hang themselves. This
> gives the somewhat funny situation that the default can be configured
> to be less restrictive than --force-badname, but I doubt that it would
> be sensible to have --force-badname turn off all checks.

The current --force-badname check is /^[A-Za-z_][-_A-Za-z0-9]*\$?$/.
Wouldn't it make more sense to add the "." just to the second
character class?  User names starting with "-" could be truly awful.

Even if a custom regular expression has been configured, you should
check for "\n" and ":" in user names and reject them, just to be sure
(and maybe a few more funny characters).

Reply to:

Follow-Ups:
- Re: About valid and invalid user names
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

References:
- About valid and invalid user names
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: About valid and invalid user names
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

Prev by Date: Re: Debug packages cluttering the archive
Next by Date: Re: About valid and invalid user names
Previous by thread: Re: About valid and invalid user names
Next by thread: Re: About valid and invalid user names
Index(es):
- Date
- Thread