Re: Musings about Usernames in adduser and Debian

To: debian-devel@lists.debian.org
Subject: Re: Musings about Usernames in adduser and Debian
From: Chris Hofstaedtler <zeha@debian.org>
Date: Mon, 9 Dec 2024 18:04:52 +0100
Message-id: <[🔎] f23omrtrpwlzzmdb6cyusnhjpvwio7oju3ee4lsrywhfsin7d6@ktnbx7fespvy>
In-reply-to: <[🔎] CAB6pCSbJNWF1QgeApdrY1sFvQKmtgxTekVxU0ZUEZPSD5TQWTw@mail.gmail.com>
References: <[🔎] CAB6pCSbJNWF1QgeApdrY1sFvQKmtgxTekVxU0ZUEZPSD5TQWTw@mail.gmail.com>

* Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> [241208 21:35]:
> I second calling it "allow-unsafe-names" 

This was never on the table, and shadow upstream might even drop the
entire "support" for having bad names.

> for the following reasons:
[..]

> 2. There's a path traversal bug in useradd (but not adduser) that can
> be triggered by usernames beginning with "../".

It's not a bug if you disable the guard rails.

Chris

Reply to:

Follow-Ups:
- Re: Musings about Usernames in adduser and Debian
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

References:
- Re: Musings about Usernames in adduser and Debian
  - From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>

Prev by Date: Re: Problems to find sponsors
Next by Date: Re: Musings about Usernames in adduser and Debian
Previous by thread: Re: Musings about Usernames in adduser and Debian
Next by thread: Re: Musings about Usernames in adduser and Debian
Index(es):
- Date
- Thread