Subject: Re: useradd: spaces and $ in usernames
To: Alistair Crooks <agc@pkgsrc.org>
From: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
List: tech-userlevel
Date: 11/20/2001 23:08:23

On Tue, 20 Nov 2001, Alistair Crooks wrote:
> I'm still not sure what we'd gain from all this. The ability to
> define logins that can be used on other operating systems, sure,
> using the names that are used on the foreign OS. Why do they have
> to be the same names on NetBSD?

Um, no: make useradd (etc.) not impose any artificial restrictions on
login names, that's all.  I'm not proposing to change any of the programs
that deal with usernames - login, ftpd, telnetd, sshd, passwd, whatever do
stay where they are.


> You also haven't surrounded your changes in #ifdef EXTENSIONS, but
> have enabled it by default. This is not correct.

I looked into this:
You say you wrote this after the useradd manpage from Solaris. This says
(Solaris 8/x86):

     The login (login) and role (role) fields accept a string  of
     no  more  than eight bytes consisting of characters from the
     set of alphabetic  characters,  numeric  characters,  period
     (.),  underscore  (_),  and  hyphen (-). The first character
     should be alphabetic and the field should contain  at  least
==>  one  lower case alphabetic character. A warning message will
==>  be written if these  restrictions  are  not  met.  A  future
     Solaris  release  may refuse to accept login and role fields
     that do not meet these requirements.

So printing the warning is not an extension, but it should have always
been the case.


> As to the changes themselves - why reinvent wheels? What's wrong
> with shquote(3) - you are only passing the commands off to /bin/sh,
> so it's surely adequate?

I didn't know about it, and as I implemented this on 1.5.2, I had no
chance to know it either - it's not there in 1.5.2. I'll look into pulling
it in like strlcpy.


> The warning message which is displayed does not convey any sense of
> urgency to me:
> 
> "Warning: non-standard login names may lead to non-obvious problems!"

Please feel free to suggest a better wording!

Of course we can check for several attributes as Solaris does, but that
needs some semantic changes to valid_login() then:

rfhpc8317# useradd ' TEST$ '
UX: useradd:  TEST$  name should be all alphanumeric, '-', '_', or '.'
UX: useradd:  TEST$  name first character should be alphabetic.
UX: useradd:  TEST$  name should have at least one lower case character.


> And, finally, you've obviously been running your systems with non-standard
> usernames for a while now - what were the utilities that can't handle these
> usernames, and what else did you find out?
> 
> i.e. when you try to login with a username that begins with '-', what
> happens? Or a username with a '#' anywhere in it?

I logged in via telnet and changed password, which worked fine. 
I don't think that's much of a surprise, as I didn't touch any of these
programs - or do you suggest any of our programs don't handle the cases
you mention? If so, this should be discussed as a different matter.


 - Hubert

-- 
Want to get a clue on IPv6 but don't know where to start? Try this:
* Basics -> http://www.onlamp.com/pub/a/onlamp/2001/05/24/ipv6_tutorial.html
* Setup  -> http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html 
Of course with your #1 IPv6 ready operating system -> http://www.NetBSD.org/
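
The warn-but-accept behaviour of the Solaris 8 manpage text quoted in the message above, as an added example that is not part of the original mail and not NetBSD's useradd code. The names check_login, warn_login and the LOGIN_* flags are hypothetical, and the wording of the eight-byte message is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag names, one bit per rule in the quoted manpage text. */
enum { LOGIN_TOO_LONG = 1, LOGIN_BAD_CHARS = 2, LOGIN_BAD_FIRST = 4, LOGIN_NO_LOWER = 8 };

/* Return a bitmask of violated rules; 0 means the name is conventional. */
unsigned check_login(const char *name)
{
    unsigned flags = LOGIN_NO_LOWER;          /* cleared once a lower case letter is seen */
    const unsigned char *p = (const unsigned char *)name;
    if (strlen(name) > 8)
        flags |= LOGIN_TOO_LONG;
    if (!isalpha(p[0]))                       /* also catches the empty name */
        flags |= LOGIN_BAD_FIRST;
    for (; *p != '\0'; p++) {
        if (!isalnum(*p) && *p != '.' && *p != '_' && *p != '-')
            flags |= LOGIN_BAD_CHARS;
        if (islower(*p))
            flags &= ~(unsigned)LOGIN_NO_LOWER;
    }
    return flags;
}

/* Warn on stderr but never refuse; returns the number of warnings printed. */
int warn_login(const char *name)
{
    /* Index i matches flag bit (1 << i). The first message is constructed;
     * the other three follow the Solaris output shown in the mail. */
    static const char *const msg[] = {
        "name should be no more than eight bytes",
        "name should be all alphanumeric, '-', '_', or '.'",
        "name first character should be alphabetic",
        "name should have at least one lower case character"
    };
    unsigned flags = check_login(name);
    int i, n = 0;
    for (i = 0; i < 4; i++)
        if (flags & (1u << i)) {
            fprintf(stderr, "useradd: '%s' %s\n", name, msg[i]);
            n++;
        }
    return n;
}

int main(void)
{
    warn_login(" TEST$ ");   /* same name as in the session shown in the mail */
    return 0;
}
```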