Subject: Re: useradd: spaces and $ in usernames
To: Hubert Feyrer <>
From: Alistair Crooks <>
List: tech-userlevel
Date: 11/22/2001 17:10:01
On Tue, Nov 20, 2001 at 11:08:23PM +0100, Hubert Feyrer wrote:
> On Tue, 20 Nov 2001, Alistair Crooks wrote:
> > I'm still not sure what we'd gain from all this. The ability to
> > define logins that can be used on other operating systems, sure,
> > using the names that are used on the foreign OS. Why do they have
> > to be the same names on NetBSD?
> Um, no: make useradd (etc.) not impose any artificial restrictions on
> login names, that's all.  I'm not proposing to change any of the programs
> that deal with usernames - login, ftpd, telnetd, sshd, passwd, whatever do
> stay where they are.

useradd is the point of entry to the system for these login names.
It is hardly an artificial restriction. And the question still
stands - why does the name on the NetBSD system have to the same
as that on the foreign system?

> > You also haven't surrounded your changes in #ifdef EXTENSIONS, but
> > have enabled it by default. This is not correct.
> I looked into this:
> You say you wrote this after the useradd manpage from solaris. This says
> (Solaris 8/x86):
>      The login (login) and role (role) fields accept a string  of
>      no  more  than eight bytes consisting of characters from the
>      set of alphabetic  characters,  numeric  characters,  period
>      (.),  underscore  (_),  and  hyphen (-). The first character
>      should be alphabetic and the field should contain  at  least
> ==>  one  lower case alphabetic character. A warning message will
> ==>  be written if these  restrictions  are  not  met.  A  future
>      Solaris  release  may refuse to accept login and role fields
>      that do not meet these requirements.
> So printing the warning is not an extension, but it should have always
> been the case.

That is obviously from a later version of Solaris than the one I
was using. And the  fact that they reserve the right to refuse
admission to dubious usernames which are entered now should ring
alarm bells for you.

	``Look guys, I've installed Solaris 10 for you!''
	``Thanks, but I can't log in.''
	``Oh yes, that's because they made your login name illegal.''

> Of course we can check for several attributes as Solaris does, but that
> needs some semantic changes to valid_login() then:
> rfhpc8317# useradd ' TEST$ '
> UX: useradd:  TEST$  name should be all alphanumeric, '-', '_', or '.'
> UX: useradd:  TEST$  name first character should be alphabetic.
> UX: useradd:  TEST$  name should have at least one lower case character.

Spaces, and even dollar signs, I can live with. A complete relaxation
of the rules, as you're suggesting, could prove very vexing for anyone
who has to administer a NetBSD system. Or, more to the point, who has
to take over the administration of a NetBSD system.

I would like to know how you plan to deal with people who put ':' in
the new login name, or '/', for example.
> > And, finally, you've obviously been running your systems with non-standard
> > usernames for a while now - what were the utilities that can't handle these
> > usernames, and what else did you find out?
> > 
> > i.e. when you try to login with a username that begins with '-', what
> > happens? Or a username with a '#' anywhere in it?
> I logged in via telnet and changed password, which worked fine. 
> I don't think that's much of a surprise, as I didn't touch any of these
> programs - or do you suggest any of our programs don't handle the cases
> you mention? If so, this should be discussed as a different matter.

You cannot discuss this change in isolation. The useradd is the main
way that users are added to the system, and so any change to it can have
knock-on effects to all other programs in the system.

I've mentioned a few of the characters you don't want in there already - ':',
'/', '-' at the beginning, '#' (possibly, I haven't checked just lately what
the tty driver does with this), '^H', '^W', '^?', and possibly more.