Subject: Re: Login names and /etc/security
To: Greywolf <>
From: Mike M. Volokhov <>
List: tech-userlevel
Date: 11/04/2004 15:40:08
On Tue, 2 Nov 2004 16:52:39 -0800 (PST)
Greywolf <> wrote:

> [Thus spake Mike M. Volokhov ("MMV: ") 5:08pm...]
> MMV: But the passwd(5) man page says:
> MMV:
> MMV: 	``The login name must never begin with a hyphen (``-''); also,
> MMV: 	it is strongly suggested that neither upper-case characters nor
> MMV: 	dots (``.'') be part of the name, as this tends to confuse
> MMV: 	mailers...''
> The hyphen thing is understandable.
> However, I see first.last@some.address used ALL the time,
> espeziali in der KorporatEnvironments.
> And, last I looked, mailers were case-insensitive -- if you're going to
> be foolish enough to have upper case vs. lower case as distinct users whom
> you expect to receive separate mail, you will get what you deserve
> (though I'm given to understand that there is a way to make sendmail
> case-sensitive on the username front).
> So, I would rather the username was NOT disallowed the use of [A-Z.].

So do you propose to change the passwd(5) man page instead?

> [especially considering that uppercase usernames are a convenient way
> of allowing individual super-user accounts (you, in the back, holding
> up a security manual: Don't even.  Just shut the @#%$ up.  Now.)]

Very interesting viewpoint...

> MMV: Thus seems that [A-Z] testing in /etc/security violates the
> MMV: recommendation, and some other allowed characters (such as "_") are not
> MMV: included into expression.
> MMV:
> MMV: Another issue is the regex itself. It allows the dash (``-'') characters
> MMV: followed one each other, i.e.:
> MMV:
> MMV: 	a-----b
> MMV: 	abc---d---efg
> MMV:
> MMV: Is it a normal behaviour? Although it is not restricted by passwd(5),
> MMV: but looks strange.
> MMV:
> MMV: Therefore, possible correct regex should be as follows:
> MMV:
> MMV: 	/^[a-z0-9]([-_]?[a-z0-9])*$/
> MMV:
> MMV: It fixes the problems described above.
> MMV:
> MMV: And yet another question - logins names, which uses the numbers only
> MMV: (for example, "0", "12345678"). It can be accepted by many systems
> MMV: without any problems, but looks strange enough like as "dashed" ones.
> MMV:
> MMV: Any comments please?
> Is there any reason to be so bent over a matter of aesthetics?
> Please.  This is as silly as the crippled password programs in various
> places which do not accept anything except '[A-Za-z0-9_#$-]'.  yes,
> I had to work with one such policy once.  It was handed to me by a
> contractor who "knew what he was doing".
> there is NOTHING wrong with a username like "drwx--x--x", outside of the
> fact that it might confuse a casual observer.  Preventing such things
> is not the task of NetBSD.  That may well be a site policy decision, but
> I'd rather my site policies were decided by me, not by (the people who
> distribute) my OS.

They already do this. For example, you can't safely use "c--" alike
names so as last character *must* be an alphanumeric one, but
technically there are no any problems with it...

Instead, possible we can use user-own regex passed to awk(1) (for
example, named login_regex) to solve this issue. But I'm personally
still prefer a correctly composed one.