Subject: Re: Login names and /etc/security
To: Mike M. Volokhov <mishka@apk.od.ua>
From: Greywolf <greywolf@starwolf.com>
List: tech-userlevel
Date: 11/02/2004 16:52:39
[Thus spake Mike M. Volokhov ("MMV: ") 5:08pm...]

MMV: But the passwd(5) man page says:
MMV:
MMV: 	``The login name must never begin with a hyphen (``-''); also,
MMV: 	it is strongly suggested that neither upper-case characters nor
MMV: 	dots (``.'') be part of the name, as this tends to confuse
MMV: 	mailers...''

The hyphen thing is understandable.

However, I see first.last@some.address used ALL the time,
espeziali in der KorporatEnvironments.

And, last I looked, mailers were case-insensitive -- if you're going to
be foolish enough to have upper case vs. lower case as distinct users whom
you expect to receive separate mail, you will get what you deserve
(though I'm given to understand that there is a way to make sendmail
case-sensitive on the username front).

So, I would rather the username was NOT disallowed the use of [A-Z.].

[especially considering that uppercase usernames are a convenient way
of allowing individual super-user accounts (you, in the back, holding
up a security manual: Don't even.  Just shut the @#%$ up.  Now.)]

MMV: Thus it seems that [A-Z] testing in /etc/security violates the
MMV: recommendation, and some other allowed characters (such as "_") are not
MMV: included in the expression.
MMV:
MMV: Another issue is the regex itself. It allows dash (``-'') characters
MMV: to follow one another, i.e.:
MMV:
MMV: 	a-----b
MMV: 	abc---d---efg
MMV:
MMV: Is this normal behaviour? Although it is not restricted by passwd(5),
MMV: it looks strange.
MMV:
MMV: Therefore, possible correct regex should be as follows:
MMV:
MMV: 	/^[a-z0-9]([-_]?[a-z0-9])*$/
MMV:
MMV: It fixes the problems described above.
MMV:
MMV: And yet another question - login names which use numbers only
MMV: (for example, "0", "12345678"). They can be accepted by many systems
MMV: without any problems, but look strange enough, like the "dashed" ones.
MMV:
MMV: Any comments please?

Is there any reason to be so bent over a matter of aesthetics?

Please.  This is as silly as the crippled password programs in various
places which do not accept anything except '[A-Za-z0-9_#$-]'.  Yes,
I had to work with one such policy once.  It was handed to me by a
contractor who "knew what he was doing".

There is NOTHING wrong with a username like "drwx--x--x", outside of the
fact that it might confuse a casual observer.  Preventing such things
is not the task of NetBSD.  That may well be a site policy decision, but
I'd rather my site policies were decided by me, not by (the people who
distribute) my OS.

				--*greywolf;
--
You are carrying:
    one red potion
    one oil lamp
    50 feet of rope
Puns remaining: 0
What now? _
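The regex under discussion, /^[a-z0-9]([-_]?[a-z0-9])*$/, is easy to exercise against the names mentioned in the thread. The script below is an added example, not NetBSD's /etc/security and not code from either poster: it wraps the proposed pattern in a shell function, runs it over a constructed list of sample names (the doubled-dash cases, the all-digit cases, a First.Last style name and greywolf's "drwx--x--x"), and also shows, as an extension beyond what the thread proposes, a stricter variant that additionally rejects all-digit names by requiring at least one letter. The function names (login_name_ok, login_name_ok_strict, classify_names) and the sample list are this example's own.

```shell
#!/bin/sh
# Added example: check login names against the regex proposed in the thread.
# Rule encoded by the pattern: first char is [a-z0-9]; every further char is
# [a-z0-9], optionally preceded by ONE dash or underscore. So separators can
# never lead, trail, or repeat, and upper-case letters and dots are rejected.

# login_name_ok NAME -> exit 0 if NAME matches the proposed regex, else 1.
login_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([-_]?[a-z0-9])*$'
}

# login_name_ok_strict NAME -> like login_name_ok, but also requires at least
# one lower-case letter, so purely numeric names such as "0" or "12345678"
# are rejected. This is an extension for illustration, not the thread's regex.
login_name_ok_strict() {
    login_name_ok "$1" && printf '%s\n' "$1" | grep -q '[a-z]'
}

# classify_names -> one line per constructed sample: name, verdict of the
# proposed regex, verdict of the strict variant. Returns 0 always.
classify_names() {
    # Constructed sample names (from the discussion plus a few extras).
    for name in alice a-b a_b a-----b abc---d---efg -abc abc- a__b \
                0 12345678 First.Last drwx--x--x ''; do
        if login_name_ok "$name"; then v1=ok; else v1=reject; fi
        if login_name_ok_strict "$name"; then v2=ok; else v2=reject; fi
        printf '%-14s proposed=%-7s strict=%s\n' "'$name'" "$v1" "$v2"
    done
    return 0
}

classify_names
```

Running it prints one line per sample; "a-----b", "abc---d---efg", "-abc", "abc-", "a__b", "First.Last" and "drwx--x--x" are rejected by the proposed regex, while "0" and "12345678" pass it and fall only to the strict variant, which is exactly the open question in the quoted message.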