From owner-freebsd-bugs Fri Jan 4 15:10:30 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8F9B837B422 for ; Fri, 4 Jan 2002 15:10:01 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g04NA1s75539; Fri, 4 Jan 2002 15:10:01 -0800 (PST) (envelope-from gnats) Date: Fri, 4 Jan 2002 15:10:01 -0800 (PST) Message-Id: <200201042310.g04NA1s75539@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org Cc: From: Yar Tikhiy Subject: Re: bin/22860: [PATCH] adduser & friends with '$' in usernames Reply-To: Yar Tikhiy Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The following reply was made to PR bin/22860; it has been noted by GNATS. From: Yar Tikhiy To: Gerhard Sittig Cc: bug-followup@freebsd.org Subject: Re: bin/22860: [PATCH] adduser & friends with '$' in usernames Date: Sat, 5 Jan 2002 01:15:10 +0300 On Thu, Jan 03, 2002 at 10:07:50PM +0100, Gerhard Sittig wrote: > > Yar Tikhi yesterday taught adduser.perl about an option to force > the administrator's wish onto the system what the name should > look like. I have to state two points here: I'm not completely > sure about which characters are allowed in usernames while PR > bin/31049 cites POSIX and talks about "characters from the > portable filename character set". So I cannot decide if the > current implementation (short circuit *any* test except for > "there must be a username" and "it must not contain a colon" > because of the passwd(5) format) is going too far and would > allow invalid usernames. And I feel that the wording of the > warn messages is too strong. I would talk about "unexpected" > or "not recommended" characters unless I'm sure they really > _are_ invalid characters. The problem is that there are no distinct grades of validity for characters to use in a username. I did some simple tests that showed the base system could treat a number of weird characterd such as the whitespace, asterisk or dollar sign without any troubles. On the other hand, a poorly written program or (which is more likely) shell script may be tricked into doing illegitimate actions using such unusual usernames. Someone would say even period is no good in usernames due to the NIS or Kerberos issues. As an alternative to the "allow anything the admin wants" solution, I would propose to make the regular expression usernames are checked against configurable and saved in /etc/adduser.conf. > BTW: Should there be a length check like in pw(8)? There is one in adduser.perl; however, it's not in the obvious place: it's in "sub new_users_name" instead of "sub new_users_name_valid." > src/usr.sbin/pw/* hasn't been touched yet. But I take it from > the bin/31049 audit trail that yar is aware of this tool, too, > and tries to sync both the Perl and the C version of the user > database manipulating frontends -- once it's determined what a > username is allowed to look like. pw has a maintainer: David Nugent (davidn.) I wrote him an email asking for help in this issue. Honestly, adduser has a maintainer (wosch,) too, but its commit log lists so many FreeBSD folks modifying it without any sign of approval from wosch... :-) -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message