Bug#264879: [Pkg-shadow-devel] Bug#264879: passwd: useradd allows invalid characters as username

Alexander Gattin arg@online.com.ua
Sun, 3 Apr 2005 03:25:13 +0300


On Sun, Apr 03, 2005 at 12:15:39AM +0200, Nicolas François wrote:
> I've just tried it, Debian's useradd allows much funnier user names:
> # useradd '`ls /`'
> # getent passwd '`ls /`'
> `ls /`:x:1042:100::/home/`ls /`:

Very funny :). But names starting with '-' have such a
unique property that they can't be escaped, like you
did with `ls /` _in shell_ by surrounding it with
single quotes. "-names", let's call them such, can be
escaped or stripped of their special meaning (as cmdline
option), by the util/program only.

I.e., support for treating "-names" as non-option
arguments is at the program's own discretion. Many utils
accept the GNU "--" delimiter. Some don't.

For example, you _can_ do `useradd -- -auser` but you
can't `userdel -- -auser` then.

> > > About using "." in username: try to use "chown user.name <file>".
> chown uses a heuristic algorithm to handle this.
> It is probably something like:
>  * if the "user.name" user exists and there is either no "user" user or no
>    "name" group, then the user is set to "user.name".
>    (this works, I just tested it)
>  * if there is no "user.name" and the "user" user and the "name" group
>    both exist, then the user is set to "user" and the group set to "name"

Your guess was right (coreutils-5.2.1/lib/userspec.c,
parse_user_spec routine):
>    If SPEC_ARG contains a `:', then use that as the separator, ignoring
>    any `.'s.  If there is no `:', but there is a `.', then first look
>    up the entire SPEC_ARG as a login name.  If that look-up fails, then
>    try again interpreting the `.'  as a separator.

It's a sane behaviour.

> IIRC, this modification was performed to be POSIX compliant, without
> breaking all existing scripts.

I'm not impressed by magic words like POSIX/SUS etc.,
because even these standards are known to contain
bugs.

> Regarding upper cases, I remember a discussion about using "Debian-*" users
> for some packages administrative users (for exim, IIRC).  I'm not sure
> this discussion ended.  It could resurface after Sarge.
> 
> I could find this thread, but I think it was also discussed earlier:
> http://lists.debian.org/debian-devel/2005/02/msg00226.html

Discussion is interesting, but I can't find anything
about uppercase and mail accounts. :(

-- 
WBR,
xrgtn
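
The lookup order given in the quoted userspec.c comment, as an added example that is not part of the original message and is not coreutils code. The function name resolve_spec, the USERS/GROUPS tables (constructed stand-ins for the passwd and group databases) and the choice of the first '.' as the fallback separator are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample databases standing in for getpwnam()/getgrnam(). */
static const char *const USERS[]  = { "user", "user.name", "alice", NULL };
static const char *const GROUPS[] = { "name", "staff", NULL };

static int in_list(const char *const *list, const char *s)
{
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: resolve SPEC in the order the quoted comment gives.
 * Returns 0 on success, -1 if a name is unknown or SPEC does not fit in n. */
int resolve_spec(const char *spec, char *user, char *group, size_t n)
{
    const char *sep = strchr(spec, ':');   /* ':' always wins as separator */
    user[0] = group[0] = '\0';
    if (strlen(spec) >= n)
        return -1;
    if (!sep && strchr(spec, '.')) {
        if (in_list(USERS, spec)) {        /* whole string is a login name */
            strcpy(user, spec);
            return 0;
        }
        sep = strchr(spec, '.');           /* assumption: first '.' splits */
    }
    if (sep) {
        memcpy(user, spec, (size_t)(sep - spec));
        user[sep - spec] = '\0';
        strcpy(group, sep + 1);
    } else {
        strcpy(user, spec);
    }
    return ((user[0] && !in_list(USERS, user)) ||
            (group[0] && !in_list(GROUPS, group))) ? -1 : 0;
}

int main(void)
{
    const char *specs[] = { "user.name", "alice.staff", "user.name:staff", "bob.staff" };
    char u[64], g[64];
    for (size_t i = 0; i < sizeof specs / sizeof *specs; i++) {
        int rc = resolve_spec(specs[i], u, g, sizeof u);
        printf("%-16s rc=%d user='%s' group='%s'\n", specs[i], rc, u, g);
    }
}
```

With these tables, "user.name" resolves to the dotted login even though both "user" and "name" exist, which is why creating a dotted account name changes what an existing `chown user.name` invocation means.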