[X2Go-Dev] Arguable bug: usernames starting with digits
Norman Gray
gray at nxg.name
Tue Oct 24 21:35:49 CEST 2017
Greetings.
[I'm happy to submit this as a bug at bugs.x2go.org, but
<https://wiki.x2go.org/doku.php/wiki:bugs> recommends discussing
potential bugs here beforehand]
At present, x2goserver sanitises usernames with a regexp in x2goutils.pm
and in x2gosqlitewrapper.pl (same in both places). That's:
if ($string =~
/^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/)
{
A username of, eg, '1234567x' fails this test. I believe such a
username should not fail.
* POSIX/Single Unix says of the username simply "To be portable
across systems conforming to POSIX.1-2008, the value is composed of
characters from the portable filename character set. The <hyphen-minus>
character should not be used as the first character of a portable user
name." (see <http://pubs.opengroup.org/onlinepubs/9699919799/>,
paragraph 3.437)
* The Debian useradd(8) page recommends something matching
/^[a-z_][a-z0-9_-]*$/, but goes on to say "On Debian, the only
constraints are that usernames must neither start with a dash ('-') nor
contain a colon (':') or a whitespace (space: ' ', end of line: '\n',
tabulation: '\t', etc.). Note that using a slash ('/') may break the
default algorithm for the definition of the user's home directory." (see
eg <https://www.unix.com/man-page/linux/8/useradd/>)
* The corresponding RedHat/CentOS manpage doesn't even include that,
and instead says only "Usernames may only be up to 32 characters long."
FreeBSD is similarly laid-back about the username.
I myself think that a username like '1234567x' is asking for at least a
little bit of trouble, but those are the networked usernames I'm having
to deal with, so that trouble is not of my asking. Also, I suspect that
the trailing character is there precisely in order to avoid this
matching /^[0-9]+$/, and thus to be interpretable as a number.
This does appear to be the source of my login problems, since if I hack
the two files above, to have the regexp start with [a-zA-Z0-9\_], then
my users can log in without difficulty. This hacking is obviously not a
great solution.
This issue was discussed on the user list a little while ago
<http://lists.x2go.org/pipermail/x2go-user/2015-April/003161.html>
(that's what gave me the aha!). There, Mihai Moldovan said "That's
non-standard-compliant and you're basically on your own when doing
"funky stuff"." To be clear, I think such usernames are less than
ideal, but I don't think they count as funky or non-compliant.
----
As a distinct but related matter, when a failing username is rejected by
this test, the session doesn't fail, but simply seems to hang, giving no
feedback about the problem, nor, as far as I can see, reporting anything
in the logs. Whatever the decision about this report, it would be
useful to fail in a more communicative way.
I'd be interested in your views.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
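The following is an added example, not code from the post or from x2goserver. It transcribes the sanitising regexp quoted above into Python's `re` module (every escape in it reads the same way in both engines, so the two accept and reject the same strings), places the hacked variant with `[a-zA-Z0-9\_]` as its first character class beside it, and runs both over a few session IDs constructed here to fit the shape the regexp expects. The `parse_session_id` and `classify` helpers are mine, as is the "numeric-user" check, which flags the point raised in the post that a username without a trailing non-digit is itself interpretable as a number.

```python
import re

# The sanitising regexp quoted in the post (x2goutils.pm / x2gosqlitewrapper.pl),
# copied verbatim from the Perl source. Group 1 is the username, group 2 the
# display number, group 3 the timestamp.
ORIGINAL_RE = re.compile(
    r'^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})'
    r'\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$'
)

# The change the post describes hacking in: a digit is also allowed as the
# first character of the username. Only the leading character class differs.
RELAXED_RE = re.compile(
    r'^([a-zA-Z0-9\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})'
    r'\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$'
)


def parse_session_id(session_id, pattern=ORIGINAL_RE):
    """Return (user, display, timestamp) if session_id passes `pattern`, else None.

    Helper written for this example; x2goserver does not expose such a function.
    """
    m = pattern.match(session_id)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


def classify(session_id):
    """Say how the two patterns treat one session ID (example helper).

    'ok'             accepted by the original regexp
    'leading-digit'  rejected only because the username starts with a digit
    'numeric-user'   accepted by the relaxed regexp, but the username is all
                     digits, i.e. it would also match /^[0-9]+$/
    'rejected'       rejected by both patterns
    """
    if parse_session_id(session_id, ORIGINAL_RE) is not None:
        return 'ok'
    parsed = parse_session_id(session_id, RELAXED_RE)
    if parsed is None:
        return 'rejected'
    user = parsed[0].rstrip('$')   # ignore the optional trailing '$'
    if user.isdigit():
        return 'numeric-user'
    return 'leading-digit'


# Session IDs constructed for this example in the shape the regexp expects
# (username-display-timestamp_tag_dpNN); none is taken from a real system.
SAMPLES = [
    "alice-50-1508873749_stDMATE_dp24",      # plain username
    "a-b-50-1508873749_stDMATE_dp24",        # hyphen inside the username
    "1234567x-50-1508873749_stDMATE_dp24",   # the case from the post
    "12345-50-1508873749_stDMATE_dp24",      # all-digit username
    "-alice-50-1508873749_stDMATE_dp24",     # leading hyphen, bad everywhere
    "al ice-50-1508873749_stDMATE_dp24",     # whitespace, bad everywhere
]

if __name__ == "__main__":
    for sid in SAMPLES:
        print(f"{classify(sid):14s} {sid}")
```

Running the block shows that only the `1234567x` form is lost to the leading character class, that hyphenated usernames already parse unambiguously because the display and timestamp groups anchor the split, and that the relaxed class on its own would also let an all-digit name through, which is the caveat the post attaches to the trailing letter.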