[X2Go-Dev] Arguable bug: usernames starting with digits

Ulrich Sibiller ulrich.sibiller at gmail.com
Tue Oct 24 22:54:13 CEST 2017


IIRC systemd refused usernames starting with a number. There was a huge
discussion in the systemd bugtracker but I don't remember the outcome
anymore.

Part of the problem is that commands accept both usernames and userids as
parameters and there must be some clear way to distinguish those two.

I suggest checking the systemd bugtracker before starting another
discussion here ;-) See here: https://github.com/systemd/systemd/issues/6237

Uli

Am 24.10.2017 21:42 schrieb "Norman Gray" <gray at nxg.name>:


Greetings.

[I'm happy to submit this as a bug at bugs.x2go.org, but <
https://wiki.x2go.org/doku.php/wiki:bugs> recommends discussing potential
bugs here beforehand]

At present, x2goserver sanitises usernames with a regexp in x2goutils.pm
and in x2gosqlitewrapper.pl (same in both places).  That's:

    if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) {

A username of, eg, '1234567x' fails this test.  I believe such a username
should not fail.

  * POSIX/Single Unix says of the username simply "To be portable across
systems conforming to POSIX.1-2008, the value is composed of characters
from the portable filename character set. The <hyphen-minus> character
should not be used as the first character of a portable user name." (see <
http://pubs.opengroup.org/onlinepubs/9699919799/>, paragraph 3.437)

  * The Debian useradd(8) page recommends something matching
/^[a-z_][a-z0-9_-]*$/, but goes on to say "On Debian, the only constraints
are that usernames must neither start with a dash ('-') nor contain a colon
(':') or a whitespace (space: ' ', end of line: '\n', tabulation: '\t',
etc.). Note that using a slash ('/') may break the default algorithm for
the definition of the user's home directory." (see eg <
https://www.unix.com/man-page/linux/8/useradd/>)

  * The corresponding RedHat/CentOS manpage doesn't even include that, and
instead says only "Usernames may only be up to 32 characters long."
FreeBSD is similarly laid-back about the username.

I myself think that a username like '1234567x' is asking for at least a
little bit of trouble, but those are the networked usernames I'm having to
deal with, so that trouble is not of my asking.  Also, I suspect that the
trailing character is there precisely in order to avoid this matching
/^[0-9]+$/, and thus to be interpretable as a number.

This does appear to be the source of my login problems, since if I hack the
two files above, to have the regexp start with [a-zA-Z0-9\_], then my users
can log in without difficulty.  This hacking is obviously not a great
solution.

This issue was discussed on the user list a little while ago <
http://lists.x2go.org/pipermail/x2go-user/2015-April/003161.html> (that's
what gave me the aha!).  There, Mihai Moldovan said "That's
non-standard-compliant and you're basically on your own when doing "funky
stuff"."  To be clear, I think such usernames are less than ideal, but I
don't think they count as funky or non-compliant.

----

As a distinct but related matter, when a failing username is rejected by
this test, the session doesn't fail, but simply seems to hang, giving no
feedback about the problem, nor, as far as I can see, reporting anything in
the logs.  Whatever the decision about this report, it would be useful to
fail in a more communicative way.

I'd be interested in your views.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
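
An added example, not part of the original thread or of x2goserver's code: a Python port of the username portion of the regexp quoted above, set beside a hypothetical relaxed rule that allows a leading digit but still rejects all-digit names (the username/userid ambiguity raised in the reply) and returns a reason for every rejection instead of failing silently. The function names, the relaxed pattern and the sample names other than '1234567x' are assumptions.

```python
import re

# Username portion of the session-name regexp quoted above, ported from
# Perl to Python's re syntax: letter or '_' first, up to 47 more characters,
# optional trailing '$'.
X2GO_USERNAME = re.compile(r"[a-zA-Z_][a-zA-Z0-9_\-.@]{0,47}\$?")

# Hypothetical relaxed rule (assumption): same set, but a digit may lead.
RELAXED_USERNAME = re.compile(r"[a-zA-Z0-9_][a-zA-Z0-9_\-.@]{0,47}\$?")


def check_current(name):
    """Return (ok, reason) under the pattern x2goserver applies today."""
    if X2GO_USERNAME.fullmatch(name):
        return True, "ok"
    return False, "rejected by current x2goserver pattern"


def check_relaxed(name):
    """Return (ok, reason) under the relaxed rule, naming the failed check."""
    if not name:
        return False, "empty username"
    if name.startswith("-"):
        return False, "starts with '-'"
    if re.search(r"[:\s]", name):
        return False, "contains ':' or whitespace"
    if re.fullmatch(r"[0-9]+", name):
        # An all-digit name cannot be told apart from a numeric userid.
        return False, "all digits, ambiguous with a numeric userid"
    if not RELAXED_USERNAME.fullmatch(name):
        return False, "character outside the allowed set, or too long"
    return True, "ok"


def compare(names):
    """Return one (name, current_result, relaxed_result) row per name."""
    return [(n, check_current(n), check_relaxed(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample names; '1234567x' is the one from the message.
    samples = ["alice", "1234567x", "1234567", "-bob", "a:b", "host$"]
    for name, current, relaxed in compare(samples):
        print(f"{name!r:12} current={current} relaxed={relaxed}")
```
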