[X2Go-Dev] Arguable bug: usernames starting with digits

Norman Gray gray at nxg.name
Tue Oct 24 23:48:10 CEST 2017


Uli (and all), hello.

On 24 Oct 2017, at 21:54, Ulrich Sibiller wrote:

> Iirc systemd refused usernames starting with a number. There was a 
> huge
> discussion in the systemd bugtracker but I don't remeber the outcome
> anymore.

Thanks for the pointer.

There seem to have been two intermixed discussions there, first about 
whether '0day' was a valid username, and secondly about systemd's 
behaviour when it encountered such a username.

Early in the discussion, 'poettering' asserts that '"0day" is not a 
valid username' and 'the username is clearly not valid', without 
pointing to any justification for either assertion.  Neither assertion 
is supported by the POSIX/SingleUnix or Debian sources I mentioned 
earlier.  In other words, I think poettering is simply wrong to assert 
that such a username is generally invalid.

Other participants in that discussion pointed to the Single Unix spec 
(which permits all-digit usernames), and to a passage in the GNU 
Coreutils manual 
<https://www.gnu.org/software/coreutils/manual/coreutils.html#Disambiguating-names-and-IDs> 
which explicitly acknowledges that an all-digits username is legitimate, 
and describes how the coreutils resolve the ambiguity.

It may be that _some_ unixes deem a username which starts with a digit 
to be invalid, but it's clearly not universal.  I'm not aware of any 
current unix where this is the case.

Note that (if I recall correctly) some unixes will work fine with an 
all-digits username, but the standard tool will not allow you to create 
such usernames (this might be true of Debian?).

> Part of the problem is that commands accept both usernames and userid 
> AS
> parameters and there just be some clear way to distinguish those two.

The coreutils manual attempts to match a string as a username (even if 
all digits) and as a numeric uid only if that fails.  It says that 
'POSIX requires [this]', but doesn't point to where (I couldn't find 
that requirement myself).

Now, in the case of the example there, a user_name_ of '42' really is 
asking/begging for trouble, but that library goes out of its way to 
process that as a valid username.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk


More information about the x2go-dev mailing list