AW: [suse-security] Problems creating usernames with dots
Hi Mario,

> From: Mario Viana [mailto:marioj@secrel.com.br]
> Hello,
> Well, maybe it's a little off-topic, but does anybody know why SuSE 8.0 doesn't accept creating a username with dots, e.g., while I try creating the user suse.br:
> # useradd suse.br
> useradd: invalid user name 'suse.br'

Because . is not a valid character for users. What about "chown user.group file"? Does the . belong to the username or is it the username-group delimiter?

> I have seen all the configuration files in /etc/sysconfig, Suse DB and Google and I haven't found anything related to this topic. =((

Dotted usernames were a bug until SuSE 8.0.

regards, Stefan
Mario,

You can try to use alias, edit /etc/aliases and run /usr/bin/newaliases which maybe can run,

By Lindomar,

On Wed, 20 Nov 2002, Peer Stefan wrote:
> Hi Mario,
>
> > From: Mario Viana [mailto:marioj@secrel.com.br]
> > Hello,
> > Well, maybe it's a little off-topic, but does anybody know why SuSE 8.0 doesn't accept creating a username with dots, e.g., while I try creating the user suse.br:
> > # useradd suse.br
> > useradd: invalid user name 'suse.br'
>
> Because . is not a valid character for users. What about "chown user.group file"? Does the . belong to the username or is it the username-group delimiter?
>
> > I have seen all the configuration files in /etc/sysconfig, Suse DB and Google and I haven't found anything related to this topic. =((
>
> Dotted usernames were a bug until SuSE 8.0.
>
> regards, Stefan
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
In fact to Lindomar,

While creating the user, create default mail alias as a givenname. So, suse warns you, give the givenname then. Give first name with dot. For example

First name : "x."
surname : "yx"

After that, you can use x.yz@domainname.com for e-mail alias. Actually, this is alias, you can create more than one alias in the alias field, while you are creating new user at new user page.

Nazif Ilker Sezdi

----- Original Message -----
From: "Lindomar C. dos Santos" <lindomar@pop-am.rnp.br>
To: <suse-security@suse.com>
Cc: "Mario Viana" <marioj@secrel.com.br>
Sent: Wednesday, November 20, 2002 5:48 PM
Subject: Re: AW: [suse-security] Problems creating usernames with dots

Mario,

You can try to use alias, edit /etc/aliases and run /usr/bin/newaliases which maybe can run,

By Lindomar,

On Wed, 20 Nov 2002, Peer Stefan wrote:
> Hi Mario,
>
> > From: Mario Viana [mailto:marioj@secrel.com.br]
> > Hello,
> > Well, maybe it's a little off-topic, but does anybody know why SuSE 8.0 doesn't accept creating a username with dots, e.g., while I try creating the user suse.br:
> > # useradd suse.br
> > useradd: invalid user name 'suse.br'
>
> Because . is not a valid character for users. What about "chown user.group file"? Does the . belong to the username or is it the username-group delimiter?
>
> > I have seen all the configuration files in /etc/sysconfig, Suse DB and Google and I haven't found anything related to this topic. =((
>
> Dotted usernames were a bug until SuSE 8.0.
>
> regards, Stefan
On Wed, 20 Nov 2002 at 16:27 (+0100), Peer Stefan wrote:
> > From: Mario Viana [mailto:marioj@secrel.com.br]
> > Hello,

Hi, it's not security related - a better place for this question would be suse-linux(-e)

> > Well, maybe it's a little off-topic, but does anybody know why SuSE 8.0 doesn't accept creating a username with dots, e.g., while I try creating the user suse.br:
> > # useradd suse.br
> > useradd: invalid user name 'suse.br'

Add a new user without dot and edit the /etc/passwd manually after this. It should work (without warranty).

> Because . is not a valid character for users. What about "chown user.group file"? Does the . belong to the username or is it the username-group delimiter?

Why this? AFAIK your chown syntax isn't standard, it should be: chown user:group file (according to the manual page in 8.0 :-)

Jan
On Wed, 20 Nov 2002, Jan Trippler wrote:
> Add a new user without dot and edit the /etc/passwd manually after this. It should work (without warranty).
>
> > Because . is not a valid character for users. What about "chown user.group file"? Does the . belong to the username or is it the username-group delimiter?
>
> Why this? AFAIK your chown syntax isn't standard, it should be: chown user:group file (according to the manual page in 8.0 :-)

uid:gid vs. uid.gid for chown is a dragon to beat on a lot of UNIX flavours, but Linux uses GNU's chown with POSIX extensions which allows both ;-) They just forgot to mention it in the man-pages (or you need to read the un-written too)

Hope this helps to get out of the confusion. Let the questioner decide what to do with chown uid.gid when the username contains a dot.

Achim
On Wednesday, 20 November 2002 16:27, Peer Stefan wrote:
> Hi Mario,
>
> > From: Mario Viana [mailto:marioj@secrel.com.br]
> > Hello,
> > Well, maybe it's a little off-topic, but does anybody know why SuSE 8.0 doesn't accept creating a username with dots, e.g., while I try creating the user suse.br:
> > # useradd suse.br
> > useradd: invalid user name 'suse.br'
>
> Because . is not a valid character for users. What about "chown user.group

It is valid.

> file"? Does the . belong to the username or is it the username-group delimiter?

Chown is a userland program that does (stupidly) check this, but the kernel doesn't care about chown-syntax.

> > I have seen all the configuration files in /etc/sysconfig, Suse DB and Google and I haven't found anything related to this topic. =((
>
> Dotted usernames were a bug until SuSE 8.0.

Can you elaborate on this? I just added a user called "me.too" on a SuSE 8.1 by editing /etc/passwd and /etc/shadow and su'ed to this user. I'd say, it still works and works as expected ;-)

The alias idea might be a good solution as long as you just need an email user of that particular name. If you want/need to have system users with dots in their names, then this doesn't work. E. g., you have a system with two users Peter Meier and Peter Huber. Why not have system user names peter.meier and peter.huber?

Bye
Emmerich

-- 
Emmerich Eggler
Eggler Communications
Wannerstrasse 3/39
CH-8045 Zürich
Fon: 01 - 463 43 73
Mobile: 079 - 438 75 11
On Thu, Nov 21, 2002 at 10:21:01AM +0100, Emmerich Eggler wrote:
> > file"? Does the . belong to the username or is it the username-group delimiter?
>
> Chown is a userland program that does (stupidly) check this, but the kernel doesn't care about chown-syntax.

User names are purely a user land feature too. The kernel doesn't care about user names.

> Can you elaborate on this? I just added a user called "me.too" on a SuSE 8.1 by editing /etc/passwd and /etc/shadow and su'ed to this user. I'd say, it still works and works as expected ;-)

Of course, you can add almost anything to /etc/passwd, as long as your user name doesn't contain a colon. But what is "works as expected"? Did you run a comprehensive test suite over all 5000 packages or so that come with SuSE Linux? If so, please talk to our Q&A department, I'm sure they'll be very interested :)

There are certain conventions in the Unix world, and while it's hard to justify them in detail it's a good idea to adhere to them nevertheless. You can add a user name of ";-)" to /etc/passwd and that may even work for a surprising number of applications - but there will be the odd application that was coded with the assumption that if it's not alphanumerics, it's not a user name.

Olaf

-- 
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
On Thursday, 21 November 2002 11:41, Olaf Kirch wrote:
> On Thu, Nov 21, 2002 at 10:21:01AM +0100, Emmerich Eggler wrote:
> > > file"? Does the . belong to the username or is it the username-group delimiter?
> >
> > Chown is a userland program that does (stupidly) check this, but the kernel doesn't care about chown-syntax.
>
> User names are purely a user land feature too. The kernel doesn't care about user names.
>
> > Can you elaborate on this? I just added a user called "me.too" on a SuSE 8.1 by editing /etc/passwd and /etc/shadow and su'ed to this user. I'd say, it still works and works as expected ;-)
>
> Of course, you can add almost anything to /etc/passwd, as long as your user name doesn't contain a colon. But what is "works as expected"? Did you run a comprehensive test suite over all 5000 packages or so that come with SuSE Linux? If so, please talk to our Q&A department, I'm sure they'll be very interested :)

*grin* No, I didn't, of course.

> There are certain conventions in the Unix world, and while it's hard to justify them in detail it's a good idea to adhere to them nevertheless.

I agree: but we're on thin ice here. We can hardly know all the established conventions and therefore follow them. Again: my position is: if a dot is a valid character for a username, I should be able to use it. If it is wrong, the system __itself__ should consider this account as invalid (not any of the userland programs, where other programs and the kernel happily accept such names). Actually, we could have found a design flaw of UNIX like systems. ;-)

> You can add a user name of ";-)" to /etc/passwd and that may even work for a surprising number of applications - but there will be the odd application that was coded with the assumption that if it's not alphanumerics, it's not a user name.

sic (design flaw).

Bye
Emmerich

> Olaf

-- 
Emmerich Eggler
Eggler Communications
Wannerstrasse 3/39
CH-8045 Zürich
Fon: 01 - 463 43 73
Mobile: 079 - 438 75 11
> Of course, you can add almost anything to /etc/passwd, as long as your user name doesn't contain a colon. But what is "works as expected"?

I don't have thousands of services to worry about. It's just a qmail box. If in SuSE 7.x it was possible, why can't we do the same in SuSE 8.0? What exactly has changed?

Thank You,
Mário Viana
ISP Admin
Hi!

Yes, I know I'm rendering myself a fusspot and smart-ass, but...

On Wednesday, 20 November 2002 16:27, Peer Stefan wrote:
> Dotted usernames were a bug until SuSE 8.0.

... this is not quite right, as far as I understand the documents.

On Thursday, 21 November 2002 11:41, Olaf Kirch wrote:
> There are certain conventions in the Unix world, and while it's hard to justify them in detail it's a good idea to adhere to them nevertheless. You can add a user name of ";-)" to /etc/passwd and that may even work for a surprising number of applications - but there will be the odd application that was coded with the assumption that if it's not alphanumerics, it's not a user name.

Although SuSE Linux and GNU/Linux are "only" free Operating Systems, they usually try to adhere to certain standards - in many cases the POSIX standard.

The Posix standard (excerpt from http://www.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_0...) says the following:

======================
User Name
A string that is used to identify a user; see also User Database. To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set. The hyphen should not be used as the first character of a portable user name.
======================

and in http://www.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_0...

======================
The set of characters from which portable filenames are constructed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -

The last three characters are the period, underscore, and hyphen characters, respectively.
======================

Whether it makes sense or not - the Posix standard thus explicitly _includes_ the dot as a valid character in user names.

Result: Either I missed the Posix errata, or the SuSE-supplied GNU useradd is not Posix conforming. One could even regard this a security problem...

Regards,
Bastian

-- 
Bastian Friedrich
bastian@bastian-friedrich.de
Address & Fon available on my HP http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
 \ Girls are like internet domain names, the ones I like are already
  \ taken. Well, you can still get one from a strange country.
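Added example, not part of any message in this thread: a Python audit of passwd-format login names against the portable filename character set quoted above, which also flags dotted names that collide with the `owner.group` form of chown discussed earlier. The sample passwd and group entries are constructed, and the function names are hypothetical.

```python
import string

# POSIX portable filename character set, as quoted in the thread:
# A-Z a-z 0-9 period underscore hyphen.
PORTABLE = set(string.ascii_letters + string.digits + "._-")

# Constructed sample data in passwd/group file format (not from a real host).
SAMPLE_PASSWD = """\
peter:x:1000:100::/home/peter:/bin/bash
peter.meier:x:1001:100::/home/peter.meier:/bin/bash
me.too:x:1002:100::/home/me.too:/bin/bash
;-):x:1003:100::/home/smiley:/bin/bash
-x:x:1004:100::/home/x:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nusers:x:100:\nmeier:x:101:peter\n"

def first_fields(text):
    """Return the first colon-separated field of every non-empty line."""
    return [line.split(":", 1)[0] for line in text.splitlines() if line.strip()]

def classify(name):
    """Findings for one login name against the portable user name rule."""
    findings = []
    outside = sorted(set(name) - PORTABLE)
    if outside:
        findings.append("outside portable set: " + "".join(outside))
    if name.startswith("-"):
        findings.append("leading hyphen")
    return findings

def audit(passwd_text, group_text):
    """Map each login name that has findings to its list of findings."""
    users, groups = first_fields(passwd_text), set(first_fields(group_text))
    report = {}
    for name in users:
        findings = classify(name)
        # A dotted name is ambiguous for tools that also accept owner.group
        # when a split at some dot yields an existing user and an existing group.
        for i, ch in enumerate(name):
            if ch == "." and name[:i] in users and name[i + 1:] in groups:
                findings.append("owner.group clash: %s + %s" % (name[:i], name[i + 1:]))
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print("%-12s %s" % (name, "; ".join(findings)))
```

On the sample data, `me.too` and `suse.br`-style names pass cleanly, while `peter.meier` is flagged only because a user `peter` and a group `meier` both exist.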
participants (9)
- Achim Hoffmann
- Bastian Friedrich
- Emmerich Eggler
- Jan.Trippler@t-online.de
- Lindomar C. dos Santos
- Mario Viana
- Nazif Ilker Sezdi
- Olaf Kirch
- Peer Stefan