29.10.2024 14:06, Marc Haber wrote:
On Sun, Aug 04, 2024 at 01:44:09PM +0200, Chris Hofstaedtler wrote:
On Sat, Aug 03, 2024 at 05:38:59PM +0200, Chris Hofstaedtler wrote:
We allow backslashes in adduser to cater for some samba corner
cases where a user named domain\user is needed.
I am kind of concerned that this tightening of src:shadow's allowed user
name character ranges breaks actual use cases.
I've briefly chatted with mjt, and he thinks it is fine to restrict
backslashes.
Putting mjt in the loop: Are you aware that backslashes in user names
are a rather common thing in mixed Unix/Windows environments, where
DOMAIN\user is often mapped 1:1 into Unix user names?
I agree that \ can be restricted for tailing the user name, but I think
that we should be ready to accommodate user names containing backslashes.
Um.
The thing here is two-fold.
What I thought was about putting usernames with backslashes into
local /etc/passwd & /etc/shadow. This is at least part of shadow-utils.
It is definitely not okay to forbid users with backslashes generally.
Exactly because of this samba/windows example, - which, I think, is the
only example where backslash is used, and where it is *commonly* used
too.
Since e.g. passwd itself is also from shadow-utils, and it deals with
passwd changes using pam, it should not restrict usernames with slashes.
But useradd et al, who deal with /etc/passwd /etc/shadow, should.
That's what I had in mind.
There is a slight possibility to have a domain user DOMAIN\user, *and*
to override local password for it, using this DOMAIN\user as username
in /etc/passwd and /etc/shadow. But this is a dark-grey area, and had
issues with samba for multiple versions (where having local and domain
user of the same name didn't work at all), and samba upstream actively
discourages such use, despite it actually working fine. This is what
puzzled me for a bit when zeha asked me this question. But having in
mind all the above and possible abuse of backslashes in local /etc/
files, I'd say we should not count on this.
Thanks,
/mjt
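
An added example, not part of the original message or of shadow-utils: a small audit that lists local passwd entries whose name contains a backslash and reports whether shadow holds a usable local password for them, the "override local password" case described above. The sample data, account names and function names are constructed for illustration.

```python
"""Audit passwd/shadow-format text for local accounts named like DOMAIN\\user."""

# Constructed sample data in passwd(5)/shadow(5) format, not from a real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "EXAMPLE\\bob:x:1001:1001:Bob:/home/bob:/bin/bash\n"
    "EXAMPLE\\carol:x:1002:1002:Carol:/home/carol:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "root:*:19900:0:99999:7:::\n"
    "alice:$y$j9T$constructed$hash:19900:0:99999:7:::\n"
    "EXAMPLE\\bob:$y$j9T$constructed$hash:19900:0:99999:7:::\n"
    "EXAMPLE\\carol:!:19900:0:99999:7:::\n"
)

def parse_colon_db(text):
    """Map login name (first field) to the remaining colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *rest = line.split(":")
        entries[name] = rest
    return entries

def password_state(shadow_fields):
    """Classify the password field of one shadow entry (None = no entry)."""
    if shadow_fields is None:
        return "no-shadow-entry"
    pw = shadow_fields[0] if shadow_fields else ""
    if pw == "":
        return "empty"
    if pw[0] in "!*":          # '!' or '*' prefix: no password login possible
        return "locked"
    return "local-password"    # a hash is present: local password overrides

def audit_backslash_names(passwd_text, shadow_text):
    """Return (name, uid, password_state) for each passwd name containing '\\'."""
    shadow = parse_colon_db(shadow_text)
    findings = []
    for name, fields in parse_colon_db(passwd_text).items():
        if "\\" not in name:
            continue
        uid = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
        findings.append((name, uid, password_state(shadow.get(name))))
    return findings

if __name__ == "__main__":
    for finding in audit_backslash_names(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```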