> I think our preference would be to disallow leading numeric digits
> entirely so that for example, 0x0 and 0o0 would be blocked as well,
> to try to prevent both user and programmatic confusion.

Disallowing leading numeric digits entirely would, unfortunately,
disable a significant class of valid usernames in conflict with
historical usage.

The main motivation in fixing this is that allowing fully-numeric
usernames means there is ambiguity in contexts that can reference both
uids and usernames and do not have strong typing.  Aside from systemd,
this is mostly about shells and invocations of various command-line
tools; and neither bash nor the tools appear to interpret 0o0 or 0x0 as
numbers:

$ id 0o0
id: ‘0o0’: no such user
$ id 0x0
id: ‘0x0’: no such user
$ getent passwd 0x0
$ getent passwd 0o0

Let's please focus on the known problem case of all-numeric usernames.
If there are other confirmed security issues with octal/hex
representations of numbers, then we should also close those, but it
needs a more precise fix than disabling leading digits.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

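An added illustration of the ambiguity described in the message above (not part of the original email and not shadow's code): a shell audit that flags only fully numeric usernames in passwd-format data and reports when the numeric reading of the name points at a different account. The function names, verdict strings and sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format data for fully numeric usernames.
# All account entries below are constructed sample data.

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
0:x:1001:1001::/home/0:/bin/bash
1000:x:1002:1002::/home/1000:/bin/bash
4242:x:4242:4242::/home/4242:/bin/bash
0x0:x:1003:1003::/home/0x0:/bin/bash
3com:x:1004:1004::/home/3com:/bin/bash
EOF
}

# Reads passwd-format lines on stdin and prints one line per fully numeric
# username:  <name> uid=<uid> <verdict>
#   same-uid              numeric reading equals the account's own uid
#   collides-with=<name>  numeric reading is the uid of another account
#   unassigned-uid        numeric reading is a uid nobody holds (yet)
# Names that merely start with a digit (0x0, 3com) are not reported.
audit_numeric_names() {
    awk -F: '
        NF >= 3 { uid_of[$1] = $3 + 0; owner[$3 + 0] = $1; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (name !~ /^[0-9]+$/) continue   # only all-digit names
                num = name + 0                     # the name read as a uid
                if (num == uid_of[name])  verdict = "same-uid"
                else if (num in owner)    verdict = "collides-with=" owner[num]
                else                      verdict = "unassigned-uid"
                printf "%s uid=%d %s\n", name, uid_of[name], verdict
            }
        }'
}

# Stand-alone run over the constructed sample.
sample_passwd | audit_numeric_names
```

On a real system the same function can be fed from `getent passwd` instead of the sample.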