On Tue, Oct 29, 2024 at 02:32:07PM +0300, Michael Tokarev wrote:
> 29.10.2024 14:06, Marc Haber wrote:
> > On Sun, Aug 04, 2024 at 01:44:09PM +0200, Chris Hofstaedtler wrote:
> > > On Sat, Aug 03, 2024 at 05:38:59PM +0200, Chris Hofstaedtler wrote:
> > > > > We allow backslashes in adduser to cater for some samba corner
> > > > > cases where a user named domain\user is needed.
> > > > >
> > > > > I am kind of concerned that this tightening of src:shadow's allowed
> > > > > user name character ranges breaks actual use cases.
> > >
> > > I've briefly chatted with mjt, and he thinks it is fine to restrict
> > > backslashes.
> >
> > Putting mjt in the loop: Are you aware that backslashes in user names
> > are a rather common thing in mixed Unix/Windows environments, where
> > DOMAIN\user is often mapped 1:1 into Unix user names?
> >
> > I agree that \ can be restricted for trailing the user name, but I think
> > that we should be ready to accommodate user names containing backslashes.
[..]
> What I thought was about putting usernames with backslashes into
> local /etc/passwd & /etc/shadow. This is at least part of shadow-utils.
> It is definitely not okay to forbid users with backslashes generally.
> Exactly because of this samba/windows example, - which, I think, is the
> only example where backslash is used, and where it is *commonly* used
> too.

This part is about passwd (the tool for changing passwords), yes? I don't
think passwd (the tool) has a username restriction - I didn't check,
however.

> Since e.g. passwd itself is also from shadow-utils, and it deals with
> passwd changes using pam, it should not restrict usernames with slashes.
> But useradd et al, who deal with /etc/passwd /etc/shadow, should.
>
> That's what I had in mind.

So indeed the question was about useradd/adduser, and (secondary) other
tools dealing with usernames in /etc/passwd and /etc/shadow.

> There is a slight possibility to have a domain user DOMAIN\user, *and*
> to override local password for it, using this DOMAIN\user as username
> in /etc/passwd and /etc/shadow. But this is a dark-grey area, and had
> issues with samba for multiple versions (where having local and domain
> user of the same name didn't work at all), and samba upstream actively
> discourages such use, even though it actually works fine. This is what
> puzzled me for a bit when zeha asked me this question. But having in
> mind all the above and possible abuse of backslashes in local /etc/
> files, I'd say we should not count on this.

I'm not sure what you are saying in your last sentence, but ISTM you're
saying "it probably doesn't work anyway"? Which is what I believe you told
me on IRC back then.

Best,
Chris