On Fri, Nov 22, 2024 at 03:29:24PM +0100, Timo Röhling wrote: > I have no experience with bidirectional attacks, but browsers mitigate > homograph attacks in IDNs by disallowing mixed alphabets such as cyrillic > and latin letters in the same name. That seems to be a reasonable > restriction for user names as well.
I am not willing to implement that myself in adduser. I will accept code and test cases written by others, but this is a thing that goes beyond my resources. Additionally, it won't help since an attacker can directly write to /etc/passwd. Homograph attacks would be best mitigated in software reading /etc/passwd, alerting in their output or logs that the user name they just printed was composed of strange alphabets. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
