Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 11:01:43PM -0500, Michael Stone wrote: > On Fri, Dec 13, 2024 at 07:00:36PM +0200, Peter Pentchev wrote: > > On Fri, Dec 13, 2024 at 10:08:19AM -0500, Michael Stone wrote: > > > On Fri, Dec 13, 2024 at 12:22:38PM +0100, Marc Haber wrote: > > > > They are planning to remove t

Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 07:00:36PM +0200, Peter Pentchev wrote: On Fri, Dec 13, 2024 at 10:08:19AM -0500, Michael Stone wrote: On Fri, Dec 13, 2024 at 12:22:38PM +0100, Marc Haber wrote: > They are planning to remove the --badname option from useradd, making > it impossible to even try UTF-8 use

Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 07:00:36PM +0200, Peter Pentchev wrote: > In the context of the whole thread, are you suggesting that adduser(1) > should be changed to use something other than useradd(8) under the hood? adduser will not do that. Doing so is nonsense. Greetings Marc -- -

Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 07:00:36PM +0200, Peter Pentchev wrote: > On Fri, Dec 13, 2024 at 10:08:19AM -0500, Michael Stone wrote: > > On Fri, Dec 13, 2024 at 12:22:38PM +0100, Marc Haber wrote: > > > They are planning to remove the --badname option from useradd, making > > > it impossible to even tr

Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 10:08:19AM -0500, Michael Stone wrote: > On Fri, Dec 13, 2024 at 12:22:38PM +0100, Marc Haber wrote: > > They are planning to remove the --badname option from useradd, making > > it impossible to even try UTF-8 user names, without patching useradd. > > Or edit the passwd fi

Re: Musings about Usernames in adduser and Debian

On Fri, Dec 13, 2024 at 12:22:38PM +0100, Marc Haber wrote: They are planning to remove the --badname option from useradd, making it impossible to even try UTF-8 user names, without patching useradd. Or edit the passwd file (vipw), or use any non-passwd-file authentication mechanism, or use a

Re: Musings about Usernames in adduser and Debian

Hi, Le 2024-12-13 13:38, IOhannes m zmölnig a écrit : and *of course* all usernames have been normalized to lowercase ASCII. I just took a look at some reasonably recent government-issued IDs and it turns out the French ones normalized my name to uppercase whatever-some-clerk-had-on-their-t

Re: Musings about Usernames in adduser and Debian

Am Fr, Dez 13, 2024 at 13:38:31 +0100 schrieb IOhannes m zmölnig: Incidentally, my kid's school rolled out their school laptops this week, which of course come with Windows11 preinstalled (as a sidenote I am now looking forward to four years of "digital competence training" consisting entirely

Re: Musings about Usernames in adduser and Debian

Am 13. Dezember 2024 13:08:01 MEZ schrieb Stephan Seitz : > >I don’t need non-ASCII for my name but I would never use a system that would >forces me to rewrite my name in ASCII because it is so utterly broken in 2024. >I bet there is no problem on Windows systems. > > Stephan > Incidental

Re: Musings about Usernames in adduser and Debian

Am Do, Dez 12, 2024 at 20:21:15 +0200 schrieb Henrik Ahlgren: I don't see much problems with single-user machines, especially security related. But, think multi-user environments? Imagine, as a non-Chinese speaking Westerner, needing to chown a file to a colleague called 陈成. Even You are joking

Re: Musings about Usernames in adduser and Debian

On Thu, Dec 12, 2024 at 08:21:15PM +0200, Henrik Ahlgren wrote: > I don't see much problems with single-user machines, especially security > related. But, think multi-user environments? Imagine, as a non-Chinese > speaking Westerner, needing to chown a file to a colleague called 陈成. I would type "

Re: Musings about Usernames in adduser and Debian

On Thu, 12 Dec 2024 11:02:21 -0500, "Theodore Ts'o" wrote: >On Tue, Dec 10, 2024 at 09:24:15PM +0100, Marc Haber wrote: >> But things are moving by shadow upstream taking a user-hostile stance, >> willing to take away freedom. I must be fine with that because I >> cannot change it. But I don't nee

Re: Musings about Usernames in adduser and Debian

On Wed, 2024-12-11 at 09:11 +0100, Marc Haber wrote: > That's easy, just choose a user name for YOU that YOU can type on YOUR > keyboard. Why would anybody chose a username that is impossible to use > in their own locale? I don't see much problems with single-user machines, especially security rel

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 10, 2024 at 09:24:15PM +0100, Marc Haber wrote: > > But things are moving by shadow upstream taking a user-hostile stance, > willing to take away freedom. I must be fine with that because I > cannot change it. But I don't need to like it. As a suggestion, we might make more forward pr

Re: Musings about Usernames in adduser and Debian

On Wed, 11 Dec 2024 10:04:44 +0900, Charles Plessy wrote: >sorry if it is too naive, but is there an easy way to determine for a >given Unicode string if it can be typed from a single keboard layout or >produced by a text-to-speech system? People who want a username because >of SSH, email and su

Re: Musings about Usernames in adduser and Debian

On 2024-12-11 10:04:44 +0900 (+0900), Charles Plessy wrote: [...] > is there an easy way to determine for a given Unicode string if it > can be typed from a single keboard layout [...] Do keyboards with a "compose" key count? There's plenty of glyphs I can type which aren't depicted directly on my

Re: Musings about Usernames in adduser and Debian

Hello everybody, sorry if it is too naive, but is there an easy way to determine for a given Unicode string if it can be typed from a single keboard layout or produced by a text-to-speech system? People who want a username because of SSH, email and su will want to be able to input it. On the oth

Re: Musings about Usernames in adduser and Debian

On Tue, 10 Dec 2024 13:13:08 -0500, "Theodore Ts'o" >Yeah, good point. If the scope is going to include passwd entries >that are distributed via network protocols like LDAP, then we need to >worry about sites that support other Linux distributions beyond just >Debian --- or for that matter, sites

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 10, 2024 at 06:08:40PM +0100, Simon Josefsson wrote: > I would involve cross-distribution discussion about this though. > Perhaps the /etc/passwd APIs affect some POSIX specifications, and a > non-ASCII extension could be proposed. Yeah, good point. If the scope is going to include pa

Re: Musings about Usernames in adduser and Debian

"Theodore Ts'o" writes: > However, it should be noted that RFC 8264 also states that code points > which are not defined in whatever version of the Unicode supported by > "the application" shall be disallowed. From Debian's perspective, > though, if we are going to take a position about what ver

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 10, 2024 at 02:52:05PM +0100, Gioele Barabucci wrote: > NFC has been mentioned in a broader discussion on PRECIS/RFC8264/RFC8265. > > The IdentifierClass of RFC 8264 explicitly disallows all these "security > land mines": https://www.rfc-editor.org/rfc/rfc8264.html#section-4.2.3 > > T

Re: Musings about Usernames in adduser and Debian

On Tue, 10 Dec 2024 12:10:14 +0100, Chris Hofstaedtler wrote: >To me, the question is more, why do we have a flag that, if used, >allows you to break /etc/{passwd,shadow,group,gshadow} completely? The user-oriented solution would be to identify the things that break /etc/passwd and to forbid thes

Re: Musings about Usernames in adduser and Debian

On 10/12/24 13:47, Theodore Ts'o wrote: On Tue, Dec 03, 2024 at 09:39:03PM +0100, Gioele Barabucci wrote: NFC would solve both of these "problems": * Both U+00E9 (é) and U+0065, U+0301 are NFC-normalized to U+00E9, * Both U+2126 (Ohm sign) and U+0349 (omega) are NFC-normalized to U+0349 (omega)

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 09:39:03PM +0100, Gioele Barabucci wrote: > NFC would solve both of these "problems": > > * Both U+00E9 (é) and U+0065, U+0301 are NFC-normalized to U+00E9, > * Both U+2126 (Ohm sign) and U+0349 (omega) are NFC-normalized to U+0349 > (omega). > > What NFC alone will not so

Re: Musings about Usernames in adduser and Debian

* Marc Haber [241209 21:21]: > On Mon, 9 Dec 2024 18:08:33 +0100, Chris Hofstaedtler > wrote: > >I echo Alejandro's concerns. We should stop having the flag > >completely, not encourage using it. > > I violently disagree. But I have to accept this. > > >IOW: if we move towards better character

Re: Musings about Usernames in adduser and Debian

On Mon, 9 Dec 2024 18:08:33 +0100, Chris Hofstaedtler wrote: >I echo Alejandro's concerns. We should stop having the flag >completely, not encourage using it. I violently disagree. But I have to accept this. >IOW: if we move towards better character support, we need to do that >by allowing it al

Re: Musings about Usernames in adduser and Debian

On Mon, 9 Dec 2024 18:04:52 +0100, Chris Hofstaedtler wrote: >This was never on the table, and shadow upstream might even drop the >entire "support" for having bad names. Just for the record, I consider this a kneejerk reaction that moves the world backwards. It's sad. -- --

Re: Musings about Usernames in adduser and Debian

* Marc Haber [241205 18:06]: > P.S.: Sadly, this has gotten less than positive coverage on LWN. I > apologize for the harm this discussion has done. Marc, my thank you for collecting the info on the wiki, and starting this discussion. I'm sorry I was not able to participate more. However, I reje

Re: Musings about Usernames in adduser and Debian

* Marc Haber [241203 22:06]: > On Tue, Dec 03, 2024 at 08:41:06PM +0100, Étienne Mollier wrote: > > Marc Haber, on 2024-12-03: > > > I'll probably deprecate --allow-bad-names in favor of something that > > > doesn't use the word "bad" (suggestions appreciated). Otoh, adduser in > > > the Red Hat W

Re: Musings about Usernames in adduser and Debian

* Ben Kallus [241208 21:35]: > I second calling it "allow-unsafe-names" This was never on the table, and shadow upstream might even drop the entire "support" for having bad names. > for the following reasons: [..] > 2. There's a path traversal bug in useradd (but not adduser) that can > be tri

Re: Musings about Usernames in adduser and Debian

Hi everyone! I second calling it "allow-unsafe-names" for the following reasons: 1. Many programs assume that usernames are so inert that they can be used in shell strings without proper escaping. For example, a user named $(touch /tmp/pwn) will create /tmp/pwn upon the first launch of an interac

Re: Musings about Usernames in adduser and Debian

On Sat, Nov 23, 2024 at 02:48:10AM -0500, nick black wrote: > I recommend Chapter 7 of my free book, "Hacking the Planet with > Notcurses: A Guide to TUIs and Character Semigraphics" for the > full story (as I understand it) regarding Unicode presentation: > https://nick-black.com/htp-notcurses.pdf

Re: Musings about Usernames in adduser and Debian

Am Do, Dez 05, 2024 at 17:05:29 +0100 schrieb Marc Haber: Neither adduser nor useradd are setuid. To be fair, passwd is setuid. And I’m sure you are using it to set the password. So it has to survive an unicode user name. Stephan -- |If your life was a horse, you'd have to shoot

Re: Musings about Usernames in adduser and Debian

On Thu, 5 Dec 2024 14:34:21 +0100, Alejandro Colomar wrote: >The best mitigation for those attacks is to ban the names altogether. >IMO, setuid programs should not accept Unicode. Oh, Bugs by Code. Dangerous. We should stop producing code completely. No code, no bugs. Neither adduser nor useradd

Re: Re: Musings about Usernames in adduser and Debian

Am Do, Dez 05, 2024 at 14:34:21 +0100 schrieb Alejandro Colomar: The best mitigation for those attacks is to ban the names altogether. IMO, setuid programs should not accept Unicode. Today, not many people want to live in the past and accept simply ASCII if there name needs a bigger character

Re: Re: Musings about Usernames in adduser and Debian

Marc wrote: > On Tue, Dec 03, 2024 at 08:41:06PM +0100, Étienne Mollier wrote: > > Marc Haber, on 2024-12-03: > > > I'll probably deprecate --allow-bad-names in favor of something that > > > doesn't use the word "bad" (suggestions appreciated). Otoh, adduser in > > > the Red Hat World uses --badnam

Re: Re: Musings about Usernames in adduser and Debian

Hi Marc, > Homograph attacks would be best mitigated in software reading > /etc/passwd, alerting in their output or logs that the user name they > just printed was composed of strange alphabets. Software that reads /etc/passwd or /etc/shadow is quite sensitive, and should therefore be as simple a

Re: Musings about Usernames in adduser and Debian

On 2024-12-03 15:45, Marc Haber wrote: On Tue, Dec 03, 2024 at 10:18:46PM +0100, Gioele Barabucci wrote: Normalization is always lossy, at least in principle. Applications that employ normalization accept that tradeoff in order to gain something valuable: in this case the ability to have a Ohm

Re: Musings about Usernames in adduser and Debian

I appreciate your being careful and deliberate about this instead of rushing into a solution that brings unintended consequences. But I also appreciate your taking the time to engage with the issue instead of just ignoring it. On Tuesday, December 3, 2024 9:20:53 AM MST Marc Haber wrote: > Hi,

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 10:18:46PM +0100, Gioele Barabucci wrote: > Normalization is always lossy, at least in principle. > > Applications that employ normalization accept that tradeoff in order to gain > something valuable: in this case the ability to have a Ohm sign codepoint as > part of your u

Re: Musings about Usernames in adduser and Debian

Marc Haber, on 2024-12-03: > On Tue, Dec 03, 2024 at 08:41:06PM +0100, Étienne Mollier wrote: > > The problem is not the name, but the character set, so perhaps > > --allow-bad-characters will be better perceived. If you want to > > also avoid "bad", maybe try --allow-ambiguous-characters, or > >

Re: Musings about Usernames in adduser and Debian

On 03/12/24 22:02, Marc Haber wrote: On Tue, Dec 03, 2024 at 09:39:03PM +0100, Gioele Barabucci wrote: On 03/12/24 17:59, Marc Haber wrote: in preparation for a PRECIS future, couldn't adduser pass the usernames through NFC instead of doing no normalization? RFC 8264 5.2.4 Normalization Rule s

Re: [Pkg-shadow-devel] Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 11:29:16AM -0600, Serge E. Hallyn wrote: > On Tue, Dec 03, 2024 at 05:20:53PM +0100, Marc Haber wrote: > > I'll probably deprecate --allow-bad-names in favor of something that > > doesn't use the word "bad" (suggestions appreciated). Otoh, adduser in > > the Red Hat World us

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 08:41:06PM +0100, Étienne Mollier wrote: > Marc Haber, on 2024-12-03: > > I'll probably deprecate --allow-bad-names in favor of something that > > doesn't use the word "bad" (suggestions appreciated). Otoh, adduser in > > the Red Hat World uses --badname to allow such names

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 09:39:03PM +0100, Gioele Barabucci wrote: > On 03/12/24 17:59, Marc Haber wrote: > > > in preparation for a PRECIS future, couldn't adduser pass the usernames > > > through NFC instead of doing no normalization? > > > > > > RFC 8264 5.2.4 Normalization Rule states: > > > >

Re: Musings about Usernames in adduser and Debian

On 03/12/24 17:59, Marc Haber wrote: in preparation for a PRECIS future, couldn't adduser pass the usernames through NFC instead of doing no normalization? RFC 8264 5.2.4 Normalization Rule states: In accordance with [RFC5198], Normalization Form C (NFC) is RECOMMENDED. that would sol

Re: Musings about Usernames in adduser and Debian

Hi Marc, Marc Haber, on 2024-12-03: > thank you all for your contributions to this discussion. I have now > finally understood¹ that it is not enough to try creating an UTF-8 > encoded user name and see that it correctly shows up in /etc/passwd to > declare UTF-8 support. Please forgive me for not

Re: Musings about Usernames in adduser and Debian

On Tue, Dec 03, 2024 at 05:46:00PM +0100, Gioele Barabucci wrote: > On 03/12/24 17:20, Marc Haber wrote: > > What I intend to do in adduser for the next unstable upload is: > > > > - adduser --system's user name validation will not change > > - I'll make sure that adduser doesn't accept > >

Re: Musings about Usernames in adduser and Debian

On 03/12/24 17:20, Marc Haber wrote: What I intend to do in adduser for the next unstable upload is: - adduser --system's user name validation will not change - I'll make sure that adduser doesn't accept UTF-8 user names, bringing it closer to systemd's notion of a valid user name

Re: Musings about Usernames in adduser and Debian

Hi, thank you all for your contributions to this discussion. I have now finally understood¹ that it is not enough to try creating an UTF-8 encoded user name and see that it correctly shows up in /etc/passwd to declare UTF-8 support. Please forgive me for not replying to all of you in this thread i

Re: Musings about Usernames in adduser and Debian

* Marc Haber [241202 09:43]: > On Sun, Dec 01, 2024 at 06:55:09PM -0500, nick black wrote: > > Marc Haber left as an exercise for the reader: > > > > * any upstream tool could say "bad idea" and refuse patches, > > > >requiring their long term management, > > > > > > Depending of how importa

Re: Musings about Usernames in adduser and Debian

Dnia Sun, 1 Dec 2024 23:27:09 +0100, Gioele Barabucci napisał(a): [...] > But a cursory search shows that none of the current upstreams support (or > mention) PRECIS. (It also shows that src:precis is a Java library squatting > a bit on that package name... :)) But at least it is an implementatio

Re: Musings about Usernames in adduser and Debian

On Sun, Dec 01, 2024 at 06:55:09PM -0500, nick black wrote: > Marc Haber left as an exercise for the reader: > > > * any upstream tool could say "bad idea" and refuse patches, > > >requiring their long term management, > > > > Depending of how important this tool is, we could get away without

Re: Musings about Usernames in adduser and Debian

On Mon, Dec 02, 2024 at 01:35:05AM -0500, nick black wrote: > WTF-8 extends UTF-8 to handle > invalid UTF-16 input. WTF-8 is a seriously defined encoding? I have only experienced that name as a mocking name for an UTF-8 string that erroneously went though UTF-8 encoding a second time (double-UTF-8

Re: Musings about Usernames in adduser and Debian

On 02/12/24 08:56, Marc Haber wrote: On Sun, Dec 01, 2024 at 09:16:03PM -0600, G. Branden Robinson wrote: These things are ugly, which is why I suppose they haven't caught on despite being around for decades, but I would guess that this problem space is such that there are no non-ugly solutions

Re: Musings about Usernames in adduser and Debian

On Sun, Dec 01, 2024 at 09:16:03PM -0600, G. Branden Robinson wrote: > These things are ugly, which is why I suppose they haven't caught on > despite being around for decades, but I would guess that this problem > space is such that there are no non-ugly solutions apart from "just > stick to ASCII"

Re: Musings about Usernames in adduser and Debian

nick black left as an exercise for the reader: > it's my understanding that Punycode's objective is to be "clean" > with regards to things that match against the hostname character > set, hence its pickup for IDN (where it's expected that DNS > will be traversing all kinds of network middleware). a

Re: Musings about Usernames in adduser and Debian

G. Branden Robinson left as an exercise for the reader: > It sounds like you want something isomorphic, if not identical, to, > Punycode. > > https://en.wikipedia.org/wiki/Punycode it's my understanding that Punycode's objective is to be "clean" with regards to things that match against the hostn

Re: Musings about Usernames in adduser and Debian

Hi nick (and Marc), At 2024-12-01T18:43:28-0500, nick black wrote: > Gioele Barabucci left as an exercise for the reader: > > You may have misunderstood that phrase. I was not referring to the > > fact that there are no standardized normalization forms for Unicode > > (I explicitly mention Annex 1

Re: Musings about Usernames in adduser and Debian

Gioele Barabucci left as an exercise for the reader: > You may have misunderstood that phrase. I was not referring to the fact that > there are no standardized normalization forms for Unicode (I explicitly > mention Annex 15 in [1]), but to the fact that there is no standard that > specifies which

Re: Musings about Usernames in adduser and Debian

Marc Haber left as an exercise for the reader: > > * any upstream tool could say "bad idea" and refuse patches, > >requiring their long term management, > > Depending of how important this tool is, we could get away without > patching and probably not even documenting this failure. This kind

Re: Musings about Usernames in adduser and Debian

On 28/11/24 11:28, Michal Politowski wrote: POSIX explicitly limits itself of a subset of ASCII, so it is not going to mandate any normalization form. Are there other standards (or initiatives) in this area that you know of? What about RFC 8265? "Preparation, Enforcement, and Comparison of Inte

Re: Musings about Usernames in adduser and Debian

Dnia Sun, 24 Nov 2024 11:22:18 +, Gioele Barabucci napisał(a): > On 24/11/24 10:43, nick black wrote: > > Gioele Barabucci left as an exercise for the reader: > > > On 23/11/24 09:32, Johannes Schauer Marin Rodrigues wrote: > > > > But my 2 cents on the topic are: Lets please allow more than as

Re: Musings about Usernames in adduser and Debian

Hi, On Wed, Nov 27, 2024 at 04:54:39PM +0100, Marc Haber wrote: > Can you outline an attack/failure scenario? On the failure side, I did a few tests and noticed that on Debian 12 if I create a user with for example é in their username then I can log in by SSH as long as that é is encoded the same

Re: Musings about Usernames in adduser and Debian

On Sat, Nov 23, 2024 at 01:36:48AM +0200, Peter Pentchev wrote: > POSIX says "if you want your applications to be portable, do not use any > funny characters in usernames": But we are not writing applications, we are a distribution. Anything that works with the software we distribute is fine. >

Re: Musings about Usernames in adduser and Debian

On Fri, Nov 22, 2024 at 10:01:24PM +0100, Gioele Barabucci wrote: > your case highlights another problem not mentioned in the original list > posted by Marc: comparison (and normalization). > > Some characters can be encoded in more than one way. For instance, "é" in > "émollier" could we stored a

Re: Musings about Usernames in adduser and Debian

On Fri, Nov 22, 2024 at 08:42:10PM +0100, Étienne Mollier wrote: > Marc Haber, on 2024-11-22: > > I might be naive here , but I don't have much experience with non-ascii > > names since I have the privilege of being fluent in two languages that > > use the latin alphabet. > > I am not sure whether

Re: Musings about Usernames in adduser and Debian

On Sun, Nov 24, 2024 at 02:19:51PM +, Simon McVittie wrote: > I think one good idea that we should certainly adopt from > is its separation between "strict mode" > (the naming convention that it encourages for all uses, and enforces > when a user is created via

Re: Musings about Usernames in adduser and Debian

Hi, On Sun, Nov 24, 2024 at 03:37:36PM +0100, Giuseppe Sacco wrote: > It is true that user account name and user (display) name are > different, of course. But still, when you log in, you use the user > account name to the access system; this is the text shown in file > ownership listing and almos

Re: Musings about Usernames in adduser and Debian

On Sat, Nov 23, 2024 at 12:53:52PM +0100, Gioele Barabucci wrote: > On 23/11/24 09:32, Johannes Schauer Marin Rodrigues wrote: > > But my 2 cents on the topic are: Lets please allow more than ascii in > > usernames. > > Yes please, but opt-in and behind a big red warning that says that it is not >

Re: Musings about Usernames in adduser and Debian

On Sun, Nov 24, 2024 at 06:06:23PM +0100, Philipp Kern wrote: > PS: My personal, ignorant, Latin-world opinion is that it is probably > too hard for most people to type each others' usernames if UTF-8 were to > be allowed. Why would anybody need to type somebody else's user name despite in "su"? I

Re: Musings about Usernames in adduser and Debian

On Sat, Nov 23, 2024 at 09:32:32AM +0100, Johannes Schauer Marin Rodrigues wrote: > But my 2 cents on the topic are: Lets please allow more than ascii in > usernames. I find it very uncomfortable every time I have to tell my students > that sorry, you somehow have to manage writing your name using

Re: Musings about Usernames in adduser and Debian

Hi nick, On Sat, Nov 23, 2024 at 02:48:10AM -0500, nick black wrote: > Marc Haber left as an exercise for the reader: > > (1) > > Should Debian allow UTF-8 user names in the first place or should we > > restrict names for regular users to some us-ascii near set as well? (I > > think yes, we should

Re: Musings about Usernames in adduser and Debian

On Sun, Nov 24, 2024 at 11:58:44AM +0100, Bjørn Mork wrote: > Marc Haber writes: > >> On the other hand, as long as this is admin-controlled, it doesn't > >> matter much. I could see that viewpoint, but I wonder how much latent > >> breakage would be introduced that will take years to fix in all t

Re: Musings about Usernames in adduser and Debian

On Sun Nov 24, 2024 at 4:03 PM CET, Bjørn Mork wrote: > Chris Hofstaedtler writes: > > > No. I see and type my username hundreds times a day, people use it > > to address me in written and spoken conversations with it, etc. > > This is confusing the subject even more. > > Are you sure you are talk

Re: Musings about Usernames in adduser and Debian

On Sun, 24 Nov 2024 at 15:37:36 +0100, Giuseppe Sacco wrote: > Moreover, adduser man page on Debian stable, states > that gecos fields will be removed after bookworm. No, it says the --gecos *option* will be removed after bookworm, replaced by --comment, which seems to be another name for the same

Re: Musings about Usernames in adduser and Debian

Chris Hofstaedtler writes: > No. I see and type my username hundreds times a day, people use it > to address me in written and spoken conversations with it, etc. This is confusing the subject even more. Are you sure you are talking about usernames? Or is this email local parts, chat nicknames

Re: Musings about Usernames in adduser and Debian

Hi Johannes, Johannes Schauer Marin Rodrigues ezt írta (időpont: 2024. nov. 23., Szo, 9:32): > > Quoting nick black (2024-11-23 08:48:10) > > You now have glyphs which occupy more than one column. Are your > > columnar/tabular programs prepared for that? ﷽𒁭𒐫i > > xfce-terminal renders this like t

Re: Musings about Usernames in adduser and Debian

Hi all, Il giorno dom, 24/11/2024 alle 13.20 +0100, Iustin Pop ha scritto: > [...] > I still don't understand the need for username to be very > representative of one's name. OTOH, my name can be fully written > using > ASCII, so maybe I miss something. But I've also had to use accounts > like > a

Re: Musings about Usernames in adduser and Debian

* Simon McVittie [241124 15:20]: > As a data point, in our default GNOME desktop, System Settings > (gnome-control-center) prompts for a "Full Name" first (behind the > scenes that's the full name part of the pw_gecos field), and a "Username" > second (this is the pw_name); and the default display

Re: Musings about Usernames in adduser and Debian

* Iustin Pop [241124 14:41]: > On 2024-11-24 14:37:24, Chris Hofstaedtler wrote: > > * Bjørn Mork [241124 11:45]: > > > Johannes Schauer Marin Rodrigues writes: > > > > > > > But my 2 cents on the topic are: Lets please allow more than ascii in > > > > usernames. I find it very uncomfortable ev

Re: Musings about Usernames in adduser and Debian

On Thu, 21 Nov 2024 at 23:26:48 +0100, Iustin Pop wrote: > As Richard also replied, full UTF-8 is tricky, and I think it's somewhat > misplaced to focus on the username, as opposed to gecos. Aren't most > other OSes using the "full name" as the "display name", and the username > is mostly one part

Re: Musings about Usernames in adduser and Debian

On 2024-11-24 14:37:24, Chris Hofstaedtler wrote: > * Bjørn Mork [241124 11:45]: > > Johannes Schauer Marin Rodrigues writes: > > > > > But my 2 cents on the topic are: Lets please allow more than ascii in > > > usernames. I find it very uncomfortable every time I have to tell my > > > students

Re: Musings about Usernames in adduser and Debian

* Bjørn Mork [241124 11:45]: > Johannes Schauer Marin Rodrigues writes: > > > But my 2 cents on the topic are: Lets please allow more than ascii in > > usernames. I find it very uncomfortable every time I have to tell my > > students > > that sorry, you somehow have to manage writing your name

Re: Musings about Usernames in adduser and Debian

On 2024-11-24 11:44:45, Bjørn Mork wrote: > Johannes Schauer Marin Rodrigues writes: > > > But my 2 cents on the topic are: Lets please allow more than ascii in > > usernames. I find it very uncomfortable every time I have to tell my > > students > > that sorry, you somehow have to manage writin

Re: Musings about Usernames in adduser and Debian

On 24/11/24 10:43, nick black wrote: Gioele Barabucci left as an exercise for the reader: On 23/11/24 09:32, Johannes Schauer Marin Rodrigues wrote: But my 2 cents on the topic are: Lets please allow more than ascii in usernames. potentially insecure (homographs) and at high-risk of breaking

Re: Musings about Usernames in adduser and Debian

Marc Haber writes: >> On the other hand, as long as this is admin-controlled, it doesn't >> matter much. I could see that viewpoint, but I wonder how much latent >> breakage would be introduced that will take years to fix in all tooling >> and all packages. > > Yes. Fixing breakage makes software

Re: Musings about Usernames in adduser and Debian

Johannes Schauer Marin Rodrigues writes: > But my 2 cents on the topic are: Lets please allow more than ascii in > usernames. I find it very uncomfortable every time I have to tell my students > that sorry, you somehow have to manage writing your name using American > letters > because that's al

Re: Musings about Usernames in adduser and Debian

Gioele Barabucci left as an exercise for the reader: > On 23/11/24 09:32, Johannes Schauer Marin Rodrigues wrote: > > But my 2 cents on the topic are: Lets please allow more than ascii in > > usernames. > > potentially insecure (homographs) and at > high-risk of breaking existing applications (lac

Re: Musings about Usernames in adduser and Debian

On 23/11/24 09:32, Johannes Schauer Marin Rodrigues wrote: But my 2 cents on the topic are: Lets please allow more than ascii in usernames. Yes please, but opt-in and behind a big red warning that says that it is not interoperable (outside POSIX), potentially insecure (homographs) and at high

Re: Musings about Usernames in adduser and Debian

Johannes Schauer Marin Rodrigues left as an exercise for the reader: > Quoting nick black (2024-11-23 08:48:10) > > You now have glyphs which occupy more than one column. Are your > > columnar/tabular programs prepared for that? ﷽𒁭𒐫i > > xfce-terminal renders this like this: https://mister-muffin.

Re: Musings about Usernames in adduser and Debian

Quoting nick black (2024-11-23 08:48:10) > You now have glyphs which occupy more than one column. Are your > columnar/tabular programs prepared for that? ﷽𒁭𒐫i xfce-terminal renders this like this: https://mister-muffin.de/p/4o2v.png No idea if this is correct and I'll leave the details to those w

Re: Musings about Usernames in adduser and Debian

Marc Haber left as an exercise for the reader: > (1) > Should Debian allow UTF-8 user names in the first place or should we > restrict names for regular users to some us-ascii near set as well? (I > think yes, we should) I feel strongly yes, despite POSIX admonitions (quoted elsewhere in this thre

Re: Musings about Usernames in adduser and Debian

On Fri, Nov 22, 2024 at 10:01:24PM +0100, Gioele Barabucci wrote: > On 22/11/24 20:42, Étienne Mollier wrote: > > I tried to consider what it would take to have an émollier or an > > Émollier login, and there is one little blocker : I may have to > > login from environments or keyboards lacking the

Re: Musings about Usernames in adduser and Debian

On 22/11/24 20:42, Étienne Mollier wrote: I tried to consider what it would take to have an émollier or an Émollier login, and there is one little blocker : I may have to login from environments or keyboards lacking the necessary i18n and l10n capabilities to transcribe the 'e' acute, let alone t

Re: Musings about Usernames in adduser and Debian

Hi Marc, Marc Haber, on 2024-11-22: > I might be naive here , but I don't have much experience with non-ascii > names since I have the privilege of being fluent in two languages that > use the latin alphabet. I am not sure whether I am the intended audience here, because my name is almost Ascii b

Re: Musings about Usernames in adduser and Debian

On Fri, Nov 22, 2024 at 03:29:24PM +0100, Timo Röhling wrote: > I have no experience with bidirectional attacks, but browsers mitigate > homograph attacks in IDNs by disallowing mixed alphabets such as cyrillic > and latin letters in the same name. That seems to be a reasonable > restriction for us

Re: Musings about Usernames in adduser and Debian

Hi, * Richard Lewis [2024-11-21 * 22:05]: would allowing utf-8 enable some of the abuse described at https://lwn.net/Articles/874951/ ? as usernames appear in logs and other output (and are passed to all sorts of commands), it seems a bad idea to be too permissive or to change from historic p

Re: Musings about Usernames in adduser and Debian

[Reducing the list to debian-devel. I have omitted to set Reply-To and apologize for that] On Thu, Nov 21, 2024 at 11:26:48PM +0100, Iustin Pop wrote: > On 2024-11-21 18:45:06, Marc Haber wrote: > > Should Debian allow UTF-8 user names in the first place or should we > > restrict names for regular

Re: Musings about Usernames in adduser and Debian

On Thu, Nov 21, 2024 at 10:05:49PM +, Richard Lewis wrote: > Marc Haber writes: > > > > For adduser's next release, I would like to discuss the following > > things: > > > > (1) > > Should Debian allow UTF-8 user names in the first place or should we > > restrict names for regular users to s

  1   2   >