On 05/13/2015 10:52:49 PM, Yves-Alexis Perez wrote:
On mer., 2015-05-13 at 20:05 +0200, Andreas Schmidt wrote:
> Package: lightdm-gtk-greeter
> Version: 2.0.0-3
> Severity: wishlist
>
> Wouldn't it be possible to remove leading spaces from the input in the user
> name field before matching user and password? Are leading spaces in user names
> even allowed? If so, unconditionally removing them could cause issues for
> people with such user names. These might be prevented, however, if the test
> was for a match of (password and username) OR (password and username without
> leading spaces), rather than just (password and username).

I'm honestly really not confident about that, that doesn't look like a
great idea at first sight, so you'd have to justify a bit more it's
safe.

********
root@debian:~# adduser ' test'
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not start with a dash (as defined by IEEE Std 1003.1-2001). For compatibility with Samba
machine accounts $ is also supported at the end of the username
root@debian:~#
root@debian:~# useradd ' test'
useradd: invalid user name ' test'
root@debian:~# man useradd
[...]
CAVEATS
[...]
It is usually recommended to only use usernames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?

On Debian, the only constraints are that usernames must neither start with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a colon (':'), a comma (','), or a whitespace (space: ' ', end of line: '\n', tabulation: '\t', etc.). Note that using a slash ('/') may break the default algorithm for the definition of the user's home directory.
[...]
********

At least on Debian, it seems to be impossible to have usernames starting with white space. I don't know about other distros, or filesystems on different systems that are mounted into Debian. Also, I'm not much of a programmer, so I really don't know whether there would be implications beyond "user cannot login" (which would be serious enough). But from my naive perspective, it seems that removing stuff which shouldn't be there in the first place should be OK.

However, if removing leading spaces seems too radical, I would also be happy about getting a visual warning -- similar to the hint "Caps Lock is on" in the password field. The problem is that a single space in front of the user name is too hard to see, as it is not really wide enough. To know exactly why a login attempt failed (wrong user name instead of wrong password) would be far less frustrating than poking around in the dark.

Best regards,

Andreas
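
Added example, not part of the original message or of lightdm-gtk-greeter: the Debian constraints quoted from useradd(8) above written as a C check, plus a hypothetical greeter-side classifier that flags a leading space so the UI can show a visible hint instead of silently rewriting the input. The function and enum names are assumptions, and rejecting an empty name is an assumption the quoted man page text does not state.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constraints quoted from useradd(8) CAVEATS on Debian: a name must not
 * start with '-', '+' or '~', and must not contain ':', ',' or whitespace. */
int debian_name_ok(const char *name)
{
    /* Assumption: an empty name is rejected (not stated in the quoted text). */
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr("-+~", name[0]) != NULL)
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == ':' || *p == ',' || isspace((unsigned char)*p))
            return 0;
    }
    return 1;
}

/* Hypothetical result codes for the greeter UI. */
enum name_hint { NAME_OK, NAME_LEADING_SPACE, NAME_INVALID };

/* Hypothetical greeter-side helper: classify what was typed in the user
 * name field. If trimmed is non-NULL it receives a pointer just past any
 * leading whitespace, so the caller can display or retry that form. */
enum name_hint classify_typed_name(const char *typed, const char **trimmed)
{
    const char *p = typed;

    while (*p != '\0' && isspace((unsigned char)*p))
        p++;
    if (trimmed != NULL)
        *trimmed = p;

    if (p == typed)
        return debian_name_ok(typed) ? NAME_OK : NAME_INVALID;

    /* Leading whitespace was typed. Under the Debian rules the untrimmed
     * string cannot be an account name, so only the trimmed form can match;
     * report it so the user sees why the login would fail. */
    return debian_name_ok(p) ? NAME_LEADING_SPACE : NAME_INVALID;
}
```

The check only reflects the Debian rules quoted in this message; accounts coming from other name services may follow different rules, which is why the classifier reports the condition rather than changing what is submitted.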
