* Marc Haber: > By default, adduser will verify the user against a configurable > regexp, default being the most conservative ^[a-z][a-z0-9\-]*$. The > --force-badname option will change the regexp to a hardcoded > ^[-\._A-Za-z0-9]*\$?$, allowing users to happily hang themselves. This > gives the somewhat funny situation that the default can be configured > to be less restrictive than --force-badname, but I doubt that it would > be sensible to have --force-badname turn off all checks.
The current --force-badname check is /^[A-Za-z_][-_A-Za-z0-9]*\$?$/. Wouldn't it make more sense to add the "." just to the second character class? User names starting with "-" could be truly awful. Even if a custom regular expression has been configured, you should check for "\n" and ":" in user names and reject them, just to be sure (and maybe a few more funny characters). -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
