xrmx
commented
4 years ago Better avoid only digits and whatever starts with digits: https://access.redhat.com/solutions/3103631
Open baldoalessandro opened 4 years ago
xrmx
commented
4 years ago Better avoid only digits and whatever starts with digits: https://access.redhat.com/solutions/3103631
lu-zero
commented
4 years ago POSIX
While all-numeric usernames are not forbidden by POSIX, they can introduce ambiguity. Many programs will not care - they're either manipulating a string or an integer, and will do the right thing in each case. But CLI tools receive all their inputs as strings, so they have to make assumptions about whether "1001" should be treated as an integer UID or as a string username.
chown in coreutils is one such example: it will first try to interpret a user string as a name (using getpwnam(3)) and then if that fails, try to parse it as a (decimal) number. Thus, scripts that do chown 0 filename to ensure a file is owned by root can be subverted if a user called 0 is later added to the system. To disambiguate these cases, coreutils supports prefixing user/group identifiers with + to ensure they are interpreted numerically [4]. Other tools that have trouble with numeric user names include Access Control Lists (acl(5)) and getent(1).
The problem is potentially also present for usernames that begin with digits, when interpreted by programs that are not very careful with library calls. atoi("3dogs") will return 3 with no warning. strtoul(3) is safer, but only if the endptr argument is checked after the call to ensure the whole input was consumed.So anything goes, but you should feed it to getpwnam to know what exactly is.
For UID I've found only a 16bit and 32bit versions, but for the username I wasn't able to find any clear standard. https://unix.stackexchange.com/questions/157426/what-is-the-regex-to-validate-linux-users