[systemd-devel] Github systemd issue 6237
Michael Chapman
mike at very.puzzling.org
Thu Jul 6 03:21:03 UTC 2017
On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
>> well, it doesn't even look but pretends it can't while it does, which is
>> the worst type of operation possible - as long as "adduser" of the
>> underlying OS accepts and creates "0pointer" systemd has *no business
>> at all* to pretend it can't
>
> Then it's good that it doesn't ;)
>
> # adduser 0pointer
>
> adduser: Please enter a username matching the regular expression configured
> via the NAME_REGEX configuration variable. Use the `--force-badname'
> option to relax this check or reconfigure NAME_REGEX.

I know you really only brought this up to counter Reindl's comment, but I
think it's important to point out that adduser's behaviour here is due to
its default configuration -- not due to any fundamental "problems" with
particular usernames. It's not clear why adduser's developers thought it
was a good default.

I guess what I'm saying is that saying "systemd should not support
usernames that start with a digit, since adduser doesn't" is problematic
for at least two reasons. First, adduser can be reconfigured by the
sysadmin to allow such usernames; and second, systemd places *fewer*
restrictions on usernames than adduser's default configuration. systemd
allows usernames containing uppercase letters and underscores, for
instance.

To summarize my thoughts on this matter, I think it's fine to restrict
usernames, but only for _very_ good reason. Specifically, we should not
justify such restrictions simply because they exist in one form or another
in other utilities. valid_user_group_name() currently disallows dots, for
instance, and while I recognize that using dots in a username can
sometimes be problematic, it is not in and of itself invalid. If other
software can't handle dots in usernames, that's their problem. libc can,
and that's all that's required to support it in order to use it in User=
on most systems.

But whether or not usernames are restricted, it's very important to alert
the sysadmin to the fact their unit file isn't being interpreted the way
they wrote it.
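
Added example (not part of the original message, and not systemd code): a small unit-file lint that surfaces User=/Group= values a strict name check would reject, so the sysadmin is alerted before a service starts under an account other than the one written. The rule set is an assumption that approximates only what the message describes (no leading digit, no dots, uppercase letters and underscores allowed); `lint_unit` and the sample unit are constructed for illustration.

```python
import re

# Assumed approximation of the rules described in the message; this is
# NOT systemd's valid_user_group_name() implementation.
STRICT_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")
DIRECTIVE = re.compile(r"^\s*(User|Group)\s*=\s*(.*?)\s*$")


def lint_unit(text):
    """Return (line_no, directive, value, reason) for each suspicious setting."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or unit-file comment
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "" or value.isdigit():
            continue  # nothing to check, or a purely numeric ID
        if value[0].isdigit():
            reason = "starts with a digit"
        elif "." in value:
            reason = "contains a dot"
        elif not STRICT_NAME.match(value):
            reason = "contains characters outside the assumed set"
        else:
            continue
        findings.append((line_no, key, value, reason))
    return findings


# Constructed sample unit file
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example

[Service]
ExecStart=/usr/bin/true
User=0pointer
Group=web.admins
# User=1bad is only a comment
"""

if __name__ == "__main__":
    for line_no, key, value, reason in lint_unit(SAMPLE_UNIT):
        print(f"line {line_no}: {key}={value} {reason}; "
              "verify which account the service really runs as")
```

Each finding is a prompt to compare the configured name with the account the running service actually has, not proof that the name is invalid on the host.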