[Pkg-xfce-devel] Bug#785237: Bug#785237: lightdm-gtk-greeter: Please remove leading spaces from user name
pi-c at arcor.de
Thu May 14 06:49:05 UTC 2015
On 05/13/2015 10:52:49 PM, Yves-Alexis Perez wrote:
> On mer., 2015-05-13 at 20:05 +0200, Andreas Schmidt wrote:
> > Package: lightdm-gtk-greeter
> > Version: 2.0.0-3
> > Severity: wishlist
> > Wouldn't it be possible to remove leading spaces from the input in
> the user
> > name field before matching user and password? Are leading spaces in
> user names
> > even allowed? If so, unconditionally removing them could cause
> issues for
> > people
> > with such user names. These might be prevented, however, if the
> test was for a
> > match of (password and username) OR (password and username without
> > spaces), rather than just (password and username).
> I'm honestly really not confident about that, that doesn't look like a
> great idea at first sight, so you'd have to justify a bit more it's
root at debian:~# adduser ' test'
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not
a dash (as defined by IEEE Std 1003.1-2001). For compatibility with
machine accounts $ is also supported at the end of the username
root at debian:~#
root at debian:~# useradd ' test'
useradd: invalid user name ' test'
root at debian:~# man useradd
It is usually recommended to only use usernames that begin with
a lower case letter or an underscore, followed by lower case letters,
digits, underscores, or dashes. They can
end with a dollar sign. In regular expression terms:
On Debian, the only constraints are that usernames must neither
start with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
colon (':'), a comma (','), or a whitespace
(space: ' ', end of line: '\n', tabulation: '\t', etc.). Note
that using a slash ('/') may break the default algorithm for the
definition of the user's home directory.
At least on Debian, it seems to be impossible to have usernames
starting with white space. I don't know about other distros, or
filesystems on different systems that are mounted into Debian. Also,
I'm not much of a programmer, so I really don't know whether there
would be implications beyond "user cannot login" (which would be
serious enough). But from my naive perspective, it seems that removing
stuff which shouldn't be there in the first place should be OK.
However, if removing leading spaces seems too radical, I would also be
happy about getting a visual warning -- similar to the hint "Caps Lock
is on" in the password field. The problem is that a single space in
front of the user name is too hard to see, as it is not really wide
enough. To know exactly why a login attempt failed (wrong user name
instead of wrong password) would be far less frustrating than poking
around in the dark.
More information about the Pkg-xfce-devel