[Pkg-xfce-devel] Bug#785237: Bug#785237: lightdm-gtk-greeter: Please remove leading spaces from user name

Andreas Schmidt pi-c at arcor.de
Thu May 14 06:49:05 UTC 2015


On 05/13/2015 10:52:49 PM, Yves-Alexis Perez wrote:
> On mer., 2015-05-13 at 20:05 +0200, Andreas Schmidt wrote:
> > Package: lightdm-gtk-greeter
> > Version: 2.0.0-3
> > Severity: wishlist
> >
> > Wouldn't it be possible to remove leading spaces from the input in  
> the user
> > name field before matching user and password? Are leading spaces in  
> user names
> > even allowed? If so, unconditionally removing them could cause  
> issues for
> > people
> > with such user names. These might be prevented, however, if the  
> test was for a
> > match of (password and username) OR (password and username without  
> leading
> > spaces), rather than just (password and username).
> 
> I'm honestly really not confident about that, that doesn't look like a
> great idea at first sight, so you'd have to justify a bit more it's
> safe.

********
root at debian:~# adduser ' test'
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not  
start with
a dash (as defined by IEEE Std 1003.1-2001). For compatibility with  
Samba
machine accounts $ is also supported at the end of the username
root at debian:~#
root at debian:~# useradd ' test'
useradd: invalid user name ' test'
root at debian:~# man useradd
[...]
CAVEATS
[...]
        It is usually recommended to only use usernames that begin with  
a lower case letter or an underscore, followed by lower case letters,  
digits, underscores, or dashes. They can
        end with a dollar sign. In regular expression terms:  
[a-z_][a-z0-9_-]*[$]?

        On Debian, the only constraints are that usernames must neither  
start with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a  
colon (':'), a comma (','), or a whitespace
        (space: ' ', end of line: '\n', tabulation: '\t', etc.). Note  
that using a slash ('/') may break the default algorithm for the  
definition of the user's home directory.
[...]
********

At least on Debian, it seems to be impossible to have usernames  
starting with white space. I don't know about other distros, or  
filesystems on different systems that are mounted into Debian. Also,  
I'm not much of a programmer, so I really don't know whether there  
would be implications beyond "user cannot login" (which would be  
serious enough). But from my naive perspective, it seems that removing  
stuff which shouldn't be there in the first place should be OK.

However, if removing leading spaces seems too radical, I would also be  
happy about getting a visual warning -- similar to the hint "Caps Lock  
is on" in the password field. The problem is that a single space in  
front of the user name is too hard to see, as it is not really wide  
enough. To know exactly why a login attempt failed (wrong user name  
instead of wrong password) would be far less frustrating than poking  
around in the dark.

Best regards,

Andreas


More information about the Pkg-xfce-devel mailing list