Bug#1014450: usernames have a 32 character limit

Marc Haber

Jul 6, 2022, 6:40:03 AM
Package: adduser
Version: 3.121
Severity: normal

Hi,

the useradd documentation says that a user name has a 32 character
limit. We should enforce this as well.

In useradd, this seems to apply to the UTF-8 representation of the user
name, that is, aaääääääääääääääää (two unaccented and 16 accented
characters) is too long while aaäääääääääääääää (two unaccented and 15
accented characters) is not. So putting this restriction inside our
regular expressions is not going to help. Maybe it's just ok to let
useradd enforce this? Currently this seems to work ok, but it looks like
a train wreck:

root@salida-unstable-buildd-amd64-ydvv:/srv# adduser --system abcdefghijabcdefghijabcdefghijabc
Adding system user `abcdefghijabcdefghijabcdefghijabc' (UID 101) ...
Adding new user `abcdefghijabcdefghijabcdefghijabc' (UID 101) with group `nogroup' ...
useradd: invalid user name 'abcdefghijabcdefghijabcdefghijabc': use --badname to ignore
adduser: `/usr/sbin/useradd -r -K SYS_UID_MIN=100 -K SYS_UID_MAX=999 -d /home/abcdefghijabcdefghijabcdefghijabc -g nogroup -s /usr/sbin/nologin -u 101 abcdefghijabcdefghijabcdefghijabc' returned error code 3. Exiting.
root@salida-unstable-buildd-amd64-ydvv:/srv# adduser --system abcdefghijabcdefghijabcdefghijab
Adding system user `abcdefghijabcdefghijabcdefghijab' (UID 101) ...
Adding new user `abcdefghijabcdefghijabcdefghijab' (UID 101) with group `nogroup' ...
Creating home directory `/home/abcdefghijabcdefghijabcdefghijab' ...

Greetings
Marc

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.8-zgws1 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages adduser depends on:
ii debconf [debconf-2.0] 1.5.79
ii passwd 1:4.11.1+dfsg1-2

adduser recommends no packages.

Versions of packages adduser suggests:
ii cron 3.0pl1-144
ii liblocale-gettext-perl 1.07-4+b2
ii perl 5.34.0-4

-- debconf information excluded

Marc Haber

Jul 13, 2022, 4:50:04 PM
Hi,

On Wed, Jul 06, 2022 at 12:32:16PM +0200, Marc Haber wrote:
> the useradd documentation says that a user name has a 32 character
> limit. We should enforce this as well.

Matt, would you want to take a quick plunge at this as well? You're
still deeply acquainted with the entire name checking stuff anyway.

Greetings
Marc

Matt Barry

Jul 13, 2022, 5:00:04 PM
Sure. There actually is a test for this, and it passes (ie. fails in
every instance, for a 33 character name) - I think because useradd
fails? We might as well check it though, I'll take a look.

mb

Marc Haber

Jul 13, 2022, 5:20:03 PM
On Wed, Jul 13, 2022 at 04:50:20PM -0400, Matt Barry wrote:
> There actually is a test for this, and it passes (ie. fails in
> every instance, for a 33 character name)

Does it also fail reasonably prettily for a < 32 character UTF-8 name
that is > 32 bytes when encoded?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

Marc Haber

Jul 13, 2022, 5:20:03 PM
On Wed, Jul 13, 2022 at 04:50:20PM -0400, Matt Barry wrote:
If we are ok with erroring out with a useradd error message, and the
output is not offensively ugly, I'm fine with that, and we can just
close this bug as fixed in 3.122. I am not emotional about this.

Matt Barry

Jul 13, 2022, 5:30:03 PM
On Wed, 2022-07-13 at 23:09 +0200, Marc Haber wrote:
> On Wed, Jul 13, 2022 at 04:50:20PM -0400, Matt Barry wrote:
> > On Wed, 2022-07-13 at 22:44 +0200, Marc Haber wrote:
> > > On Wed, Jul 06, 2022 at 12:32:16PM +0200, Marc Haber wrote:
> > > > the useradd documentation says that a user name has a 32
> > > > character
> > > > limit. We should enforce this as well.
> > >
> > > Matt, would you want to take a quick plunge at this as well?
> > > You're
> > > still deeply acquainted with the entire name checking stuff
> > > anyway.
> >
> > Sure.  There actually is a test for this, and it passes (ie. fails
> > in
> > every instance, for a 33 character name) - I think because useradd
> > fails?  We might as well check it though, I'll take a look.
>
> If we are ok with erroring out with a useradd error message, and the
> output is not offensively ugly, I'm fine with that, and we can just
> close this bug as fixed in 3.122. I am not emotional about this.

I would apply that patch at some point; it isn't urgent, but it is
cleaner.

Matt Barry

Jul 13, 2022, 5:30:04 PM
On Wed, 2022-07-13 at 23:11 +0200, Marc Haber wrote:
> On Wed, Jul 13, 2022 at 04:50:20PM -0400, Matt Barry wrote:
> > There actually is a test for this, and it passes (ie. fails in
> > every instance, for a 33 character name)
>
> Does it also fail reasonably prettily for a < 32 character UTF-8 name
> that is > 32 bytes when encoded?

(new patch)

/h/d/adduser $ sudo adduser фффффффффффффффффффффффф
adduser: Usernames must be no more than 32 bytes in length;
note that if you are using Unicode characters, the character
limit will be less than 32.

In the 3.121, the IEEE check will squash it.
In 3.22:

~/h/d/adduser $ sudo adduser фффффффффффффффффффффффф --allow-all-names
Allowing use of questionable username.
Adding user `фффффффффффффффффффффффф' ...
Adding new group `фффффффффффффффффффффффф' (1023) ...
groupadd: 'фффффффффффффффффффффффф' is not a valid group name
adduser: `/sbin/groupadd -g 1023 фффффффффффффффффффффффф' returned error code 3. Exiting.

so, not ideal, but it does error.
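
The byte-versus-character distinction discussed in this thread, as an added example that is not part of the original messages and is not adduser's own code. `CHAR_LIMIT_RE` is a hypothetical character-counting pattern (not adduser's real name regex), `check_name_length` is an illustrative helper, and the sample names are constructed after the ones quoted above.

```python
import re
from typing import NamedTuple

# Limit from the thread: names longer than 32 bytes (UTF-8) are rejected.
MAX_NAME_BYTES = 32

# Hypothetical character-counting pattern, NOT adduser's real name regex:
# the {1,32} quantifier counts code points, not encoded bytes.
CHAR_LIMIT_RE = re.compile(r"\A\w{1,32}\Z")


class LengthCheck(NamedTuple):
    chars: int           # code points in the name
    utf8_bytes: int      # size of the UTF-8 encoding
    regex_accepts: bool  # verdict of the character-based pattern
    fits_limit: bool     # verdict of the byte-based check


def check_name_length(name: str, limit: int = MAX_NAME_BYTES) -> LengthCheck:
    """Compare a character-based length rule with the byte-based one."""
    encoded = name.encode("utf-8")
    return LengthCheck(
        chars=len(name),
        utf8_bytes=len(encoded),
        regex_accepts=CHAR_LIMIT_RE.match(name) is not None,
        fits_limit=len(encoded) <= limit,
    )


# Constructed sample names modelled on the ones quoted in the thread.
SAMPLES = {
    "ascii_33": "abcdefghij" * 3 + "abc",   # 33 ASCII characters
    "ascii_32": "abcdefghij" * 3 + "ab",    # 32 ASCII characters
    "accented_18": "aa" + "\u00e4" * 16,    # 2 plain + 16 two-byte characters
    "accented_17": "aa" + "\u00e4" * 15,    # 2 plain + 15 two-byte characters
    "cyrillic_24": "\u0444" * 24,           # 24 two-byte Cyrillic characters
}

if __name__ == "__main__":
    for label, name in SAMPLES.items():
        r = check_name_length(name)
        print(f"{label}: chars={r.chars} bytes={r.utf8_bytes} "
              f"regex={r.regex_accepts} fits={r.fits_limit}")
```

The rows where `regex_accepts` is true but `fits_limit` is false are the cases a character-based pattern lets through and a byte-length check has to catch.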
