From gray@nxg.name Fri Oct 27 18:56:48 2017
From: "Norman Gray" <gray@nxg.name>
To: submit@bugs.x2go.org
Subject: x2go rejects usernames starting with digits, incorrectly
Date: Fri, 27 Oct 2017 17:51:27 +0100
Message-ID: <2862B49A-8FA8-4EF0-AB61-AC0B863EB3ED@nxg.name>
Package: x2goserver
Version: 4.0.1.20

At present, x2goserver sanitises usernames with a regexp in x2goutils.pm and in x2gosqlitewrapper.pl (same in both places). That's:

    if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) {

A username of, eg, '1234567x' fails this test, and the x2go session fails to start. This is a valid username on CentOS (which is the OS I'm using in this case, but CentOS is far from unique here), therefore such a username should _not_ be rejected.

I have verified that the above code is indeed the source of my login problems, since if I hack the two files above to have the regexp start with [a-zA-Z0-9\_], then my users can log in without difficulty. This hacking is obviously not a great solution.

An alternative test would be to use getpwent(3). This would verify that the proffered username is valid, absolutely authoritatively, without making any assumptions about what is or isn't valid on the current platform. x2go should not second-guess getpwent(3). In Perl terms, the above test could be replaced with:

    # getpwnam returns undef for an unknown user; test with 'defined' rather
    # than plain truth, because root's uid is 0 and 0 is false in boolean context
    my $uid = getpwnam($string);
    if (defined $uid) {
        # username is OK
    } else {
        # user $string does not exist
    }

Note that the test may in fact be redundant, since if this code is being run, then the corresponding user has already logged on to the system, so that the username has already been verified as valid and existing.

Other observations:

* If the system (or specifically getpwent) regards a given username as valid, then it will be valid for calls to other local library calls. If this were not the case, that would be a major system bug on that platform.

* POSIX/Single Unix says of the username simply "To be portable across systems conforming to POSIX.1-2008, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name." (see [URL elided], paragraph 3.437)

* The Debian useradd(8) page recommends something matching /^[a-z_][a-z0-9_-]*$/, but goes on to say "On Debian, the only constraints are that usernames must neither start with a dash ('-') nor contain a colon (':') or a whitespace (space: ' ', end of line: '\n', tabulation: '\t', etc.). Note that using a slash ('/') may break the default algorithm for the definition of the user's home directory." (see eg [URL elided])

* The corresponding RedHat/CentOS manpage doesn't even include that, and instead says only "Usernames may only be up to 32 characters long." FreeBSD is similarly laid-back about the username.

* The GNU Coreutils manual [URL elided] explicitly acknowledges that an all-digits username is legitimate, and describes how the coreutils resolve the potential ambiguity.

* It may have been true in the past that some unixes objected to all-digits usernames. I personally am not aware of any current unixes which do so.

* It is not an option to change the usernames ('1234567x') on this system, since they are widely deployed in other systems. Also, they're valid usernames as far as the local system is concerned.

This issue was discussed on the user list a little while ago [URL elided] (that's what gave me the aha!). There, Mihai Moldovan said "That's non-standard-compliant and you're basically on your own when doing "funky stuff"." To be clear, I agree such usernames are less than ideal, but I don't think they count as funky or non-compliant.

The issue was discussed on the x2go-dev list more recently, starting at [URL elided]

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
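The following is an added example written for this page; it is neither part of the bug report nor x2goserver's own code. It transcribes the quoted Perl pattern into Python to show why a session for user '1234567x' is refused, and then implements the report's proposal: split the session ID by shape only and let the system user database (getpwnam) decide whether the user part names a real account. The layout <user>-<display>-<timestamp>_<name>_dp<depth> is assumed from the quoted regexp; the SHAPE_RE pattern, the parse_session_id/uid_of helpers and the FAKE_PASSWD table (which stands in for /etc/passwd so the code runs offline) are all constructed here and are not from the project. The lookup parameter exists so the same code runs against the real pwd module or the constructed table.

```python
import pwd
import re
from collections import namedtuple

# The x2goserver check quoted in the report (x2goutils.pm / x2gosqlitewrapper.pl),
# transcribed from Perl.  The first character class is [a-zA-Z_], so a session
# for user '1234567x' can never match, whatever the user database says.
ORIGINAL_RE = re.compile(
    r'^([a-zA-Z_][a-zA-Z0-9_\-.@]{0,47}\$?)-(\d{2,4})-(\d{9,12})_[a-zA-Z0-9_\-.]*_dp\d{1,2}$'
)

# Shape-only alternative (assumption: layout is <user>-<display>-<timestamp>_<name>_dp<depth>,
# as the original pattern implies).  The user part is captured greedily and NOT
# validated by the pattern; that decision is delegated to the user database.
SHAPE_RE = re.compile(r'^(.+)-(\d{2,4})-(\d{9,12})_([a-zA-Z0-9_\-.]*)_dp(\d{1,2})$')

# Minimal stand-in for pwd.struct_passwd, used by the constructed table below.
PwEntry = namedtuple('PwEntry', 'pw_name pw_uid')


def regex_accepts(session_id):
    """True if the original x2goserver pattern matches the session ID."""
    return ORIGINAL_RE.match(session_id) is not None


def uid_of(username, lookup=pwd.getpwnam):
    """Authoritative check, as the report proposes: ask the user database.

    Returns the uid, or None when the user does not exist.  Callers must test
    'is not None' rather than truthiness: root's uid is 0, which is falsy.
    """
    try:
        return lookup(username).pw_uid
    except KeyError:          # pwd.getpwnam raises KeyError for unknown names
        return None


def parse_session_id(session_id, lookup=pwd.getpwnam):
    """Split a session ID by shape, then confirm the user part is a real account.

    Returns a dict of the parsed fields, or None if the shape is wrong or the
    user does not exist.  No assumption is made about what a username looks like.
    """
    m = SHAPE_RE.match(session_id)
    if m is None:
        return None
    user, display, stamp, name, depth = m.groups()
    uid = uid_of(user, lookup)
    if uid is None:
        return None
    return {
        'user': user, 'uid': uid, 'display': int(display),
        'timestamp': int(stamp), 'name': name, 'depth': int(depth),
    }


# Constructed user table standing in for /etc/passwd on the CentOS host in the
# report: a digit-leading username, a normal one, and root (uid 0).
FAKE_PASSWD = {
    'root': PwEntry('root', 0),
    '1234567x': PwEntry('1234567x', 1001),
    'alice': PwEntry('alice', 1002),
}


def fake_getpwnam(name):
    """Offline replacement for pwd.getpwnam with the same KeyError contract."""
    try:
        return FAKE_PASSWD[name]
    except KeyError:
        raise KeyError('getpwnam(): name not found: ' + name)


if __name__ == '__main__':
    sid = '1234567x-50-1509123456_stDXFCE_dp24'   # constructed session ID
    print('original regexp accepts:', regex_accepts(sid))        # False
    print('shape + getpwnam:', parse_session_id(sid, fake_getpwnam))
```

Run against the real system by dropping the lookup argument (parse_session_id(sid) uses pwd.getpwnam). The separation matters for the defender: the shape check only guards the parts x2go itself generates (display, timestamp, depth), while the existence of the account is decided by the same database the login already consulted, so the two can never disagree about what a valid username is.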