X2Go Bug report logs - #1229
x2go rejects usernames starting with digits, incorrectly

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: "Norman Gray" <gray@nxg.name>

Date: Fri, 27 Oct 2017 17:00:02 UTC

Severity: normal

Tags: pending

Found in version 4.0.1.20

Fixed in version 4.0.1.21

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 27 Oct 2017 16:56:51 +0000
From gray@nxg.name  Fri Oct 27 18:56:48 2017
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=3.0 tests=BAYES_50,RCVD_IN_MSPIKE_H2,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 9F2315DAD1
	for <submit@bugs.x2go.org>; Fri, 27 Oct 2017 18:56:48 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id l7wUaXuNOVjW for <submit@bugs.x2go.org>;
	Fri, 27 Oct 2017 18:56:43 +0200 (CEST)
X-Greylist: delayed 313 seconds by postgrey-1.35 at ymir.das-netzwerkteam.de; Fri, 27 Oct 2017 18:56:43 CEST
Received: from smtp90.iad3a.emailsrvr.com (smtp90.iad3a.emailsrvr.com [173.203.187.90])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 265845DA81
	for <submit@bugs.x2go.org>; Fri, 27 Oct 2017 18:56:43 +0200 (CEST)
Received: from smtp4.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
	by smtp4.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id C015C587E;
	Fri, 27 Oct 2017 12:51:29 -0400 (EDT)
X-Auth-ID: gray@nxg.name
Received: by smtp4.relay.iad3a.emailsrvr.com (Authenticated sender: gray-AT-nxg.name) with ESMTPSA id 521CD58E1;
	Fri, 27 Oct 2017 12:51:29 -0400 (EDT)
X-Sender-Id: gray@nxg.name
Received: from [130.209.45.140] (ptolemy.astro.gla.ac.uk [130.209.45.140])
	(using TLSv1.2 with cipher DHE-RSA-AES256-SHA256)
	by 0.0.0.0:587 (trex/5.7.12);
	Fri, 27 Oct 2017 12:51:29 -0400
From: "Norman Gray" <gray@nxg.name>
To: submit@bugs.x2go.org
Subject: x2go rejects usernames starting with digits, incorrectly
Date: Fri, 27 Oct 2017 17:51:27 +0100
Message-ID: <2862B49A-8FA8-4EF0-AB61-AC0B863EB3ED@nxg.name>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Mailer: MailMate (1.9.7r5425)

Package: x2goserver
Version: 4.0.1.20

At present, x2goserver sanitises usernames with a regexp in x2goutils.pm 
and in x2gosqlitewrapper.pl (same in both places).  That's:

    if ($string =~ 
/^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) 
{

A username of, eg, '1234567x' fails this test, and the x2go session 
fails to start.  This is a valid username on CentOS (which is the OS I'm 
using in this case, but CentOS is far from unique here), therefore such 
a username should _not_ be rejected.

I have verified that the above code is indeed the source of my login 
problems, since if I hack the two files above, to have the regexp start 
with [a-zA-Z0-9\_], then my users can log in without difficulty.  This 
hacking is obviously not a great solution.

An alternative test would be to use getpwent(3).  This would verify that 
the proffered username is valid, absolutely authoritatively, without 
making any assumptions about what is or isn't valid on the current 
platform.  x2go should not second-guess getpwent(3).

In Perl terms, the above test could be replace with:

    $uid = getpwnam($string);
    if ($uid) {
        # username is OK
    } else {
        # user $string does not exist
    }

Note that the test may in fact be redundant, since if this code is being 
run, then the corresponding user has already logged on to the system, so 
that the username has already been verified as valid and existing.

Other observations:

  * If the system (or specifically getpwent) regards a given username 
as valid, then it will be valid for calls to other local library calls.  
If this were not the case, that would be a major system bug on that 
platform.

  * POSIX/Single Unix says of the username simply "To be portable 
across systems conforming to POSIX.1-2008, the value is composed of 
characters from the portable filename character set. The <hyphen-minus> 
character should not be used as the first character of a portable user 
name." (see <http://pubs.opengroup.org/onlinepubs/9699919799/>, 
paragraph 3.437)

  * The Debian useradd(8) page recommends something matching 
/^[a-z_][a-z0-9_-]*$/, but goes on to say "On Debian, the only 
constraints are that usernames must neither start with a dash ('-') nor 
contain a colon (':') or a whitespace (space: ' ', end of line: '\n', 
tabulation: '\t', etc.). Note that using a slash ('/') may break the 
default algorithm for the definition of the user's home directory." (see 
eg <https://www.unix.com/man-page/linux/8/useradd/>)

  * The corresponding RedHat/CentOS manpage doesn't even include that, 
and instead says only "Usernames may only be up to 32 characters long."  
FreeBSD is similarly laid-back about the username.

  * The GNU Coreutils manual 
<https://www.gnu.org/software/coreutils/manual/coreutils.html#Disambiguating-names-and-IDs> 
which explicitly acknowledges that an all-digits username is legitimate, 
and describes how the coreutils resolve the potential ambiguity.

  * It may have been true in the past that some unixes objected to 
all-digits usernames.  I personally am not aware of any current unixes 
which do so.

  * It is not an option to change the usernames ('1234567x') on this 
system, since they are widely deployed in other systems.  Also, they're 
valid username as far as the local system is concerned.

This issue was discussed on the user list a little while ago 
<http://lists.x2go.org/pipermail/x2go-user/2015-April/003161.html> 
(that's what gave me the aha!).  There, Mihai Moldovan said "That's 
non-standard-compliant and you're basically on your own when doing 
"funky stuff"."  To be clear, I agree such usernames are less than 
ideal, but I don't think they count as funky or non-compliant.

The issue was discussed on the x2go-dev list more recently, starting at 
<http://lists.x2go.org/pipermail/x2go-dev/2017-October/012140.html>

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Apr 20 05:46:31 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.