57

I want to create user accounts named after a domain name. adduser complains that the usernames need to match the NAME_REGEX regular expression.

adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable.  Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.

I can add the users using useradd without complaint. Is there a reason that I shouldn't modify the regular expression to allow ., - and _?

What characters will cause problems and shouldn't be allowed in usernames?

This is the default NAME_REGEX.

NAME_REGEX="^[a-z][-a-z0-9]*\$"
Josh
Ed Haber
    Note that `NAME_REGEX` already accepts `-` as long as it's not the first character. – Déjà vu Sep 03 '15 at 06:02
  • Why not add `.`? Consider a user named `.` or `..`. Then, `rm` that user named `..`. – Jon May 05 '17 at 19:08
    @Jon that's not an issue since `rm` is not the command to use when deleting a user. I agree `..` is not a sensible name for similar reasons, but `rm` is not one of those. – toon81 Oct 29 '18 at 12:14

4 Answers

40

More specifically, the POSIX ("Portable Operating System Interface for Unix") standard (IEEE Standard 1003.1 2008) states:


3.437 User Name

A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.


3.282 Portable Filename Character Set

The set of characters from which portable filenames are constructed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -

Any username that complies with this standard is POSIX-compliant, and ought to be safe.

Niko
HopelessN00b
    While this is true it's generally frowned upon to have upper-case characters in usernames - people have enough trouble with case-sensitive passwords, and making them have to remember case in their usernames is just kicking them when they're down. (Exception: When your username convention is `ALL UPPERCASE CHARACTERS`.) – voretaq7 Feb 25 '14 at 21:28
    As of POSIX.1-2017, those definitions have moved a bit. 3.431 User Name is now [3.437 User Name](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437) and 3.278 Portable Filename Character Set is now [3.282 Portable Filename Character Set](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_282) – Chuck Wolber Sep 14 '18 at 17:50
    @voretaq7 What I think is legit is to *preserve* case in a username, but make sign-ins case-insensitive. So a username could be CatInTheHat but sign in specifying catinthehat or catintheHAT or whatever. – StackOverflowUser Sep 06 '19 at 22:54
  • So, if we have a user `FOO` and a user `foo`, and I come around and try to sign in as "Foo"... what happens? – Tom Hundt May 30 '20 at 01:24
  • That would be an invalid username. – HopelessN00b May 30 '20 at 15:25
  • Case-folding obviously also needs to happen when checking for an already existing user. – MaxNoe Feb 15 '21 at 16:33
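A small checker, added here as an illustration and not taken from the answer above, that encodes the two rules the thread compares: Debian's stock NAME_REGEX from the question and the POSIX portable user name definition quoted in this answer. It also flags names that are POSIX-portable yet still bite in practice: a leading hyphen, the names `.` and `..`, a dot anywhere (the old `chown user.group` spelling), and mixed case. The function names and the wording of the problem strings are my own.

```python
import re

# Debian's default NAME_REGEX as quoted in the question (the "\$" in the
# config file is only the shell-escaped "$" anchor).
DEBIAN_DEFAULT_NAME_REGEX = re.compile(r"^[a-z][-a-z0-9]*$")

# POSIX.1-2017 3.437 / 3.282: a portable user name is built from the portable
# filename character set and does not begin with <hyphen-minus>.
POSIX_PORTABLE_USER_NAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")


def is_debian_default_ok(name: str) -> bool:
    """True if adduser with the stock NAME_REGEX would accept the name."""
    return DEBIAN_DEFAULT_NAME_REGEX.fullmatch(name) is not None


def is_posix_portable(name: str) -> bool:
    """True if the name is a portable user name in the POSIX sense."""
    return POSIX_PORTABLE_USER_NAME.fullmatch(name) is not None


def username_problems(name: str) -> list:
    """Return the reasons a name may misbehave even where POSIX permits it.

    Each check corresponds to a point raised somewhere in this thread; an
    empty list means the name is POSIX-portable and free of the known traps.
    """
    problems = []
    if not name:
        problems.append("empty name")
        return problems
    if not is_posix_portable(name):
        if name.startswith("-"):
            # A leading hyphen is parsed as an option by most tools
            # (useradd -x, chown -x, ...), which is why POSIX excludes it.
            problems.append("starts with hyphen-minus")
        bad = sorted(set(c for c in name if not re.fullmatch(r"[A-Za-z0-9._-]", c)))
        if bad:
            problems.append("non-portable characters: " + "".join(bad))
    if name in (".", ".."):
        # Would give a home directory of /home/. or /home/.. and collide with
        # the self/parent entries every directory already has.
        problems.append("name is '.' or '..'")
    elif "." in name:
        # chown still accepts "user.group", so "domain.com" can be read as
        # user "domain" in group "com" by scripts that use that spelling.
        problems.append("contains '.', ambiguous with chown's user.group form")
    if name != name.lower():
        # Allowed by POSIX, but mixed case invites the FOO/foo/Foo confusion
        # raised in the comments on this answer.
        problems.append("contains upper-case letters")
    return problems


if __name__ == "__main__":
    for candidate in ["www-data", "example.com", "_svc1", "-foo", "..", "Foo$bar"]:
        print(f"{candidate!r:14} debian={is_debian_default_ok(candidate)!s:5} "
              f"posix={is_posix_portable(candidate)!s:5} {username_problems(candidate)}")
```

Note where the two rules disagree: `example.com` and `_svc1` are POSIX-portable but fail Debian's default regex, while `www-data` passes both because the hyphen is not in first position.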
31

My advice to you is to follow the standard recommended by the default NAME_REGEX. You can actually put nearly anything in a user name under *NIX but you may encounter odd problems with library code that makes assumptions. Case in point:

https://web.archive.org/web/20170928165345/http://blog.endpoint.com/2008/08/on-valid-unix-usernames-and-ones-sanity.html

My question to you: do you have a lot of domain names that would collide with each other if you stripped out the unusual punctuation? For example, do you have both "QUALITY-ASSURANCE" and "QUALITYASSURANCE" as domain names? If not, you could simply adopt a policy of stripping out the unusual characters and using what's left as the user name.

Also, you could use the "real name" section of the GECOS field in the /etc/passwd information to store the original, unmodified domain name, and scripts could extract it pretty easily.

steveha
  • It is the running into random unexpected bugs part that I'm worried about. I can pretty easily remove the periods and still have no chance of name clashes, but the - could cause a problem. Still it is pretty unlikely. – Ed Haber Oct 09 '09 at 23:28
  • So the debian system I'm using is using a user www-data. So it looks like - should be ok to be used in usernames. – Ed Haber Oct 13 '09 at 00:36
  • Actually, that regular expression permits '-' in user names! The first letter needs to be a-z, but subsequent letters of the user names can be '-', a-z, or 0-9. – steveha Oct 13 '09 at 18:22
  • Ohh! You're right. I missed the extra `-` when I was looking at it. – Ed Haber Oct 14 '09 at 15:12
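The stripping policy steveha suggests, written out as an added example that is not part of the answer: lower-case the domain, drop the dots, keep hyphens (the default NAME_REGEX already allows them after the first character), prefix a letter when the result would otherwise start with a digit, and detect domains that collapse to the same user name before creating anything. The prefix letter `d`, the function names and the `adduser --disabled-password --gecos` command shape are my choices; the unmodified domain goes into the GECOS field as the answer recommends.

```python
import re

# Debian's default NAME_REGEX from the question; every generated name must pass it.
DEBIAN_DEFAULT_NAME_REGEX = re.compile(r"^[a-z][-a-z0-9]*$")

# Anything outside the characters the default regex allows after position 0.
NOT_ALLOWED = re.compile(r"[^a-z0-9-]")


def domain_to_username(domain: str) -> str:
    """Map a DNS name to a name that satisfies Debian's default NAME_REGEX.

    Dots are dropped, hyphens are kept, every other character is removed,
    and a name that would start with a digit gets a hypothetical "d" prefix
    so that the first character is a lower-case letter.
    """
    name = domain.lower().rstrip(".")      # "Example.COM." -> "example.com"
    name = name.replace(".", "")           # "example.com"  -> "examplecom"
    name = NOT_ALLOWED.sub("", name)       # drop "_", IDN letters, etc.
    name = name.lstrip("-")                # the regex forbids a leading hyphen
    if not name:
        raise ValueError(f"nothing usable left in {domain!r}")
    if not name[0].isalpha():
        name = "d" + name                  # "1and1.example" -> "d1and1example"
    if not DEBIAN_DEFAULT_NAME_REGEX.fullmatch(name):
        raise ValueError(f"{name!r} does not match NAME_REGEX")
    return name


def build_account_plan(domains):
    """Return (plan, collisions).

    plan maps each unique user name to its original domain (the GECOS value);
    collisions lists the groups of domains that would share one user name, so
    they can be resolved by hand before any account is created.
    """
    by_user = {}
    for domain in domains:
        by_user.setdefault(domain_to_username(domain), []).append(domain)
    plan = {user: ds[0] for user, ds in by_user.items() if len(ds) == 1}
    collisions = [ds for ds in by_user.values() if len(ds) > 1]
    return plan, collisions


def adduser_command(username: str, domain: str) -> list:
    """argv for creating the account, with the real domain stored in GECOS."""
    return ["adduser", "--disabled-password", "--gecos", domain, username]


if __name__ == "__main__":
    # Constructed sample input: two domains that differ only by a dot collide.
    sample = ["qa.example.com", "qaexample.com", "foo.example", "1and1.example"]
    plan, collisions = build_account_plan(sample)
    for user, domain in plan.items():
        print(" ".join(adduser_command(user, domain)))
    for group in collisions:
        print("collision, resolve manually:", group)
```

Because the dot is the only punctuation removed that the regex does not otherwise accept, the collision check is mostly about pairs like `qa.example.com` and `qaexample.com`; hyphens survive, so `quality-assurance.example` and `qualityassurance.example` stay distinct.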
1

It seems that there is a reason behind this limitation.

If you try to run a systemd service for scripts, it can start as root rather than as the user. This is caused by systemd not recognizing a user with a dot (a domain.com user name, for example) as a valid user, so it runs the service as root instead. This may already be fixed on the systemd side, but it is still a risk.

Also, having dots in the user name creates some issues with scripts using chown, which still accepts a dot as the separator between user name and group name. If chown still accepts dots, there will be scripts using this notation, which will break if a user name contains a dot.

Arunas Bartisius
0

From the NAME_REGEX it can be deduced that everything but a through z in upper- and lowercase and the numbers 0 through 9 would be bad.

wzzrd