IEEE Std 1003.1-2001 and valid characters in usernames
The following information is based on current versions of Unix/Linux operating systems. adduser and addgroup enforce conformity to IEEE Std 1003.1-2001, which allows only the following characters to appear in group and user names:
letters, digits, underscores, periods, at signs (@), dollar sign ($), and dashes.
The name may not start with a dash.
The "$" sign is allowed at the end of usernames (to conform with Samba).
IEEE Std 1003.1-2001 is one of the POSIX standards. To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set.
POSIX compliance, and compatibility with other *NIX variants, is one reason that adduser limits the characters in usernames.
But the default NAME_REGEX is even more restrictive than the POSIX portable filename character set:
    ^[a-z][-a-z0-9]*$
With PAM, it is possible for any system administrator to set up their own rules for usernames, so compliance with IEEE Std 1003.1-2001 is technically not an issue.
However, in most environments, these standards still do apply for a good reason.
A CentOS server was recently found to have a username which contained whitespace. It is almost certain that the entry was created by directly editing the passwd and shadow files. The account is perfectly usable for logins:
/etc/passwd:
    a :x:333:333::/tmp:/bin/bash
/etc/shadow:
    a :$6$M2SivZHYmLUpWQf0$/LI4IPf/e.92Z.np1VLcIdCvQ1TmvSosEG8S/JjkypbpI9zXH/eRFibAUog/hz1mukndOHgdngkcqbSOZFXNm0:16261:0:99999:7:::
For that reason, the decision was made to add a new test to the Perl Operations Acceptance Testing (OAT) script to catch these unusual settings.
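A Python rendition of such a check, added here as an example (it is not the Perl OAT script itself): it parses passwd/shadow records without trimming the username, flags names outside the IEEE Std 1003.1-2001 set described above or outside adduser's default NAME_REGEX, and verifies the crypt(3) digest length. The sample records and the placeholder digest are constructed.

```python
import re
# Character set the page says adduser enforces for IEEE Std 1003.1-2001: letters,
# digits, "_", ".", "@", "$" and "-"; no leading dash, "$" only as the last char.
POSIX_NAME_RE = re.compile(r'^[A-Za-z0-9_.@][A-Za-z0-9_.@-]*\$?$')
# adduser's default NAME_REGEX from the page, stricter than the standard.
ADDUSER_NAME_RE = re.compile(r'^[a-z][-a-z0-9]*$')
# Digest length after the last "$" per crypt(3) id; the page quotes 86 for $6$ (SHA-512).
DIGEST_LEN = {'1': 22, '5': 43, '6': 86}   # "$6$rounds=N$..." forms are not handled

def check_username(name):
    """Return AUDIT-* findings for one username; the name is never trimmed."""
    if not POSIX_NAME_RE.match(name):
        return ['AUDIT-WARN Username "%s" contains characters non-conforming '
                'with IEEE Std 1003.1-2001' % name]
    if not ADDUSER_NAME_RE.match(name):
        return ['AUDIT-INFO Username "%s" is POSIX-portable but would be '
                'rejected by the default adduser NAME_REGEX' % name]
    return []

def check_hash(name, field):
    """Check that a $id$salt$digest field has the digest length its id implies."""
    m = re.match(r'^\$(\d)\$([^$]+)\$([^$]+)$', field)
    if not m or m.group(1) not in DIGEST_LEN:
        return ['AUDIT-INFO Username "%s": password field is not a recognised '
                'crypt(3) hash' % name]
    want, got = DIGEST_LEN[m.group(1)], len(m.group(3))
    if want == got:
        return ['AUDIT-PASS Correct length of encrypted password string for '
                'user "%s" (%d)' % (name, want)]
    return ['AUDIT-WARN Encrypted password string for user "%s" is %d chars, '
            'expected %d' % (name, got, want)]

def audit(passwd_text, shadow_text):
    """Run both checks over passwd/shadow contents and return all findings."""
    # split(':') keeps the trailing space in "a "; .split() or .strip() would hide it.
    hashes = dict(l.split(':')[:2] for l in shadow_text.splitlines() if l)
    findings = []
    for line in passwd_text.splitlines():
        if line:
            name = line.split(':')[0]
            findings += check_username(name)
            findings += check_hash(name, hashes[name]) if name in hashes else []
    return findings

# Constructed sample records (not from a real system); the "a " entry mirrors the
# page's example, with an 86-character placeholder digest.
PASSWD_SAMPLE = ("root:x:0:0:root:/root:/bin/bash\na :x:333:333::/tmp:/bin/bash\n"
                 "-svc:x:334:334::/home/svc:/bin/sh\nwkstn01$:x:335:335::/home/w:/bin/false\n")
SHADOW_SAMPLE = ("a :$6$saltsalt$" + "A" * 86 + ":16261:0:99999:7:::\n"
                 "root:$6$saltsalt$" + "B" * 40 + ":16261:0:99999:7:::\n")
```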
    AUDIT-WARN Home directory for "a " (/tmp) group-writable!
    AUDIT-WARN Home directory for "a " (/tmp) world-writable!
    AUDIT-INFO Username "a ": hashing-algorithm=SHA-512, salt=M2SivZHYmLUpWQf0, hashed-password-and-salt=/LI4IPf/e.92Z.np1VLcIdCvQ1TmvSosEG8S/JjkypbpI9zXH/eRFibAUog/hz1mukndOHgdngkcqbSOZFXNm0
    AUDIT-PASS Correct length of encrypted password string for user "a " (86 for hashing-algorithm=SHA-512)
    AUDIT-WARN Username "a " contains characters non-conforming with IEEE Std 1003.1-2001
    AUDIT-INFO Password expiry status for "a "
    Last password change                                    : Jul 10, 2014
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7
Note that the standard Unix command pwck would partially detect this problem too:
    # pwck
    invalid user name 'a '
Linux OAT Script
The latest version of the Linux Operations Acceptance Testing script is at these two URLs: