From: Emmerich Eggler (emm_at_eggler.ch)
Date: Thu Nov 21 2002 - 04:54:17 CST


    On Thursday, 21 November 2002 11:41, Olaf Kirch wrote:
    > On Thu, Nov 21, 2002 at 10:21:01AM +0100, Emmerich Eggler wrote:
    > > > file" ? Does the . belong to the username or is it the username-group
    > > > delimiter?
    > >
    > > Chown is a userland program that does (stupidly) check this, but the
    > > kernel doesn't care about chown-syntax.
    >
    > User names are purely a user land feature too. The kernel doesn't care
    > about user names.
    >
    > > Can you elaborate on this? I just added a user called "me.too" on a SuSE
    > > 8.1 by editing /etc/passwd and /etc/shadow and su'ed to this user. I'd
    > > say, it still works and works as expected ;-)
    >
    > Of course, you can add almost anything to /etc/passwd, as long as your
    > user name doesn't contain a colon. But what is "works as expected"?
    > Did you run a comprehensive test suite over all 5000 packages or so
    > that come with SuSE Linux? If so, please talk to our Q&A department,
    > I'm sure they'll be very interested :)

    *grin* No, I didn't, of course.

    > There are certain conventions in the Unix world, and while it's hard to
    > justify them in detail it's a good idea to adhere to them nevertheless.

    I agree: but we're on thin ice here. We can hardly know all the established
    conventions and therefore follow them. Again: my position is: if a dot is a
    valid character for a username, I should be able to use it. If it is wrong,
    the system __itself__ should consider this account as invalid (not any of the
    userland programs, where other programs and the kernel happily accept such
    names). Actually, we could have found a design flaw of UNIX-like systems. ;-)

    > You can add a user name of ";-)" to /etc/passwd and that may even work
    > for a surprising number of applications - but there will be the odd
    > application that was coded with the assumption that if it's not
    > alphanumerics, it's not a user name.

    sic (design flaw).

    Bye
    Emmerich

    > Olaf

    -- 
    Emmerich Eggler
    Eggler Communications
    Wannerstrasse 3/39
    CH-8045 Zürich
    Fon:    01  - 463 43 73
    Mobile: 079 - 438 75 11
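
An added example, not part of the original thread: a small audit of passwd-format text for the cases discussed above (a colon inside a name, a dot that a tool with `owner.group` syntax may treat as a delimiter, and names outside the alphanumeric-style set some programs assume). The `CONSERVATIVE` pattern, the function name `audit_passwd` and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumed conservative rule (not taken from the thread): lowercase letter or
# underscore first, then lowercase letters, digits, underscore or hyphen.
CONSERVATIVE = re.compile(r"^[a-z_][a-z0-9_-]*$")

# Constructed sample data in passwd(5) format; not from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
me:x:1000:100:Me:/home/me:/bin/bash
me.too:x:1001:100:Me Too:/home/me.too:/bin/bash
;-):x:1002:100:Smiley:/home/smiley:/bin/bash
bad:name:x:1003:100:Colon:/home/bad:/bin/bash
"""
SAMPLE_GROUPS = {"users", "too"}

def audit_passwd(text, group_names=()):
    """Return {login or '<line N>': [findings]} for passwd-format text."""
    findings, logins = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A colon inside a name shifts every later field.
            findings[f"<line {lineno}>"] = [
                f"expected 7 colon-separated fields, got {len(fields)}"]
            continue
        logins.append(fields[0])
    known = set(logins)
    for name in logins:
        notes = []
        if not CONSERVATIVE.match(name):
            notes.append("outside conservative character set")
        if "." in name:
            notes.append("dot: owner.group syntax may split this name")
            left, right = name.split(".", 1)
            if left in known and right in group_names:
                notes.append(
                    f"ambiguous: also reads as user '{left}', group '{right}'")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for key, notes in audit_passwd(SAMPLE_PASSWD, SAMPLE_GROUPS).items():
        print(f"{key}: " + "; ".join(notes))
```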
    
