Univention Bugzilla – Bug 56232
Remove support for all numeric UIDs / usernames in new installations
Last modified: 2024-01-31 15:39:42 CET
All numeric UIDs lead to nasty support cases and bugs, as some client software fails to distinguish between username (LDAP: uid) and POSIX ID (LDAP: uidNumber) in these cases, see for example Bug #54537. As it is a common recommendation (we added that to our documentation) to not use all numeric values as logon, we should remove support for them and disallow them in new installations. There needs to be a "legacy support" for environments which are upgraded, where such user objects can still be created and modified.
My workaround:

# Quoted heredoc delimiter: the shell must not touch the "$" and "\" in the Python source.
cat <<'_EOL_' > /usr/local/share/my_username_syntax.py
import re

import univention.admin.syntax
import univention.admin.uexceptions

# UDM executes files from syntax.d in the namespace of univention.admin.syntax,
# which already provides the gettext function "_" used below.


class my_username_syntax(univention.admin.syntax.simple):
    name = 'my_username_syntax'
    # Note that " -." inside the character class is a range from space (0x20)
    # to dot (0x2E), so the punctuation in between is admitted as well; kept as
    # posted. Spaces themselves are rejected explicitly in parse().
    _re = re.compile(r'(?u)(^\w[\w -.]*\w$)|\w*$')

    @classmethod
    def parse(self, text):
        if isinstance(text, bytes):
            text = text.decode('UTF-8')
        if u" " in text:
            raise univention.admin.uexceptions.valueError(_("Spaces are not allowed in the username!"))
        # The actual workaround: refuse names that consist only of digits.
        if text.isdigit():
            raise univention.admin.uexceptions.valueError(_("Usernames must not contain only numbers!"))
        if self._re.match(text) is not None:
            return text
        else:
            raise univention.admin.uexceptions.valueError(_("Username must only contain numbers, letters and dots!"))
_EOL_

# Register the file as a UDM syntax extension in LDAP and select it for the
# username property of the users/user module.
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension \
    --packagename my_username \
    --packageversion 1.1 \
    --udm_syntax /usr/local/share/my_username_syntax.py \
    --ucsversionstart 5.0-0 \
    --ucsversionend 5.9-99
ucr set directory/manager/web/modules/users/user/properties/username/syntax=my_username_syntax
Legacy mode: We need a new UCR variable that is evaluated inside the syntax class (and defaults to not allow these usernames). We should set the UCR variable differently during the UCS upgrade iff the environment really needs it, i.e., if it already has such a username. This could theoretically lead to problems in domains where the Primary allows these names after the upgrade, but a newly joined system would not (as it is still the default). These domains may create a UCR policy.
Should the same be applied to gidNumbers? I would say, yes.
(In reply to Florian Best from comment #4)
> Should the same be applied to gidNumber's?
> I would say, yes.

You meant to disallow all numeric values in "CN" for groups? (gidNumbers are always numeric)
(In reply to Ingo Steuwer from comment #5)
> (In reply to Florian Best from comment #4)
> > Should the same be applied to gidNumber's?
> > I would say, yes.
>
> you meant to disallow all numeric values in "CN" for groups? (gidNumbers are
> always numeric)

Yes. For example, if one wants to do `chgrp "$grp" foo.txt` where grp=1234, we have the problem that this is ambiguous. And for computers the uid is always suffixed with "$", so there we don't need this check.
(In reply to Florian Best from comment #6)
> (In reply to Ingo Steuwer from comment #5)
> > (In reply to Florian Best from comment #4)
> > > Should the same be applied to gidNumber's?
> > > I would say, yes.
> >
> > you meant to disallow all numeric values in "CN" for groups? (gidNumbers are
> > always numeric)
>
> yes. For example if one wants to do: `chgrp "$grp" foo.txt` where grp=1234,
> we have the problem that this is ambiguous.

OK, fine for me to have the same behaviour for group names as for UIDs (new default not "numeric only", backwards compatibility by configuration). We should add an explicit "deprecation", something like "we will remove the backwards compatibility in a future release, latest in UCS 6".
OK, great. Today we discussed that we need to release this for UCS 5.0-6-errata, so that mixed environments have the same behavior. The preup.sh for UCS 5.1 will be adjusted to create a UCR policy which sets the UCR variable to enable or disable this new behavior, based on whether objects which violate the new rules exist.
During the upgrade to 5.1, the updater will check whether there are usernames or group names that only consist of numbers. If this is the case, a policy is created which sets a UCR variable. These variables determine whether it is still possible to use only numerical names. If the policies have been created and the names are later changed so that the outdated scheme is no longer in use, the admin must also remove the policies manually. The variables cannot be changed directly using UCR. This is because policies are only evaluated once per hour. To unset them and thus also remove the write protection at the same time, you can either wait or use `ucr unset --ldap-policy <UCR variable>`.

The policies are called:
- enable-legacy-username-format
- enable-legacy-group-cn-format

The UCR variables are called:
- directory/manager/user/enable-legacy-username-format
- directory/manager/group/enable-legacy-cn-format

The following behaviour applies to both UCR variables:
- True => The old format is used, where names consisting only of numbers are possible
- False => The new format is used, where names consisting only of numbers are not possible
- Not set (only for 5.0) => The old format is used, where names consisting only of numbers are possible

univention-updater.yaml
e08aef657813 | feat(univention-updater): Handle purely numeric user and group names during the upgrade

univention-updater (15.0.13-1)
e08aef657813 | feat(univention-updater): Handle purely numeric user and group names during the upgrade

univention-directory-manager-modules.yaml
cdd7876dbba1 | feat(udm): Handle purely numeric user and group names during the upgrade

univention-directory-manager-modules (15.0.25-4)
cdd7876dbba1 | feat(udm): Handle purely numeric user and group names during the upgrade
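The following is an added example, not code from this bug report or from UCS. It models, stand-alone and offline, the two mechanisms the thread describes: the syntax check gated by the legacy UCR variable (the "legacy mode" design above) and the upgrade-time detection that decides whether that variable must be set for users and for groups, together with the name-first-then-number lookup that makes `chgrp 1234` ambiguous in the first place. The directory entries, the function names and the `check_username` gate are constructed for illustration; the UCR variable names are the ones given in the comment above. One deliberate deviation from the workaround: it matches ASCII digits only, since that is what POSIX tools parse as a decimal ID, whereas `str.isdigit()` also accepts other Unicode digits.

```python
"""Added example (not code from the bug report or from UCS): a stand-alone
model of the legacy-gated username check, the upgrade-time detection of
purely numeric user and group names, and the chgrp-style name/ID ambiguity
that motivates the rule. All directory entries below are constructed."""
import re

# A name is ambiguous for POSIX tools when it parses as a decimal ID, so only
# ASCII digits count. str.isdigit() (used in the workaround above) additionally
# accepts digits such as "²" or "٣"; that over-rejects, which is harmless, but
# this pattern is the precise criterion.
NUMERIC_NAME = re.compile(r"^[0-9]+$")


def is_all_numeric(name):
    return NUMERIC_NAME.match(name) is not None


def check_username(text, legacy_allowed):
    """The gate described for the syntax class: refuse purely numeric names
    only while the legacy format is not enabled. Raises ValueError where UDM
    would raise univention.admin.uexceptions.valueError."""
    if is_all_numeric(text) and not legacy_allowed:
        raise ValueError("Usernames must not contain only numbers!")
    return text


# Constructed sample directory. uid/cn are the login and group names the bug
# is about; uidNumber/gidNumber are the POSIX IDs.
USERS = [
    {"uid": "alice", "uidNumber": 2001},
    {"uid": "1234", "uidNumber": 2002},   # violates the new rule
    {"uid": "bob", "uidNumber": 1234},    # and 1234 also exists as an ID
]
GROUPS = [
    {"cn": "Domain Users", "gidNumber": 5001},
    {"cn": "5001", "gidNumber": 5002},    # violates the new rule
]

# UCR variable names as given in the comment above.
USER_VAR = "directory/manager/user/enable-legacy-username-format"
GROUP_VAR = "directory/manager/group/enable-legacy-cn-format"


def find_numeric_names(users, groups):
    """What the 5.1 updater looks for: names consisting only of digits."""
    bad_users = [u["uid"] for u in users if is_all_numeric(u["uid"])]
    bad_groups = [g["cn"] for g in groups if is_all_numeric(g["cn"])]
    return bad_users, bad_groups


def legacy_ucr_settings(users, groups):
    """Per-object-type decision: True (keep the old format) only where an
    offending object exists, otherwise False, the new 5.1 default."""
    bad_users, bad_groups = find_numeric_names(users, groups)
    return {USER_VAR: bool(bad_users), GROUP_VAR: bool(bad_groups)}


def resolve_group(spec, groups):
    """Name-first lookup with numeric fallback, the way chgrp-style tools treat
    their argument. Returns (gidNumber chosen, ambiguous), where ambiguous means
    the numeric reading of the same argument would select a different group."""
    by_name = {g["cn"]: g["gidNumber"] for g in groups}
    gids = {g["gidNumber"] for g in groups}
    if spec in by_name:
        chosen = by_name[spec]
        numeric = int(spec) if is_all_numeric(spec) else None
        return chosen, numeric in gids and numeric != chosen
    if is_all_numeric(spec) and int(spec) in gids:
        return int(spec), False
    raise KeyError(spec)


if __name__ == "__main__":
    print(find_numeric_names(USERS, GROUPS))   # (['1234'], ['5001'])
    print(legacy_ucr_settings(USERS, GROUPS))  # both variables True
    print(resolve_group("5001", GROUPS))       # (5002, True): the name wins over the ID
```

The last line is the support case from the opening comment in miniature: `chgrp 5001` picks the group named "5001" (gidNumber 5002) rather than gidNumber 5001, and nothing in the argument tells the tool which one the admin meant. The same check on real data would be run against `uid` and `cn` values read from LDAP instead of the constructed lists.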
ucs 5.0-6
- all-numerical UIDs + group names allowed by default (unchanged behavior): OK

ucs 5.1/5.2
- automatic "legacy mode" that is activated during upgrades from 5.0-6 to 5.1/5.2 in case fully numerical names are detected on the system: OK
- all-numerical UIDs + group names disallowed by default: OK

tests: OK
advisories: OK
<https://errata.software-univention.de/#/?erratum=5.0x937> <https://errata.software-univention.de/#/?erratum=5.0x940>