Update headless.adoc: Add details about allowed symbols for the username #3357
|
If we're including guidance on the username restrictions, we should also include guidance on length: https://systemd.io/USER_NAMES/#:~:text=%24%20%2C%20i.e.%20a%20size%20limit%20of,may%20be%20a%20dollar%20character. |
I had a look at this guideline, too. But it mentions that Debian-based systems have no limit for the user name length and I wanted to add documentation only about the current restrictions on the Raspberry Pi OS. (As asked in CONTRIBUTING.md.) I'm happy to add documentation that provides a recommendation for username length and points to systemd.io as a resource for further reading. |
|
That's a fair point - however the rationale provided by the systemd.io page is pretty solid:
Given that, I could see scope for a security issue - if a user is using the It's an interesting problem - and one I'm going to set a limit on in Raspberry Pi Imager for in order to mitigate. |
|
OK, then I will add a note for the length, too. Now this discussion starts to drift away from the pull request regarding the update of the documentation. But I think it's still important to have it. Restricting the username length in the rpi-imager is a good idea. BUT: Implementing restrictions in different tools that create users leads to inconsistency as the underlying problem is not solved. In my opinion the maximum username length should be restricted for every one of these setup methods. What do you think? |
|
Pulling in @spl237 for the discussion about the first-boot wizard. |
I think this is a pretty nuanced area - guidance vs enforcement. I'm generally not keen on outright prohibiting something that could, in the marginal case, be acceptable - see my previous comments on Raspberry Pi Imager regarding the username 'root'. However, in this case I have to balance the enforcement cost vs the potential harm, and I conclude that the enforcement cost is fairly minimal (leaving at least 36^31 combinations, from 255^31 combinations), but the potential harm (not noticing an errant user, incorrect reporting) to be very high. I defer to @spl237 for the wizard, but I judge the cost/harm in favour of introducing the restriction. |
|
Just to make sure I understand - the suggestion is to add a restriction in the first-boot wizard to disallow usernames longer than 31 characters? I've got no problem with doing that - it's a trivial change and as Tom says, it really isn't all that restrictive... |
|
OK, so we agree on restricting the username to max 30 characters. My previous question is still open: In case a) it is still possible to create users with long names either with the |
Given the tools (imager and wizard) will need to tell the user why their username was rejected, I think it is better to apply the restriction in the tools themselves. |
|
Agreed, this has to happen in the tooling where we can better present a help message. |
|
I created two PRs for the headless setup and the wizard and leave the rpi-image to you. |
|
Is there any reason for making this 30 characters rather than the 32 characters which has been the restriction in the wizard for several years now, and which was based on useradd's own restriction. It is also the same limit which is applied in Lite. Where has this (arbitrary) 30 character figure come from? Every spec I can find which specifies a limit specifies 32 characters, not 30. |
The PR was mainly about adding the documentation about the allowed symbols. The discussion then drifted towards the allowed length. So probably we should keep the length restriction untouched and focus only on updating the documentation to save users time on a headless setup. |
As the NAME_REGEX differs on different distributions I had to connect a screen to my 'headless' setup to find the following error message:
The provided error message is clear and helps to fix this.
As finding the error message on a real headless setup is not that straightforward, I hope this helps to avoid troubleshooting in the future.