MAXLOGNAME + /etc/group + chkgrp invalid character @

Chuck Swiger cswiger at
Wed Nov 9 00:48:30 UTC 2011


On Nov 8, 2011, at 4:32 PM, Dan The Man wrote:
> On Tue, 8 Nov 2011, Chuck Swiger wrote:
>> On Nov 8, 2011, at 3:47 PM, Dan The Man wrote:
>>> In the daily cron "Daily run output" email always get the following:
>>> Verifying group file syntax:
>>> chkgrp: /etc/group: line 3: '@' invalid character
>> chkgrp expects group names to consist of characters in isalnum().
> K so thats a simple fix where it does that check.

usr.sbin/chkgrp/chkgrp.c, line ~117:

       for (cp = f[0] ; *cp ; cp++) {
            if (!isalnum(*cp) && *cp != '.' && *cp != '_' && *cp != '-' &&
                (cp > f[0] || *cp != '+')) {
                warnx("%s: line %d: '%c' invalid character", gfn, n, *cp);

Add a "&& *cp != '@'" clause to the if statement.

>>> Could we modify system to support email addresses as usernames.
>> Sure, that's why FreeBSD comes with source code.
>> You can modify anything you like.  :-)
>> However, if you want to use a domain-aware login mechanism, Kerberos is in the base system, and SASL and LDAP are available in ports.  You're not going to break anything allowing "@" into the list of characters which pw(8) likes, but the flatfile passwd and group files are not hierarchical the way domain-aware network identity systems are.
>> A secondary issue is that there is rarely a one-to-one relationship between email addresses and users; many email addresses are aliases which expand either to a different username, or even to multiple users.
> Wish you would elaborate abit more here, what I have found is email addresses tend to make the best usernames, people can remember them :)
> They are unique, and you solve 2 problems right away:
> a) they can actually remember their username
> b) they aren't having to pick through a million different taken usernames
> they have to pick on their own, which is frusterating way people often do signups.

If you've got a database of millions of users, you're definitely functioning in a different realm than what /etc/passwd and /etc/group were designed for.  :-)

Anyway, the idea is that you should be able to define multiple hierarchy levels for your identity database, which NIS+, NetInfo, Kerberos, and LDAP (kinda-sorta) can support.  This lets you define an identity either at the root level, which is visible everywhere, or in subdomains from root, which means the identity is valid only within that subdomain but not in other subdomains-- and "johndoe" in one subdomain can be entirely different than "johndoe" in some other domain.  (If you want "johndoe" the same everywhere, you'd define it at root instead.)

That's just a bare-bones explanation, but a more complete one would likely approach book-length.  :-)

>> You might not care, but don't be surprised if you find that folks aren't willing to adopt this change back into FreeBSD-- I've seen a few people wanting to increase MAXLOGNAME since 2003 or so.
> I've talked to many sys admins as well, that are all modifying the code to the kernel for a decade now on every new make buildworld, would be nice to see it mainstream.

Sure, you can find examples or counterexamples if you look for 'em...


More information about the freebsd-current mailing list