account username creation regex doesn't correlate with useradd regex

[PatrikMosko]

When trying to create new account, I am limited to usernames matching this regex:
^[a-zA-Z0-9.-_]*$

Based on what useradd(8) tells me I should be able to create usernames obeying roughly this pattern:
^[a-z_][a-z0-9_-]{0,30}([a-z0-9_-]|\$)$

In reality, after quick look in shadow/libmisc/chkname.c::is_valid_name (for ubuntu/focal), the proper regex should be:
^[^-~+:,\s][^:,\s]{,32}$

---

Is there any valid reason why cockpit is more strict when it comes to username selection?

What if cockpit admin will be allowed to insert his own regex (somewhere) to set his own rules for usernames?
Same potentially applies for passwords or common passwords checks (dictionary checks).

[PatrikMosko]

btw, I do realize the regex that cockpit is using is POSIX-compliant for usernames, but question still remains the same, why its even there when useradd has its own internal vaidation check.

[garrett]

The user accounts page was made a long time ago, before I joined the team years ago, so I cannot definitively speak as to "why", but it's most likely to have an immediate check on client-side during user creation, instead of filling out all the information and have it fail when after a user account is created.

Even if that is the case, it should use the same exact checks as on server side.

And Cockpit should temporarily hold the values in the client side after it passes them to the server side, in case the user account creation fails for whatever reason, so someone doesn't have to start over from scratch if they were considered even slightly "wrong" by useradd.

This is definitely a bug if the client-side check doesn't use the server-side check (or at least the same rules).

As Cockpit runs on several Linux distros (with some possibly having different defaults) and an admin could theoretically change the rules, Cockpit should avoid having hardcoded client-side checks. However, it should definitely use client-side checks when possible for user experience reasons.

Summary: It's a bug that the check isn't the same.

[PatrikMosko]

Also, I am not very familiar with this stuff, but I know that adduser(8) for example may use /etc/adduser.conf to pull the NAME_REGEX that is used for this check, useradd most likely isnt using this file (hard guess).

I know cockpit is using useradd(8) rather than adduser(8).. maybe this information might be of relevance to you.

[garrett]

I've opened a bug for this @ #17716.

We're currently in the process of overhauling the user accounts page (current redesign @ #17604), so I'm hopeful that this will be addressed soon as well.