61

I want to create user accounts named after a domain name. adduser complains that the usernames need to match the NAME_REGEX regular expression.

adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable.  Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.

I can add the users using useradd without complaint. Is there a reason that I shouldn't modify the regular expression to allow ., - and _?

What characters will cause problems and shouldn't be allowed in usernames?

This is the default NAME_REGEX.

NAME_REGEX="^[a-z][-a-z0-9]*\$"
Josh
  • 9,218
Ed Haber
  • 765
  • 3
    Note that NAME_REGEX already accepts - as long as it's not the first character. – Déjà vu Sep 03 '15 at 06:02
  • Why not add .?

    Consider a user named . or ... Then, rm that user named ...

    – Jon May 05 '17 at 19:08
  • 3
    @Jon that's not an issue since rm is not the command to use when deleting a user. I agree .. is not a sensible name for similar reasons, but rm is not one of those. – toon81 Oct 29 '18 at 12:14

4 Answers

44

More specifically, the POSIX ("Portable Operating System Interface for Unix") standard (IEEE Standard 1003.1 2008) states:


3.437 User Name

A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.


3.282 Portable Filename Character Set

The set of characters from which portable filenames are constructed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -


Any username that complies with this standard is POSIX-compliant, and ought to be safe.

Niko
  • 109
HopelessN00b
  • 53,954
  • 7
    While this is true it's generally frowned upon to have upper-case characters in usernames - people have enough trouble with case-sensitive passwords, and making them have to remember case in their usernames is just kicking them when they're down. (Exception: When your username convention is ALL UPPERCASE CHARACTERS.) – voretaq7 Feb 25 '14 at 21:28
  • 2
    As of POSIX.1-2017, those definitions have moved a bit.

    3.431 User Name is now 3.437 User Name and 3.278 Portable Filename Character Set is now 3.282 Portable Filename Character Set

    – Chuck Wolber Sep 14 '18 at 17:50
  • 2
    @voretaq7 What I think is legit is to preserve case in a username, but make sign-ins case-insensitive. So a username could be CatInTheHat but sign in specifying catinthehat or catintheHAT or whatever. – StackOverflowUser Sep 06 '19 at 22:54
  • So, if we have a user FOO and a user foo, and I come around and try to sign in as "Foo"... what happens? – Tom Hundt May 30 '20 at 01:24
  • That would be an invalid username. – HopelessN00b May 30 '20 at 15:25
  • Case-folding obviously also needs to happen when checking for an already existing user. – MaxNoe Feb 15 '21 at 16:33
  • Case folding would be a bad thing. This is from the time when you had terminals with all uppercase and no lowercase characters, so you would not be able to distinguish between upper-case and lower-case user names. So the rule of thumb is that a user name (and group name) should be a maximum of 8 characters long and only lower-case characters: start with a letter and then also allow - and digits. But yes, you can have a ., but that would be a problem for chown(1), for instance, as it uses . to separate user name and group name. – Anders Nov 21 '23 at 13:59
  • There are other troublesome characters, like :. And for why, look at the man pages passwd(5) and shadow(5). – Anders Nov 21 '23 at 14:19
32

My advice to you is to follow the standard recommended by the default NAME_REGEX. You can actually put nearly anything in a user name under *NIX but you may encounter odd problems with library code that makes assumptions. Case in point:

https://web.archive.org/web/20170928165345/http://blog.endpoint.com/2008/08/on-valid-unix-usernames-and-ones-sanity.html

My question to you: do you have a lot of domain names that would collide with each other if you stripped out the unusual punctuation? For example, do you have both "QUALITY-ASSURANCE" and "QUALITYASSURANCE" as domain names? If not, you could simply adopt a policy of stripping out the unusual characters and using what's left as the user name.

Also, you could use the "real name" section of the GECOS field in the /etc/passwd information to store the original, unmodified domain name, and scripts could extract it pretty easily.

steveha
  • 1,029
  • It is the running into random unexpected bugs part that I'm worried about. I can pretty easily remove the periods and still have no chance of name clashes, but the - could cause a problem. Still it is pretty unlikely. – Ed Haber Oct 09 '09 at 23:28
  • So the Debian system I'm using is using a user www-data. So it looks like - should be OK to be used in usernames. – Ed Haber Oct 13 '09 at 00:36
  • 1
    Actually, that regular expression permits '-' in user names! The first letter needs to be a-z, but subsequent letters of the user names can be '-', a-z, or 0-9. – steveha Oct 13 '09 at 18:22
  • Ohh! You're right. I missed the extra - when I was looking at it. – Ed Haber Oct 14 '09 at 15:12
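As an added illustration of the two answers above (the POSIX portable character set with its troublesome characters, and the "strip the punctuation and watch for collisions" policy), here is a small Python helper; it is not code from the thread, and the domain-to-username policy it implements is the one sketched above, with leading digits and hyphens dropped as an extra assumption so the result still matches NAME_REGEX:

```python
import re

# Default adduser NAME_REGEX from the question; the "\$" is only shell escaping.
NAME_REGEX = re.compile(r"^[a-z][-a-z0-9]*$")

# POSIX.1-2017 3.282 portable filename character set.
PORTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "abcdefghijklmnopqrstuvwxyz0123456789._-")

def check_username(name):
    """Report whether `name` passes adduser's default check ('default_regex'),
    is POSIX-portable per 3.437 (portable charset, no leading hyphen), and
    which characters the thread reports as troublesome ('warnings')."""
    warnings = []
    if ":" in name:
        warnings.append("':' is the field separator in passwd(5)/shadow(5)")
    if name.startswith("-"):
        warnings.append("leading '-' is forbidden by POSIX 3.437")
    if "." in name:
        warnings.append("'.' is the legacy user.group separator of chown(1)")
    if name != name.lower():
        warnings.append("upper-case letters are rejected by the default NAME_REGEX")
    portable = bool(name) and set(name) <= PORTABLE and not name.startswith("-")
    return {"default_regex": bool(NAME_REGEX.match(name)),
            "posix_portable": portable,
            "warnings": warnings}

def domain_to_username(domain):
    """Lower-case the domain and drop every character the default NAME_REGEX
    rejects (dots and other punctuation; '-' is kept). Leading characters
    that are not a-z are removed so the first-character rule still holds."""
    stripped = re.sub(r"[^a-z0-9-]", "", domain.lower())
    return stripped.lstrip("-0123456789")

def usernames_for_domains(domains):
    """Map user name -> original domain (the value is what would go into the
    GECOS 'real name' field). Raises ValueError on a collision."""
    mapping = {}
    for domain in domains:
        user = domain_to_username(domain)
        if not check_username(user)["default_regex"]:
            raise ValueError("no valid user name derivable from %r" % domain)
        if user in mapping and mapping[user] != domain:
            raise ValueError("%r and %r both map to %r" % (mapping[user], domain, user))
        mapping[user] = domain
    return mapping
```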
2

It seems that there is a reason behind this limitation.

If you try to run a systemd(1) service for scripts, it can start as root and not as an ordinary user. It's caused by systemd not recognizing a user with a dot (a domain.com user name, for example) as a valid user and running the service as root instead. This may already be fixed on the systemd side, but it still carries a risk.

Also, having dots in the user name creates some issues with scripts using chown(1), which accepts dots as a separator between user name and group name; see the man page for chown(1) on the system to identify whether it is the legacy or modernized version. In older systems, there could be scripts using this notation, which will break if a user name contains a dot.

  • The chown(1) argument that separates user and group names with a . is valid.

    But there are some rules of thumb that you also should apply. Many programs suppose that the user name has a maximum length of 8 characters. You can have longer names, but you should not. Also, login names usually are restricted to lower-case characters. But you still can have upper-case characters in a user name.

    Same applies to group names.

    – Anders Nov 21 '23 at 13:48
  • 1
    This is a historical issue. Previous versions of the chown utility used the dot (".") character to distinguish the group name. This has been changed to be a colon (":") character, so that user and group names may contain the dot character. – Arunas Bart Nov 21 '23 at 14:32
0

From NAME_REGEX it can be deduced that everything but a through z in upper and lower case and the numbers 0 through 9 would be bad.

wzzrd
  • 10,479