19

I followed these instructions to build Shadow, which provides the groupadd command. I am now getting an error when trying this:

$ groupadd automake1.10
groupadd: 'automake1.10' is not a valid group name

I checked alphanumeric names, and they work okay.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
tshepang
  • 64,472
  • 86
  • 223
  • 290

3 Answers3

28

See the source code, specifically libmisc/chkname.c. Shadow is pretty conservative: names must match the regexp [_a-z][-0-9_a-z]*\$? and may be at most GROUP_NAME_MAX_LENGTH characters long (configure option, default 16; user names can usually go up to 32 characters, subject to compile-time determination).

Debian relaxes the check a lot. As of squeeze, anything but whitespace and : is allowed. See bug #264879 and bug #377844.

POSIX requires allowing letters of either case, digits and ._- (like in file names). POSIX doesn't set any restriction if you don't care about portability. A number of recommended restrictions come from usage:

  • Colons, newlines and nulls are right out; you just can't use them in /etc/passwd or /etc/group.
  • An name consisting solely of digits is a bad idea — chown and chgrp are supposed to treat a digit sequence as a name if it's in the user/group database, but other applications may treat any number as a numerical id.
  • An initial - or a . in a user name is strongly not recommended, because many applications expect to be able to pass $user.$group to an external utility (e.g. chown $user.$group /path/to/file)¹. A . in a group name should cause less trouble, but I'd still recommend against it.
  • / is likely to cause trouble too, because some programs expect to be able to use user names in file names.
  • Any character that the shell would expand is probably risky.
  • Non-ASCII characters should be ok if you don't care about sharing with systems that may use different encodings.

¹ All modern implementations expect chown $user:$group, but support chown $user.$group for backward compatibility, and there are too many applications out there that pass a dot to remove that compatibility support.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • Re `chown` argument: the current syntax, at least in GNU coreutils, is `user:group`, with dot being accepted only for compatibility. One can use `j.smith:j.smith`. – u1686_grawity Apr 17 '11 at 10:03
  • 1
    @grawity: It's not just GNU coreutils, but the problem isn't `chown` itself, it's existing scripts and other programs that call `chown $user.$group` instead of `chown $user:$group` — even if the `chown` implementation tries to do the right thing, some cases are intrinsically ambiguous. – Gilles 'SO- stop being evil' Apr 17 '11 at 11:58
2

If you're feeling adventurous, you can edit /etc/group directly and put in whatever group name you like. Also, this has the added bonus that when you encounter one of the problems @Gilles mentioned, you may not be able to load an editor to fix the problem, or even log in at all - giving you valuable experience in recovering a broken system!

Malvineous
  • 6,524
  • 5
  • 52
  • 76
  • 5
    Don't forget to edit `/etc/gshadow` when adding groups. Also, use `vigr(8)` rather than directly editing the files. – camh Apr 17 '11 at 05:30
  • 1
    Where available, use ```grpunconv``` and ```grpconv``` to unconvert and re-convert the group file. Similarly, use ```pwunconv``` and ```pwconv``` for the password file. These commands remove and re-create the shadow files so that direct editing of the ```/etc/group``` and ```/etc/passwd``` files can be done. When editing, also consider using the ```vigr``` and ```vipw``` utilities, if available. – Steve Amerige Jul 08 '21 at 20:22
0

An update for anyone exploring this question more recently:

@gilles-so-stop-being-evil is correct, the authoritative source is https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c, specifically the is_valid_name function, but the regex in that file has changed since the original answer was posted: It is now

[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?

with one caveat enforced in the code, that being that all-numeric names are forbidden. Length checking is enforced by is_valid_group_name, which calls is_valid_name IFF the length-check passes (likewise for useradd, via is_valid_user_name).

Peter Whittaker
  • 133
  • 6
  • Are those `[a-z]` locale dependant? As in does that include `éᴬᴭᴮɯɰ` on locales that have such characters like `grep '[a-z]'` report or is that only the ASCII ones. Why exclude the letters of other scripts? Is Linux only meant to be used by American English users? – Stéphane Chazelas Aug 14 '23 at 18:55
  • That is an excellent question: I just checked the source, and it is literally using character comparison against ranges, e.g., c => 'a' && c <= 'z', etc., which looks like ASCII only, but I am not an expert in this area. This does surprise, I admit. I wonder to what extent platform/distro maintainers replace this function...? – Peter Whittaker Aug 15 '23 at 15:49