Subject: Re: max_{login,group}len in /etc/security
To: Jukka Salmi <jukka-netbsd@2004.salmi.ch>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 04/11/2004 11:07:34
In message <20040411142457.GA187@himo.salmi.ch>, Jukka Salmi writes:
>Hi,
>
>what's the reason to set a maximum length for user and group names in
>/etc/security (line 29 f. on -current)? I know it can easily be over-
>ridden, but I wonder why it should be a security problem to have login
>and group names with >8 chars.
At least for user names, the issue is ambiguity in programs that limit
the length -- note that utmp.h, for example, limits user names to 8
characters.
That said, I'd really like it if the that would change, but it could
break backwards binary compatibility in a major way. (A quick grep
shows about 40 files in /usr/src that include utmp.h -- and I didn't
even try to look at pkgsrc.)
--Steve Bellovin, http://www.research.att.com/~smb