Subject: Re: max_{login,group}len in /etc/security
To: Jukka Salmi <jukka-netbsd@2004.salmi.ch>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 04/11/2004 11:07:34
In message <20040411142457.GA187@himo.salmi.ch>, Jukka Salmi writes:
>Hi,
>
>what's the reason to set a maximum length for user and group names in
>/etc/security (line 29 f. on -current)? I know it can easily be over-
>ridden, but I wonder why it should be a security problem to have login
>and group names with >8 chars.

At least for user names, the issue is ambiguity in programs that limit 
the length -- note that utmp.h, for example, limits user names to 8 
characters.

That said, I'd really like it if the that would change, but it could 
break backwards binary compatibility in a major way.  (A quick grep 
shows about 40 files in /usr/src that include utmp.h -- and I didn't 
even try to look at pkgsrc.)

		--Steve Bellovin, http://www.research.att.com/~smb