Subject: Re: max_{login,group}len in /etc/security
To: matthew green <mrg@eterna.com.au>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 04/11/2004 20:58:51
In message <2394.1081729418@splode.eterna.com.au>, matthew green writes:
>
> In message <20040411142457.GA187@himo.salmi.ch>, Jukka Salmi writes:
> >Hi,
> >
> >what's the reason to set a maximum length for user and group names in
> >/etc/security (line 29 f. on -current)? I know it can easily be overridden,
> >but I wonder why it should be a security problem to have login
> >and group names with >8 chars.
>
> At least for user names, the issue is ambiguity in programs that limit
> the length -- note that utmp.h, for example, limits user names to 8
> characters.
>
> That said, I'd really like it if that would change, but it could
> break backwards binary compatibility in a major way. (A quick grep
> shows about 40 files in /usr/src that include utmp.h -- and I didn't
> even try to look at pkgsrc.)
>
>
>how many of those also include utmpx.h? (and use it properly)
>
I didn't check. It's amusing to look at, say, 'talkd', and see what it
does. (I'll save you the trouble -- it uses source code, separately
compiled, from 'who', creating a dependency which is in no way obvious
to anyone hacking on the 'who' code.)
--Steve Bellovin, http://www.research.att.com/~smb
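The ambiguity matthew green mentions (utmp.h limiting user names to 8 characters) can be demonstrated directly. The C program below is an added example, not code from the thread or from NetBSD; it uses a constructed `struct legacy_entry` with an 8-byte, possibly unterminated `name` field as a stand-in for the classic utmp record (the `UTMP_NAMESZ` value comes from the message, the struct and all function names are assumptions). It shows that two distinct login names longer than the field collapse into the same stored record, so any reader that keys on that record cannot tell the accounts apart, and it includes the policy check that /etc/security's length limit effectively enforces.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-width utmp name field discussed in the
 * thread. Classic utmp.h uses an 8-byte ut_name that need not be
 * NUL-terminated; UTMP_NAMESZ mirrors that limit (the utmpx interface the
 * reply asks about has a larger field). */
#define UTMP_NAMESZ 8

struct legacy_entry {
    char name[UTMP_NAMESZ];   /* unterminated when the name is exactly 8 chars */
};

/* Store a login name the way a legacy utmp writer would: copy at most
 * UTMP_NAMESZ bytes and silently drop anything beyond them. */
void store_legacy(struct legacy_entry *e, const char *login)
{
    memset(e->name, 0, sizeof e->name);
    strncpy(e->name, login, UTMP_NAMESZ);
}

/* Simulate a reader that is unaware of truncation: store `stored`, then
 * decide whether `probe` "is" that user by comparing only the field width.
 * Returns 1 on a match. */
int truncated_reader_accepts(const char *stored, const char *probe)
{
    struct legacy_entry e;
    store_legacy(&e, stored);
    return strncmp(e.name, probe, UTMP_NAMESZ) == 0;
}

/* Returns 1 if two *different* login names produce identical legacy records,
 * i.e. the fixed-width field cannot distinguish the accounts. */
int names_collide(const char *a, const char *b)
{
    struct legacy_entry ea, eb;
    if (strcmp(a, b) == 0)
        return 0;             /* same name is not a collision */
    store_legacy(&ea, a);
    store_legacy(&eb, b);
    return memcmp(ea.name, eb.name, UTMP_NAMESZ) == 0;
}

/* The defensive policy: a login name that fits the legacy field can never
 * share a truncated record with another account. This is the check that a
 * maxloginlen of 8 in /etc/security amounts to. */
int name_fits_legacy(const char *login)
{
    return strlen(login) <= UTMP_NAMESZ;
}

int main(void)
{
    /* constructed sample names: distinct accounts, same first 8 bytes */
    const char *a = "operator1";
    const char *b = "operator2";

    printf("%s vs %s: collide=%d\n", a, b, names_collide(a, b));
    printf("reader keyed on %s accepts %s: %d\n", a, b,
           truncated_reader_accepts(a, b));
    printf("fits legacy field: %s=%d root=%d\n", a,
           name_fits_legacy(a), name_fits_legacy("root"));
    return 0;
}
```

Run as-is it reports that `operator1` and `operator2` collide and that a record written for one is accepted for the other; `name_fits_legacy` is the length check that keeps such pairs from being created in the first place.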