In message <2394.1081729418@splode.eterna.com.au>, matthew green writes:
>
>   In message <20040411142457.GA187@himo.salmi.ch>, Jukka Salmi writes:
>   >Hi,
>   >
>   >what's the reason to set a maximum length for user and group names in
>   >/etc/security (line 29 f. on -current)? I know it can easily be over-
>   >ridden, but I wonder why it should be a security problem to have login
>   >and group names with >8 chars.
>   
>   At least for user names, the issue is ambiguity in programs that limit 
>   the length -- note that utmp.h, for example, limits user names to 8 
>   characters.
>   
>   That said, I'd really like it if the that would change, but it could 
>   break backwards binary compatibility in a major way.  (A quick grep 
>   shows about 40 files in /usr/src that include utmp.h -- and I didn't 
>   even try to look at pkgsrc.)
>
>
>how many of those also include utmpx.h?  (and use it properly)
>

I didn't check.  It's amusing to look at, say, 'talkd', and see what it 
does.  (I'll save you the trouble -- it uses source code, separately 
compiled, from 'who', creating a dependency which is in no way obvious 
to anyone hacking on the 'who' code.)

		--Steve Bellovin, http://www.research.att.com/~smb