Subject: re: max_{login,group}len in /etc/security
To: Steven M. Bellovin <smb@research.att.com>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 04/12/2004 10:23:38
   In message <20040411142457.GA187@himo.salmi.ch>, Jukka Salmi writes:
   >Hi,
   >
   >what's the reason to set a maximum length for user and group names in
   >/etc/security (line 29 f. on -current)? I know it can easily be
   >overridden, but I wonder why it should be a security problem to have login
   >and group names with >8 chars.
   
   At least for user names, the issue is ambiguity in programs that limit 
   the length -- note that utmp.h, for example, limits user names to 8 
   characters.
   
   That said, I'd really like it if that would change, but it could 
   break backwards binary compatibility in a major way.  (A quick grep 
   shows about 40 files in /usr/src that include utmp.h -- and I didn't 
   even try to look at pkgsrc.)


how many of those also include utmpx.h?  (and use it properly)


.mrg.
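
An added illustration, not part of the original thread: the ambiguity mentioned in the quoted reply, shown with a fixed-width name field. The record struct, function names and login names are constructed for this example; only the 8-character width comes from the thread.

```c
#include <stdio.h>
#include <string.h>

#define NAMESIZE 8   /* the 8-character limit cited in the thread */

/* Hypothetical stand-in for a utmp-style record: a fixed-width name
 * field that is not NUL-terminated when the name fills it. */
struct rec { char name[NAMESIZE]; };

/* Store a login the way fixed-width records do: short names are
 * NUL-padded, anything past NAMESIZE bytes is silently dropped. */
static void rec_set(struct rec *r, const char *login)
{
    size_t n = strlen(login);
    memset(r->name, 0, NAMESIZE);
    memcpy(r->name, login, n < NAMESIZE ? n : NAMESIZE);
}

/* Distinct logins are ambiguous if their stored records are identical. */
static int ambiguous(const char *a, const char *b)
{
    struct rec ra, rb;
    rec_set(&ra, a);
    rec_set(&rb, b);
    return strcmp(a, b) != 0 && memcmp(ra.name, rb.name, NAMESIZE) == 0;
}

/* Count over-long names and report each pair that collapses to the
 * same record.  Returns the number of colliding pairs. */
static int audit(const char *const *logins, size_t n, int *too_long)
{
    int pairs = 0;
    *too_long = 0;
    for (size_t i = 0; i < n; i++) {
        if (strlen(logins[i]) > NAMESIZE)
            (*too_long)++;
        for (size_t j = i + 1; j < n; j++)
            if (ambiguous(logins[i], logins[j])) {
                printf("ambiguous: %s / %s -> %.*s\n",
                       logins[i], logins[j], NAMESIZE, logins[i]);
                pairs++;
            }
    }
    return pairs;
}

int main(void)
{
    /* Constructed sample account names. */
    const char *const logins[] = { "operator", "operator2",
                                   "backupadmin", "backupad", "alice" };
    int too_long, pairs = audit(logins, 5, &too_long);
    printf("%d over-long, %d ambiguous pair(s)\n", too_long, pairs);
    return pairs != 0;
}
```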