Subject | Re: [Firebird-Architect] Create of RDB$USERS |
---|---|
Author | Alex Peshkov |
Post date | 2005-10-19T12:45:11Z |
Dmitry Yemanov wrote:
> "Alex Peshkov" <pes@...> wrote:
>
>>Leaving rdb$user_name varchar(128) is a security risk. What happens in
>>case when VeryVeryVeryVeryVeryVeryLongUserName is granted some
>>rights, and after it VeryVeryVeryVeryVeryVeryLongUserName2 is added?
>>Suppose it will have all these rights. That's not OK.
>
> I don't see any practical security risk as it's currently impossible to
> define a user whose name is longer than 31 characters.
> GSEC throws the error "invalid user name (maximum 31 bytes allowed)" in this
> case.
>
>>I suggest to restrict it to 31.
>
> My motivation differs from yours, but I see no backward compatibility issues
> now. Am I missing something?
>
Let's ask another question - who sees any problems, restricting
rdb$user_name to 31?
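
The scenario debated in this message, as an added illustration that is not code from the thread or from Firebird: it assumes a hypothetical privilege store (`TruncatingGrants`) that silently cuts names to 31 bytes, and contrasts it with rejecting over-long names the way the quoted GSEC error does. The helper names and the sample user list are constructed for the example.

```python
from collections import defaultdict

MAX_NAME_BYTES = 31  # limit quoted in the thread's GSEC error message


def validate_name(name, limit=MAX_NAME_BYTES):
    """Reject (never truncate) a name that does not fit in `limit` bytes."""
    raw = name.encode("utf-8")
    if not raw or len(raw) > limit:
        raise ValueError(f"invalid user name (maximum {limit} bytes allowed)")
    return raw


def truncation_collisions(names, limit=MAX_NAME_BYTES):
    """Group distinct names that become identical once cut to `limit` bytes."""
    groups = defaultdict(list)
    for name in names:
        groups[name.encode("utf-8")[:limit]].append(name)
    return {key: grp for key, grp in groups.items() if len(set(grp)) > 1}


class TruncatingGrants:
    """Hypothetical store keyed on the truncated name (assumed weak behaviour)."""

    def __init__(self, limit=MAX_NAME_BYTES):
        self.limit = limit
        self.rights = {}

    def _key(self, name):
        return name.encode("utf-8")[: self.limit]

    def grant(self, name, right):
        self.rights.setdefault(self._key(name), set()).add(right)

    def has(self, name, right):
        return right in self.rights.get(self._key(name), set())


# Constructed sample input: the two names from the message plus a short one.
LONG = "VeryVeryVeryVeryVeryVeryLongUserName"
SAMPLE_USERS = [LONG, LONG + "2", "SYSDBA"]

if __name__ == "__main__":
    store = TruncatingGrants()
    store.grant(LONG, "SELECT")
    print("second user inherits SELECT:", store.has(LONG + "2", "SELECT"))
    print("colliding groups:", truncation_collisions(SAMPLE_USERS))
```

Running `truncation_collisions` over an exported user list is a quick audit for names that would alias each other under a given column width.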