diff --git a/internal/app/seal.go b/internal/app/seal.go
index 155fafb..c78add9 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -15,6 +15,7 @@ import (
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/state"
@@ -133,7 +134,8 @@ func (a *app) Seal(config *fst.Config) error {
 	}
 	if seal.sys.user.username == "" {
 		seal.sys.user.username = "chronos"
-	} else if !posixUsername.MatchString(seal.sys.user.username) {
+	} else if !posixUsername.MatchString(seal.sys.user.username) ||
+		len(seal.sys.user.username) >= internal.Sysconf_SC_LOGIN_NAME_MAX() {
 		return fmsg.WrapError(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.sys.user.username))
 	}
diff --git a/internal/sysconf.go b/internal/sysconf.go
new file mode 100644
index 0000000..03b236f
--- /dev/null
+++ b/internal/sysconf.go
@@ -0,0 +1,6 @@
+package internal
+
+//#include <unistd.h>
+import "C"
+
+func Sysconf_SC_LOGIN_NAME_MAX() int { return int(C.sysconf(C._SC_LOGIN_NAME_MAX)) }