155c9421b9
There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org> |
||
---|---|---|
.. | ||
.indent.pro | ||
addgrps.c | ||
age.c | ||
agetpass.c | ||
audit_help.c | ||
basename.c | ||
btrfs.c | ||
chkname.c | ||
chkname.h | ||
chowndir.c | ||
chowntty.c | ||
cleanup_group.c | ||
cleanup_user.c | ||
cleanup.c | ||
console.c | ||
copydir.c | ||
date_to_str.c | ||
entry.c | ||
env.c | ||
failure.c | ||
failure.h | ||
find_new_gid.c | ||
find_new_sub_gids.c | ||
find_new_sub_uids.c | ||
find_new_uid.c | ||
getdate.h | ||
getdate.y | ||
getgr_nam_gid.c | ||
getrange.c | ||
gettime.c | ||
hushed.c | ||
idmapping.c | ||
idmapping.h | ||
isexpired.c | ||
limits.c | ||
list.c | ||
log.c | ||
loginprompt.c | ||
mail.c | ||
Makefile.am | ||
motd.c | ||
myname.c | ||
obscure.c | ||
pam_pass_non_interactive.c | ||
pam_pass.c | ||
prefix_flag.c | ||
pwd2spwd.c | ||
pwd_init.c | ||
pwdcheck.c | ||
remove_tree.c | ||
rlogin.c | ||
root_flag.c | ||
salt.c | ||
setugid.c | ||
setupenv.c | ||
shell.c | ||
strtoday.c | ||
sub.c | ||
sulog.c | ||
ttytype.c | ||
tz.c | ||
ulimit.c | ||
user_busy.c | ||
utmp.c | ||
valid.c | ||
xgetgrgid.c | ||
xgetgrnam.c | ||
xgetpwnam.c | ||
xgetpwuid.c | ||
xgetspnam.c | ||
xgetXXbyYY.c | ||
xmalloc.c | ||
yesno.c |