shadow/libmisc
Alex Colomar 155c9421b9 libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely
There are several issues with getpass(3).

Many implementations of it share the same issues as the infamous
gets(3).  In glibc it's not so terrible, since it's a wrapper
around getline(3).  But it still has an important bug:

If the password is long enough, getline(3) will realloc(3) memory,
and prefixes of the password will be lying around in some
deallocated memory.

See the getpass(3) manual page for more details, and especially
the commit that marked it as deprecated, which links to a long
discussion in the linux-man@ mailing list.

So, readpassphrase(3bsd) is preferable, which is provided by
libbsd on GNU systems.  However, using readpassphrase(3) directly
is a bit verbose, so we can write our own wrapper with a simpler
interface similar to that of getpass(3).

One of the benefits of writing our own interface around
readpassphrase(3) is that we can hide there any checks that should
always be done and which would be error-prone to repeat every
time.  For example, check that there was no truncation in the
password.

Also, use malloc(3) to get the buffer, instead of using a global
buffer.  We're not using a multithreaded program (and it wouldn't
make sense to do so), but it's nice to know that the visibility of
our passwords is as limited as possible.

erase_pass() is a clean-up function that handles all clean-up
correctly, including zeroing the entire buffer, and then
free(3)ing the memory.  By using [[gnu::malloc(erase_pass)]], we
make sure that we don't leak the buffers in any case, since the
compiler will be able to enforce clean up.

Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b>
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
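The pattern the commit message describes (one fixed-size malloc(3) instead of getline(3)'s growing buffer, a truncation check hidden inside the wrapper, and a single clean-up function that zeroes the whole buffer before free(3)ing it, enforced by the compiler through the malloc attribute), as an added example that is not shadow's agetpass.c. It differs from the real code in ways labelled here and in the comments: PASS_MAX is a small constructed limit, the reader takes a FILE* (so it runs without libbsd's readpassphrase(3bsd) and without a tty), and the names agetpass_stream(), zero_mem() and pass_len_from_string() are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(3) in the demo helper */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this example; shadow uses its own PASS_MAX. */
#define PASS_MAX  8
#define PASS_BUF  (PASS_MAX + 2)   /* PASS_MAX chars + '\n' + NUL */

/* Overwrite n bytes through a volatile pointer so the compiler cannot
 * drop the stores as dead; explicit_bzero(3) does the same where available. */
void
zero_mem(void *buf, size_t n)
{
	volatile unsigned char *p = buf;

	while (n-- > 0)
		*p++ = 0;
}

/* Clean-up function: zero the entire fixed-size buffer, then free(3) it.
 * Every buffer is exactly PASS_BUF bytes, so no length argument is needed. */
void
erase_pass(char *pass)
{
	if (pass == NULL)
		return;
	zero_mem(pass, PASS_BUF);
	free(pass);
}

/* Read one line as a password.  A single allocation that is never
 * realloc(3)'d means no prefix of the password is left in freed memory,
 * and truncation is detected once here rather than by every caller.
 * Shadow's real agetpass() calls readpassphrase(3bsd) on the tty; this
 * example reads from a FILE* instead (an assumption for portability). */
#if defined(__GNUC__) && __GNUC__ >= 11
__attribute__((malloc(erase_pass)))  /* GCC warns if a result is released any other way */
#endif
char *
agetpass_stream(FILE *fp)
{
	char    *pass;
	size_t  len;

	pass = malloc(PASS_BUF);
	if (pass == NULL)
		return NULL;

	if (fgets(pass, PASS_BUF, fp) == NULL) {
		erase_pass(pass);
		errno = EIO;   /* EOF or error before any input */
		return NULL;
	}

	len = strlen(pass);
	if (len > 0 && pass[len - 1] == '\n') {
		pass[--len] = '\0';
	} else if (len == PASS_MAX + 1) {
		/* Buffer filled with no newline: the password was truncated. */
		erase_pass(pass);
		errno = ENOBUFS;
		return NULL;
	}

	return pass;
}

/* Demo/test helper: feed a constructed input through agetpass_stream()
 * and return the password length, or -errno on failure. */
int
pass_len_from_string(const char *input)
{
	FILE  *fp;
	char  *pass;
	int   ret;

	fp = fmemopen((void *) input, strlen(input), "r");
	if (fp == NULL)
		return -errno;

	pass = agetpass_stream(fp);
	ret = (pass != NULL) ? (int) strlen(pass) : -errno;
	erase_pass(pass);   /* NULL-safe; the only correct way to release the result */
	fclose(fp);
	return ret;
}

/* Returns 1 if zero_mem() cleared every byte of a constructed buffer. */
int
zero_mem_clears_all(void)
{
	char    buf[PASS_BUF] = "hunter2";
	size_t  i;

	zero_mem(buf, sizeof(buf));
	for (i = 0; i < sizeof(buf); i++)
		if (buf[i] != 0)
			return 0;
	return 1;
}

int
main(void)
{
	/* Constructed sample inputs: short, exactly PASS_MAX, one too long, no newline. */
	printf("short:      %d\n", pass_len_from_string("hunter2\n"));
	printf("max:        %d\n", pass_len_from_string("12345678\n"));
	printf("truncated:  %d (expect -ENOBUFS)\n", pass_len_from_string("123456789\n"));
	printf("no newline: %d\n", pass_len_from_string("abc"));
	return 0;
}
```

The truncation test relies on the same observation as the commit: with a buffer of PASS_MAX + 2 bytes, a line that fills PASS_MAX + 1 characters without reaching a newline cannot have fit, so it is rejected with ENOBUFS and its buffer is wiped before the caller ever sees it.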
.indent.pro Commit the last version from the PLD CVS repository. 2007-10-07 14:36:51 +00:00
addgrps.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
age.c Update licensing info 2021-12-23 19:36:50 -06:00
agetpass.c libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely 2022-12-05 10:47:19 +01:00
audit_help.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
basename.c Update licensing info 2021-12-23 19:36:50 -06:00
btrfs.c Declare read-only data const 2022-08-06 11:27:56 -05:00
chkname.c shadow: use relaxed usernames 2022-09-02 20:27:14 -05:00
chkname.h Update licensing info 2021-12-23 19:36:50 -06:00
chowndir.c Avoid races in chown_tree() 2022-08-17 12:34:01 -05:00
chowntty.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
cleanup_group.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
cleanup_user.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
cleanup.c Update licensing info 2021-12-23 19:36:50 -06:00
console.c Drop unnecessary prototype 2022-08-06 11:27:56 -05:00
copydir.c Don't test for NULL before calling free(3) 2022-09-29 16:03:53 +02:00
date_to_str.c Have a single definition of date_to_str() 2021-12-26 18:55:39 +01:00
entry.c Update licensing info 2021-12-23 19:36:50 -06:00
env.c Declare read-only data const 2022-08-06 11:27:56 -05:00
failure.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
failure.h Update licensing info 2021-12-23 19:36:50 -06:00
find_new_gid.c libmisc: minimum id check for system accounts 2022-10-06 20:09:35 -05:00
find_new_sub_gids.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
find_new_sub_uids.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
find_new_uid.c libmisc: minimum id check for system accounts 2022-10-06 20:09:35 -05:00
getdate.h Update licensing info 2021-12-23 19:36:50 -06:00
getdate.y Use isdigit(3) instead of a reimplementation of it 2021-12-29 02:41:09 +01:00
getgr_nam_gid.c Update licensing info 2021-12-23 19:36:50 -06:00
getrange.c Declare read-only parameters const 2022-08-06 11:27:56 -05:00
gettime.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
hushed.c Update licensing info 2021-12-23 19:36:50 -06:00
idmapping.c Declare read-only parameters const 2022-08-06 11:27:56 -05:00
idmapping.h Add include for uid_t 2022-08-06 11:27:56 -05:00
isexpired.c Update licensing info 2021-12-23 19:36:50 -06:00
limits.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
list.c Update licensing info 2021-12-23 19:36:50 -06:00
log.c Update licensing info 2021-12-23 19:36:50 -06:00
loginprompt.c Use 'void' instead of 'RETSIGTYPE'. Use 'sighandler_t' too. 2022-01-15 08:25:53 -06:00
mail.c Update licensing info 2021-12-23 19:36:50 -06:00
Makefile.am libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely 2022-12-05 10:47:19 +01:00
motd.c Drop register keyword 2022-08-06 11:27:56 -05:00
myname.c Update licensing info 2021-12-23 19:36:50 -06:00
obscure.c Update licensing info 2021-12-23 19:36:50 -06:00
pam_pass_non_interactive.c Declare read-only data const 2022-08-06 11:27:56 -05:00
pam_pass.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
prefix_flag.c Use strict prototypes 2022-01-03 15:09:17 +01:00
pwd2spwd.c Update licensing info 2021-12-23 19:36:50 -06:00
pwd_init.c Update licensing info 2021-12-23 19:36:50 -06:00
pwdcheck.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
remove_tree.c Avoid races in remove_tree() 2022-08-17 12:34:01 -05:00
rlogin.c Update licensing info 2021-12-23 19:36:50 -06:00
root_flag.c libmisc/root_flag: add tips for --root flag only support abspath 2022-08-06 15:04:06 -05:00
salt.c Drop superfluous const from return type 2022-08-06 11:27:56 -05:00
setugid.c Update licensing info 2021-12-23 19:36:50 -06:00
setupenv.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
shell.c Do not drop const qualifier for Basename 2022-01-03 15:09:17 +01:00
strtoday.c Declare read-only data const 2022-08-06 11:27:56 -05:00
sub.c Update licensing info 2021-12-23 19:36:50 -06:00
sulog.c Update licensing info 2021-12-23 19:36:50 -06:00
ttytype.c Update licensing info 2021-12-23 19:36:50 -06:00
tz.c Update licensing info 2021-12-23 19:36:50 -06:00
ulimit.c Update licensing info 2021-12-23 19:36:50 -06:00
user_busy.c Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
utmp.c Use libc MAX() and MIN() 2022-09-30 16:13:36 -05:00
valid.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetgrgid.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetgrnam.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetpwnam.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetpwuid.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetspnam.c Update licensing info 2021-12-23 19:36:50 -06:00
xgetXXbyYY.c Handle ERANGE error correctly 2022-03-18 20:24:10 -05:00
xmalloc.c Don't test for NULL before calling free(3) 2022-09-29 16:03:53 +02:00
yesno.c Update licensing info 2021-12-23 19:36:50 -06:00