From: "Zack Weinberg" <zack@owlfolio.org>
To: "Theo de Raadt" <deraadt@openbsd.org>,
rsbecker@nexbridge.com,
"'Alejandro Colomar (man-pages)'" <alx.manpages@gmail.com>,
'linux-man' <linux-man@vger.kernel.org>,
tech@openbsd.org, "Florian Weimer" <libc-alpha@sourceware.org>,
git@vger.kernel.org
Subject: Re: Is getpass(3) really obsolete?
Date: Fri, 29 Oct 2021 10:53:53 -0400 [thread overview]
Message-ID: <6d8642e9-71f7-4a83-9791-880d04f67d17@www.fastmail.com> (raw)
In-Reply-To: <63238.1635515736@cvs.openbsd.org>
On Fri, Oct 29, 2021, at 9:55 AM, Theo de Raadt wrote:
> <rsbecker@nexbridge.com> wrote:
>> On October 29, 2021 7:29 AM, Alejandro Colomar wrote:
>> > On 10/29/21 13:15, Alejandro Colomar wrote:
>> > > Hi,
>> > >
>> > > As the manual pages says, SUSv2 marked it as LEGACY, and POSIX doesn't
>> > > have it at all. The manual page goes further and says "This function
>> > > is obsolete. Do not use it." in its first lines.
...
> The community finally had the balls to get rid of gets(3).
>
> getpass(3) shares the same flaw, that the buffer size isn't passed.
> This has been an issue in the past
I was about to post exactly the same thing. getpass(3) is not deprecated because there's a better replacement, it's deprecated because it's _unsafe_. The glibc implementation wraps getline(3) and therefore doesn't truncate the passphrase or overflow a fixed-size buffer, no matter how long the input is, but portable code cannot rely on that. And come to think of it, using getline(3) means that prefixes of the passphrase may be left lying around in malloc's free lists.
(getpass also cannot be made thread safe, due to recycling of a static buffer, but a program in which multiple threads are racing to prompt the user for passwords would be a UX disaster anyway, so I don't think that's a critical flaw the way it is for e.g. strtok(3).)
The Linux manpage project's documentation is, as I understand it, for Linux with glibc _first_, but not _only_; it should not describe this function as not-deprecated just because glibc has patched its worst problems and doesn't offer any better API.
> readpassphrase(3) has a few too many features/extensions for my taste, but
> at least it is harder to abuse.
I am inclined to agree that readpassphrase has too many knobs, and I can't think of any legitimate present-day use for several of them, which is not a good property for an API handling security-critical data. Also, it relies on the caller to size the buffer for the passphrase, and therefore risks truncating people's passphrases.
With my libxcrypt hat on I've thought a bit about replacements for getpass. The conclusion I came to is that the easy changes are all putting lipstick on a pig, and if I was going to work on this at all I was going to design a privilege-separated authentication service that could be asked to take over a tty, read a passphrase, check it, and return just success or failure to the caller. Neither the passphrase itself, nor any strings derived from it, would ever be in the caller's address space. But this is obviously well out of scope for the C library.
zw
next prev parent reply other threads:[~2021-10-29 14:54 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-29 11:15 Alejandro Colomar
2021-10-29 11:28 ` Alejandro Colomar (man-pages)
2021-10-29 11:40 ` Ævar Arnfjörð Bjarmason
2021-10-29 12:11 ` Alejandro Colomar (man-pages)
2021-10-29 16:31 ` Joseph Myers
2021-10-30 12:24 ` Alejandro Colomar (man-pages)
2021-11-01 21:31 ` Joseph Myers
2021-10-29 12:10 ` rsbecker
2021-10-29 13:55 ` Eugene Syromyatnikov
2021-10-29 13:55 ` Theo de Raadt
2021-10-29 14:18 ` rsbecker
2021-10-29 14:21 ` Theo de Raadt
2021-10-29 14:33 ` rsbecker
2021-10-29 14:44 ` Alejandro Colomar (man-pages)
2021-10-29 15:00 ` rsbecker
2021-10-29 14:53 ` Zack Weinberg [this message]
2022-09-27 19:19 ` readpassphrase(3) in glibc, and agetpass() (Was: Is getpass(3) really obsolete?) Alejandro Colomar
2022-09-27 19:33 ` Alex Colomar
2022-09-27 20:30 ` Sam James
2022-09-27 21:00 ` Zack Weinberg
2022-09-27 22:41 ` Alejandro Colomar
2022-09-27 20:52 ` readpassphrase(3) in glibc, and agetpass() Junio C Hamano
2021-10-29 15:27 ` [PATCH] getpass.3: SYNOPSIS: Mark getpass() as [[deprecated]] Alejandro Colomar
2021-10-29 20:27 ` Is getpass(3) really obsolete? Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6d8642e9-71f7-4a83-9791-880d04f67d17@www.fastmail.com \
--to=zack@owlfolio.org \
--cc=alx.manpages@gmail.com \
--cc=deraadt@openbsd.org \
--cc=git@vger.kernel.org \
--cc=libc-alpha@sourceware.org \
--cc=linux-man@vger.kernel.org \
--cc=rsbecker@nexbridge.com \
--cc=tech@openbsd.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).