RE: Is getpass(3) really obsolete?

On October 29, 2021 10:45 AM, Alejandro Colomar wrote:
> On 10/29/21 16:33, rsbecker@xxxxxxxxxxxxx wrote:
> > October 29, 2031 10:21 AM, Theo de Raadt will write:
> >> <rsbecker@xxxxxxxxxxxxx> wrote:
> >>
> >>>>> getpass() is obsolete in POSIX.2. However, some platforms still
> >>>>> are on
> >>> POSIX.1,
> >>>> so replacing it instead of providing a configure detection/switch
> >>>> for it
> >>> might
> >>>> cause issues.
> >>>>
> >>>>
> >>>> The community finally had the balls to get rid of gets(3).
> >>>>
> >>>> getpass(3) shares the same flaw, that the buffer size isn't passed.
> >>>> This has been an issue in the past, and incorrectly led to
> >>> readpassphrase(3)
> 
> That seems a good reason to keep the "Do not use it." note in the manual page.
> I think I'll add a recommendation for readpassphrase(3bsd) for the moment
> which is the only alternative available in Linux.
> 
> >>>>
> >>>> readpassphrase(3) has a few too many features/extensions for my
> >>>> taste, but
> >>> at
> >>>> least it is harder to abuse.
> >>>
> >>> readpassphrase is not generally supported. This will break builds on
> >>> many platforms.
> I found readpassphrase(3) in FreeBSD and OpenBSD.
> It is also present in libbsd(7), which is available in most Linux distributions.
> I also found it on a Mac that I have access to.
> 
> NetBSD has getpass_r(3) instead.  It is not in any other system I have access to.
> 
> 
> >>
> >> Of course moving forward takes a long time.  If a better API is supplied then
> >> there is a choice in 10 years.  If a better API is not supplied, then 10 years
> >> from now this conversation can get a reply.
> >
> > I checked the API 10 years from now (check the above date) and it's still not
> > there 😉 In the meantime, compatibility is important. I checked the latest
> > release (last week's) on my platform and readpassphrase() is not available. Let's
> > please put a compatibility layer in.
> >
> libbsd(7) is probably the compatibility layer that you're looking for.
> What system are you on?
> 
> <https://libbsd.freedesktop.org/wiki/>

I am on two variants (x86 and ia64) of HPE NonStop with current operating systems - and I do the build/test for git and OpenSSL. getpass() is an alias to getpass2() but the other procs are not present. If this is going into git, I would suggest putting something into compat.c to abstract out the call. If it's there, we can handle it on a platform-by-platform basis.

Thanks,
Randall
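
The two points raised in this thread (getpass(3) is never told the buffer size, and the call could be abstracted in a compat layer) shown together as an added example; this is not code from git, libbsd or anyone in the thread. The name compat_read_password and its return convention are assumptions, and it relies only on POSIX termios and read(2), which a given platform may or may not provide.

```c
#include <stddef.h>
#include <termios.h>
#include <unistd.h>

static void wipe(void *p, size_t n)     /* stores the compiler may not drop */
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical compat wrapper (added example, not from git or libbsd): read
 * one line from fd into buf (at most bufsiz-1 bytes plus NUL), echo off when
 * fd is a terminal. Returns the length, or -1 (buf wiped) on read error, EOF
 * before any input, or a line that does not fit. */
long compat_read_password(int fd, char *buf, size_t bufsiz)
{
    struct termios saved, noecho;
    size_t len = 0;
    int is_tty, too_long = 0, got_nl = 0;
    char c;
    ssize_t r;

    if (buf == NULL || bufsiz == 0)
        return -1;
    is_tty = (tcgetattr(fd, &saved) == 0);   /* fails on pipes and files */
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &noecho);
    }
    /* Byte at a time, so nothing past the newline is consumed. */
    while ((r = read(fd, &c, 1)) == 1) {
        if (c == '\n') { got_nl = 1; break; }
        if (len + 1 < bufsiz)
            buf[len++] = c;
        else
            too_long = 1;                    /* keep draining the line */
    }
    if (is_tty)
        tcsetattr(fd, TCSAFLUSH, &saved);    /* always restore echo */
    buf[len] = '\0';
    if (r < 0 || too_long || (len == 0 && !got_nl)) {
        wipe(buf, bufsiz);
        return -1;
    }
    return (long)len;
}
```

An over-long line is rejected and the buffer cleared rather than silently truncated, so a caller never authenticates with a partial secret.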



