getpass.3: SYNOPSIS: Mark getpass() as [[deprecated]]
Suggest readpassphrase(3bsd) as an alternative.
Some implementations of getpass(3) may suffer from the same issues
that gets(3) suffers and some more. See the long discussion in
the mailing list for more details (link at the bottom of this
commit message). I'll quote some relevant parts here:
Eugene Syromyatnikov <evgsyr@gmail.com>:
{
And the only mention of getpass() in POSIX (at least,
since the 2001's edition) indeed seems to be [1], in the
list of functions that have not been carried forward from
XSH5, the 1997 revision of “System Interfaces and Headers”
(that is, SUSv2)[2], where it is inherited from SUSv1[4]
from XPG[5] and, as Alejandro already mentioned, marked as
obsolete, per XPG3 to XPG4 migration guide[6]; the
previous, 1988, version of POSIX[3] does not mention
getpass() at all.
[1] https://pubs.opengroup.org/onlinepubs/
009695399/basedefs/xbd_chap01.html
[2] https://pubs.opengroup.org/onlinepubs/
7908799/xsh/getpass.html
[3] https://mirror.math.princeton.edu/pub/oldlinux/download/c953.pdf
[4] https://pubs.opengroup.org/onlinepubs/
9695969499/toc.pdf
[5] https://bitsavers.computerhistory.org/pdf/xOpen/X_Open_Portability_Guide_1985/xpg_2_xopen_system_v_specification_2.pdf
[6] http://archive.opengroup.org/publications/archive/CDROM/g501.pdf
}
Theo de Raadt <deraadt@openbsd.org>:
{
The community finally had the balls to get rid of gets(3).
getpass(3) shares the same flaw, that the buffer size
isn't passed. This has been an issue in the past, and
incorrectly led to readpassphrase(3).
readpassphrase(3) has a few too many features/extensions
for my taste, but at least it is harder to abuse.
}
Alejandro Colomar <alx.manpages@gmail.com>:
{
I found readpassphrase(3) in FreeBSD and OpenBSD. It is
also present in libbsd(7), which is available in most
Linux distributions. I also found it on a Mac that I have
access.
NetBSD has getpass_r(3) instead. It is not in any other
system I have access.
}
Zack Weinberg <zack@owlfolio.org>:
{
I was about to post exactly the same thing. getpass(3)
is not deprecated because there's a better replacement,
it's deprecated because it's _unsafe_. The glibc
implementation wraps getline(3) and therefore doesn't
truncate the passphrase or overflow a fixed-size buffer,
no matter how long the input is, but portable code cannot
rely on that. And come to think of it, using getline(3)
means that prefixes of the passphrase may be left lying
around in malloc's free lists.
(getpass also cannot be made thread safe, due to recycling
of a static buffer, but a program in which multiple
threads are racing to prompt the user for passwords would
be a UX disaster anyway, so I don't think that's a
critical flaw the way it is for e.g. strtok(3).)
The Linux manpage project's documentation is, as I
understand it, for Linux with glibc _first_, but not
_only_; it should not describe this function as
not-deprecated just because glibc has patched its worst
problems and doesn't offer any better API.
}
List: <https://lore.kernel.org/linux-man/
6d8642e9-71f7-4a83-9791-
880d04f67d17@www.fastmail.com/T/#t>
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Cc: Git <git@vger.kernel.org>
Cc: Glibc <libc-alpha@sourceware.org>
Cc: OpenBSD <tech@openbsd.org>
Cc: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Cc: Benoit Lecocq <benoit@openbsd.org>
Cc: Klemens Nanni <kn@openbsd.org>
Cc: Randall <rsbecker@nexbridge.com>
Cc: Eugene Syromyatnikov <evgsyr@gmail.com>
Cc: Theo de Raadt <deraadt@openbsd.org>
Cc: Zack Weinberg <zack@owlfolio.org>
Cc: Florian Weimer <libc-alpha@sourceware.org>
projects / thirdparty / man-pages.git / commit
