[systemd-devel] [PATCH 1/3] Add more password agent information

Lennart Poettering lennart at poettering.net
Mon Mar 24 18:06:30 PDT 2014


On Tue, 25.03.14 01:46, David Härdeman (david at hardeman.nu) wrote:

> So yes, I think they're related...as in they are independent
> implementations of the same thing :)

Would be great on settle on a common implementation... ;-)

> >Also, please use strappend() for cases like this, where we just want to
> >concatenate two strings.
> >
> >That said, I wodner, if we should escape the second part of the string,
> >just to be sure. Using cescape() here would suffice?
> 
> And risk breaking backward compatibility? (I was too lazy to check
> exactly what cescape() handles right now)...

Well, I mostly care for what is written in the drop-in snippet. The idea
is that the receiving side would unescape the thing again. 

There's cescape() and cunespace() already defined, which should make
this easy.

> The "name" (second part of the string) comes from /etc/crypttab, which
> is writeable by root only on any sane system? (otherwise it'd be dead
> easy to insert a keyscript in between which does some keylogging).

Well, it's fine if crypttab doesn't do escaping, but when we write it to
the snippet and when we read it I think we should do the escaping, since
the whole logic might end up being used in other cases where a password
is queried, too. The id used here, is after all foreign to the password
api stuff, it just passes it along, hence it should maybe just escape
the whole thing, and pass it through, and that would be it.

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list