KPasswordEdit patch (was Re: new widgets...)

Pupeno pupeno at pupeno.com
Fri Sep 27 21:36:09 BST 2002


On Friday 27 September 2002 04:48, Karl-Heinz Zimmer wrote:
> On Friday 27 September 2002 10:17, Neil Stevens wrote:
> > On Friday September 27, 2002 01:05, Simon Hausmann wrote:
> > > It is not more secure at all because the mlock()/munlock() calls
> > > will fail if the process is not running with root privileges.
> > > Citing Waldo: Sorry, security is not optional :)
> >
> > Well, it's free software.  Anyone who wants it optional is going to make
> > it optional.  The only question is, are people going to be able to have
> > flexible security models within KDE, or will they have to fork KDE to do
> > so?
>
> OK, another question is:
>
>    Will people be able to run programs using KPasswordEdit if *not*
>    being able to run it as root?
>
> Not everybody has full control over the system she is working with so
> this change might result in some trouble in some programs...
>
> Just my 2 pence.  ;-)

If you don't have enough privileges or if something else goes wrong, mlock 
doesn't lock the memory, but the whole program still runs without 
problem, only in 'unsecure memory'. So, the patch won't stop anyone from using 
KPasswordEdit... it will just make it more secure when it can.
I remember reading somewhere that mlock wasn't forbidden to users but limited. 
While root can mlock a lot of memory, users can lock just some part, but I 
can't find that anymore.
The original patch also added a setPassword(const char *) method to set the 
password in the KPasswordEdit, is that a bad idea?
Well, here I include another patch that only adds setPassword() (const char * 
and const QString &) to KPasswordEdit if anyone is interested.

-- 
Pupeno: pupeno at pupeno.com
http://www.pupeno.com
---
Help the hungry children of Argentina, 
please go to (and make it your homepage):
http://www.porloschicos.com/servlet/PorLosChicos?comando=donar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: newsetpassword.patch
Type: text/x-diff
Size: 1662 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20020927/dc95ff11/attachment.patch>
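
The best-effort locking discussed in this message (try mlock(), keep running in pageable memory if it fails), sketched in C as an added example; it is not part of the original message or of the attached patch. `secret_buf` and its functions are hypothetical names, and the program also prints RLIMIT_MEMLOCK, the per-process cap on locked memory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper, not KPasswordEdit code: a best-effort locked buffer. */
struct secret_buf {
    char  *data;
    size_t size;        /* page-rounded allocation size */
    int    locked;      /* 1 if mlock() succeeded, 0 if pages may be swapped */
    int    lock_errno;  /* errno from a failed mlock(), otherwise 0 */
};

/* Returns 0 when the buffer is usable (locked or not), -1 if allocation failed. */
int secret_buf_init(struct secret_buf *b, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    b->size = (want / page + 1) * page;       /* always at least one full page */
    b->data = aligned_alloc(page, b->size);   /* page-aligned for mlock() */
    if (b->data == NULL) return -1;
    b->locked = (mlock(b->data, b->size) == 0);
    b->lock_errno = b->locked ? 0 : errno;    /* usually ENOMEM or EPERM */
    return 0;
}

/* Wipe through a volatile pointer so the stores are not optimised away. */
void secret_buf_free(struct secret_buf *b)
{
    volatile char *p = b->data;
    for (size_t i = 0; i < b->size; i++)
        p[i] = 0;
    if (b->locked) munlock(b->data, b->size);
    free(b->data);
}

int main(void)
{
    struct rlimit rl;
    struct secret_buf b;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)  /* per-process cap on locked bytes */
        printf("RLIMIT_MEMLOCK soft limit: %llu\n", (unsigned long long)rl.rlim_cur);
    if (secret_buf_init(&b, 256) != 0) return 1;
    printf("locked=%d (%s)\n", b.locked, b.locked ? "in RAM" : strerror(b.lock_errno));
    secret_buf_free(&b);
    return 0;
}
```

A caller that must not hold a secret in swappable memory can check `locked` and refuse to proceed; a caller that accepts the fallback can log `lock_errno` so the degraded mode is visible.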

