KPasswordEdit patch (was Re: new widgets...)
Guillaume Laurent
glaurent at telegraph-road.org
Sun Sep 29 00:54:03 BST 2002
On Saturday 28 September 2002 22:49, Malte Starostik wrote:
> On Friday 27 September 2002 10:50, Neil Stevens wrote:
> > Grr.. that's not what I meant to convey. I agree the mlock is worthless.
> > I think the const char * is just as worthless.
> >
> > I'm talking about making optional the use of a clunky, inconvenient const
> > char *, when a QString is no less safe for nearly all of KDE's users.
>
> Having used the STL excessively in the past few weeks I have to say the
> real fix would be to extend QString so that one can use a custom allocator
> like with std::string. Then this custom allocator could care for wiping the
> memory used for the password without losing the power of QString...
I'm not sure I understand this need for wiping the password. Suppose you don't
wipe it and it gets somehow written on disk, either through a core dump, or
on the swap. Then what ? If a bad guy has access to the core file, he has
access to your files, so you're screwed. If a bad guy has access to the swap,
then he's root, so you've totally screwed.
Then there's the case of someone having physical access to your disc and
trying to "re-read" what was written there after hundreds of rewrite. First
of all, I've yet to hear of an actual case of such data recovery. Second,
even if that was possible, a swap area gets written over *way more* than
"hundreds of times" throughout its lifetime. And finally, even if this is
still possible, then the bad guy has physical access to all of your files.
So it seems you're trying to lock the door of a blown up house here.
--
Guillaume.
http://www.telegraph-road.org
More information about the kde-core-devel
mailing list