From 62b38a6765917cf00fcb4661b014582a952869ee Mon Sep 17 00:00:00 2001 From: DTB Date: Thu, 18 Apr 2024 10:03:02 -0600 Subject: [PATCH] peek(1): strip down to bare essentials, rewrite man page to match --- docs/peek.1 | 82 ++++++++++++++++++----------------------------------- src/peek.c | 72 +++++++++++++++++++--------------------------- 2 files changed, 57 insertions(+), 97 deletions(-) diff --git a/docs/peek.1 b/docs/peek.1 index 21c5069..e73a702 100644 --- a/docs/peek.1 +++ b/docs/peek.1 @@ -12,52 +12,17 @@ peek \(en read from standard input, furtively .SH SYNOPSIS peek -.RB ( -1enot ) -.RB ( -p -.RB [ program -.RB [ arguments... ]]) +.RB ( -i ) .SH DESCRIPTION -Peek reads input from standard input with terminal echo disabled, which may be -useful to prevent secrets being spied upon by adversaries watching a user's -screen. +Peek reads input from standard input with terminal echo disabled. .SH OPTIONS -.B -1 +.B -i .RS -Limits input to a single line (stopping when the newline character is read). -.RE - -.B -e -.RS -Configures peek to output to standard error. -.RE - -.B -n -.RS -Prints ("iNcludes") the terminating character in outputs. This is nonsensical -if not combined with the -.B -1 -option. -.RE - -.B -o -.RS -Configures peek to output to standard output. -.RE - -.B -p -.RS -Configures peek to pipe output to an executed child program, e.g. a password -hashing utility. This is provided as a convenience and to avoid potential -insecurities resulting from programmer error in scripts. -.RE - -.B -t -.RS -Makes peek exit if not run within a terminal. +Allows input to come from sources other than terminals (i.e. a pipe). .RE .SH DIAGNOSTICS @@ -70,36 +35,45 @@ still usable after premature termination; if the signal can't be handled, it prints an error message and continues. If peek is interrupted, it exits unsuccessfully, without an error message. +.SH RATIONALE + +This tool was originally written to accept passwords in shell scripts, as an +extremely simple alternative to the GNU Privacy Guard project's pinentry(1). +Accepting input without showing what is being typed is useful when keying in +secrets in public settings or places with installed surveillance cameras. + .SH BUGS -Accepting secrets in shell scripts is not adviseable in any context. +This does nothing to prevent others seeing the keyboard being used to input +secrets or mask the sound of typing. Audio or video recordings of typing can be +used to determine what was input without needing to see the characters appear +on the screen. -If used in a safety-critical application it must be ensured that the -environment with which peek is used is not compromised. +Accepting secrets in shell scripts is probably not adviseable. On systems that support it, the ioctl(2) command TIOCSTI can be used to insert characters into the standard input going to peek. This doesn't allow snooping but can be used for general mischief. -Peek will happily run without outputs, slurping input and doing nothing with -it. - .SH EXAMPLES -This is a command line for POSIX sh(1), using POSIX env(1) to discard the -environment except for PATH, and htpassword(1) from Apache's utilities to hash -the input with the bcrypt algorithm, printing the resulting hash: +This is an sh(1p) command line that hashes a given password. It uses head(1p) +to only accept one line of input, xargs(1p) and printf(1p) to strip the +trailing newline, htpasswd(1) from Apache's utilities to hash the input with +the bcrypt algorithm, and cut(1p) to print only the resulting hash: .RS -.R $ env -i PATH="$PATH" peek -1tp htpasswd -nBi _ | cut -d : -f 2 +.R $ peek | head -n 1 | xargs printf '%s' | htpasswd -nBi _ | cut -d : -f 2 .RE -This is a POSIX sh(1) command line that lets a user blindly write into a text -file, only able to see written lines. Some writers have the habit of -prematurely revising their work and use tools like this to prevent it: +This is an sh(1p) command line that lets a user blindly write into a text file, +only able to see written lines. Some writers have the habit of prematurely +revising their work and use tools like this to prevent it. It uses mm(1) to +pipe the output of peek to both the standard error and the regular file +writing.txt. .RS -.R $ echo Input ^D to quit. && peek -eot >writing.txt +.R $ echo Input ^D to quit. && peek | mm -eo - >writing.txt .RE .SH AUTHOR @@ -113,4 +87,4 @@ Copyright (c) 2023-2024 DTB. License AGPLv3+: GNU AGPL version 3 or later .SH SEE ALSO -env(1), ioctl(2), ioctl_tty(2), read(1), sh(1) +ioctl(2), ioctl_tty(2), read(1), sh(1) diff --git a/src/peek.c b/src/peek.c index 277401c..67d0a42 100644 --- a/src/peek.c +++ b/src/peek.c @@ -17,75 +17,66 @@ */ #include /* sigaction(2), signal(2), struct sigaction, SIGINT */ -#include /* fclose(3), fdopen(3), fprintf(3), getc(3), perror(3), - * putc(3), stderr, stdin, stdout, EOF, NULL */ -#include /* exit(3), size_t, EXIT_FAILURE */ -#include /* strerror(3) */ +#include /* fprintf(3), fgetc(3), perror(3), fputc(3), stderr, stdin, + * stdout, EOF, NULL */ +#include /* exit(3), EXIT_FAILURE */ #if !defined EX_OK || !defined EX_OSERR || !defined EX_USAGE # include #endif #include /* tcgetattr(3), tcsetattr(3), struct termios, ECHO */ #include /* getopt(3), isatty(3), STDIN_FILENO */ -static int oserr(char *s){ perror(s); return EX_OSERR; } - static char *program_name = "peek"; -static int usage(char *s){ - fprintf(stderr, "Usage: %s (-1enot) (-p [program [arguments...]])\n", - s == NULL ? program_name : s); - return EX_USAGE; -} - /* Restores terminal echo; otherwise when a user ^Cs the terminal would * continue to not display typed text. If sig isn't zero, this will terminate * the program. */ -void restore_echo(int sig){ +static void restore_echo(int sig){ static struct termios t; tcgetattr(STDIN_FILENO, &t); t.c_lflag |= ECHO; tcsetattr(STDIN_FILENO, TCSAFLUSH, &t); + /* If, for whatever ungodly reason, exit(3) returns, the user will notice + * their typed characters on the screen. */ if(sig != 0) exit(EXIT_FAILURE); - else - return; + + return; +} + +static int oserr(char *s){ perror(s); return EX_OSERR; } +static int ioerr(char *s){ perror(s); restore_echo(0); return EX_IOERR; } +static int usage(char *s){ + fprintf(stderr, "Usage: %s (-1enot) (-p [program [arguments...]])\n", s); + return EX_USAGE; } int main(int argc, char *argv[]){ - int eof; - char include_eof; - FILE *outputs[] = { - NULL /* stdout */, - NULL /* stderr */ - }; if(argc < 1) - return usage(argv[0]); + return usage(program_name); - eof = EOF; - include_eof = 0; { /* options parsing */ + char allow_nonterminals; int c; - while((c = getopt(argc, argv, "1enot")) != -1) + allow_nonterminals = 0; + while((c = getopt(argc, argv, "i")) != -1) switch(c){ - case '1': eof = '\n'; break; - case 'n': include_eof = 1; break; - case 'o': outputs[0] = stdout; break; - case 'e': outputs[1] = stderr; break; - case 't': - if(isatty(STDIN_FILENO) != 1){ - fprintf(stderr, "%s: Must be run in a terminal" - " (option -t specified)\n", argv[0]); - return EX_USAGE; - } + case 'i': allow_nonterminals = 1; break; default: return usage(argv[0]); } if(argc > optind) return usage(argv[0]); + + if(!allow_nonterminals && isatty(STDIN_FILENO) != 1){ + fprintf(stderr, "%s: Must be run in a terminal" + " (option -i skips this check)\n", argv[0]); + return EX_USAGE; + } } { /* install signal handler */ @@ -116,15 +107,10 @@ int main(int argc, char *argv[]){ { /* actual input loop */ int c; - size_t i; - do{ if((c = getc(stdin)) != eof || include_eof) - for(i = 0; i < (sizeof outputs)/(sizeof *outputs); ++i) - if(outputs[i] != NULL && putc(c, outputs[i]) == EOF){ - perror(argv[0]); - outputs[i] = NULL; - } - }while(c != eof); + while((c = getc(stdin)) != EOF) + if(putc(c, stdout) == EOF) + return ioerr(argv[0]); } restore_echo(0);