On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote: > Romain Naour wrote: > >Hi, > >Le 04/03/2014 22:27, Romain Naour a écrit : > >>Signed-off-by: Romain Naour <[email protected]> > >>--- > >> loginutils/su.c | 1 + > >> 1 file changed, 1 insertion(+) > >> > >>diff --git a/loginutils/su.c b/loginutils/su.c > >>index c51f26f..f812505 100644 > >>--- a/loginutils/su.c > >>+++ b/loginutils/su.c > >>@@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) > >> if (ENABLE_FEATURE_SU_SYSLOG) > >> syslog(LOG_NOTICE, "%c %s %s:%s", > >> '-', tty, old_user, opt_username); > >>+ bb_do_delay(LOGIN_FAIL_DELAY); > >> bb_error_msg_and_die("incorrect password"); > >> } > >Any comment or review on this patch ? > >There is a small delay in su from util-linux if the password is wrong. > > that doesn't help cracking attempts, the bruteforce tool could just > spawn many processes. this will only delay the most naive attacker.
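Review bot: the commit message carries nothing but the Signed-off-by line; state the motivation for the added `bb_do_delay(LOGIN_FAIL_DELAY);` on the incorrect-password path (parity with util-linux su, as mentioned downthread) and be explicit that the sleep is per-process, so each failing `su` invocation waits independently and concurrent attempts are not rate-limited as a whole. Placing the delay after the syslog call and before `bb_error_msg_and_die("incorrect password")` is fine, since the failure is still logged immediately and the caller only sees the message after the wait.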
You could make it rigorous by touching a fixed filename in /var/run each time and sleeping until a fixed interval has elapsed past that file's mtime. Unless you do that though, adding a delay is just a nuisance. It does not hinder competent attackers and it annoys legitimate users who mistype their password.

Rich

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
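The stamp-file scheme Rich sketches, carried out as an added C example (this is not busybox or util-linux code; the path `/var/run/su-fail-delay`, the 3-second interval and the function names are assumptions): on a failed password the process takes an exclusive lock on a fixed stamp file, sleeps until the interval has elapsed since the file's mtime, then refreshes the mtime and releases the lock. Because the lock is held across the sleep, N concurrent failures wait one after another rather than in parallel, which is what distinguishes this from a per-process delay.

```c
/* Added example: shared failure delay keyed on a stamp file's mtime.
 * Not busybox code; path, interval and names are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define SU_FAIL_STAMP    "/var/run/su-fail-delay" /* assumed path; root-only dir */
#define SU_FAIL_INTERVAL 3                        /* assumed seconds between failures */

/* Pure helper: seconds still to wait so that at least `interval` seconds
 * separate `now` from the previous failure stamp `last`. A clock that has
 * stepped backwards (last > now) is treated as "wait the full interval". */
long remaining_delay(time_t last, time_t now, long interval)
{
    long elapsed;
    if (now < last)
        return interval;
    elapsed = (long)(now - last);
    return elapsed >= interval ? 0 : interval - elapsed;
}

/* Called on the "incorrect password" path. Returns the seconds waited, or
 * -1 if the stamp file could not be locked or updated (a caller may then
 * fall back to a plain per-process delay). An empty, freshly created stamp
 * file means "no previous failure", so the first failure is not delayed. */
long global_fail_delay(const char *path, long interval)
{
    struct stat st;
    struct flock lk;
    long wait;
    unsigned left;
    int fd = open(path, O_RDWR | O_CREAT | O_NOCTTY, 0600);
    if (fd < 0)
        return -1;

    /* Exclusive advisory lock on the whole file; held across the sleep so
     * that concurrent failures serialize instead of sleeping in parallel. */
    memset(&lk, 0, sizeof lk);
    lk.l_type = F_WRLCK;
    lk.l_whence = SEEK_SET;
    if (fcntl(fd, F_SETLKW, &lk) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }

    wait = (st.st_size == 0) ? 0
         : remaining_delay(st.st_mtime, time(NULL), interval);
    left = (unsigned)wait;
    while (left > 0)            /* sleep() returns the unslept remainder on a signal */
        left = sleep(left);

    /* Rewrite one byte to bump mtime (the "touch"); the next failure in any
     * process now measures its interval from this moment. */
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "x", 1) != 1) {
        close(fd);
        return -1;
    }
    close(fd);                  /* also releases the lock */
    return wait;
}

int main(void)
{
    long waited = global_fail_delay(SU_FAIL_STAMP, SU_FAIL_INTERVAL);
    if (waited < 0)
        perror("global_fail_delay");
    else
        printf("waited %ld second(s) before reporting the failure\n", waited);
    return waited < 0;
}
```

Two properties follow from the stamp being shared: a burst of failures from any source also delays the next attempt of a legitimate user by the same interval, which is the trade-off Rich's "annoys legitimate users" remark points at; and the stamp file has to live in a directory only root can write, otherwise an unprivileged process could reset or advance the mtime. A setuid-root `su` satisfies the second condition by construction.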
