Hi,
On 13/03/2014 23:16, John Spencer wrote:
Rich Felker wrote:
On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote:
Romain Naour wrote:
Hi,
On 04/03/2014 22:27, Romain Naour wrote:
Signed-off-by: Romain Naour <[email protected]>
---
loginutils/su.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/loginutils/su.c b/loginutils/su.c
index c51f26f..f812505 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
if (ENABLE_FEATURE_SU_SYSLOG)
syslog(LOG_NOTICE, "%c %s %s:%s",
'-', tty, old_user, opt_username);
+ bb_do_delay(LOGIN_FAIL_DELAY);
bb_error_msg_and_die("incorrect password");
}
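Review bot: bb_do_delay(LOGIN_FAIL_DELAY) here sleeps only in the process that failed, so it slows a single naive loop but does nothing against an attacker who runs many su processes in parallel, while every legitimate user who mistypes pays the full delay. If the delay is meant to rate-limit guessing, tie it to shared state instead (for instance the mtime of a fixed file under /var/run, sleeping until LOGIN_FAIL_DELAY has elapsed since the last recorded failure across all processes). Placing the call after the syslog() line is right, since the failure is logged before the sleep. The commit message should also say why the delay is added and that su from util-linux behaves the same way, rather than carrying only the Signed-off-by line.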
Any comment or review on this patch?
There is a small delay in su from util-linux if the password is wrong.
That doesn't help against cracking attempts; the bruteforce tool could just
spawn many processes. This will only delay the most naive attacker.
You could make it rigorous by touching a fixed filename in /var/run
each time and sleeping until a fixed interval has elapsed past that
file's mtime. Unless you do that though, adding a delay is just a
nuisance. It does not hinder competent attackers and it annoys
legitimate users who mistype their password.
Correct, and that's exactly what sabotage linux's su implementation does:
https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
(only difference: it uses /var/lib)
Thanks for your feedback.
Ok, I understand why it's not a good fix...
I did not know sabotage-linux project, I'll take a look.
Best regards,
Romain
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
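The fixed-file scheme Rich Felker describes above, worked out in C as an added example (not busybox's su and not sabotage's su.c): a stamp file records the last failed attempt in its mtime, and every failing process sleeps until the interval has elapsed since that stamp, under an exclusive lock so parallel attempts queue up rather than overlap. The stamp path and the interval are parameters chosen by the caller; the thread suggests /var/run (sabotage uses /var/lib), and the interval would be LOGIN_FAIL_DELAY in busybox.

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Seconds still to wait: 0 once `interval` seconds have elapsed since the
 * stamp's mtime. A clock that went backwards counts as a fresh failure. */
long remaining_delay(time_t stamp_mtime, time_t now, long interval)
{
    if (now < stamp_mtime)
        return interval;
    if (now - stamp_mtime >= interval)
        return 0;
    return interval - (long)(now - stamp_mtime);
}

/* Call on every failed authentication, before reporting the failure.
 * Returns the seconds slept, or -1 if the stamp file could not be used. */
long throttle_failed_login(const char *stamp_path, long interval)
{
    struct stat st;
    long wait = 0;
    /* O_NOFOLLOW: never let a symlink planted at the stamp path redirect us. */
    int fd = open(stamp_path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Hold an exclusive lock while sleeping, so concurrent failures queue up
     * one after another instead of all sleeping at the same time. */
    if (flock(fd, LOCK_EX) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    /* A zero-length file was just created by this open() and holds no stamp. */
    if (st.st_size > 0)
        wait = remaining_delay(st.st_mtime, time(NULL), interval);
    if (wait > 0)
        sleep((unsigned)wait);
    /* Record this failure: rewrite one marker byte, which also sets a fresh mtime. */
    if (ftruncate(fd, 0) != 0 || write(fd, "x", 1) != 1)
        wait = -1;
    flock(fd, LOCK_UN);
    close(fd);
    return wait;
}
```

Because the lock is held across the sleep, N concurrent failures take roughly N times the interval in total, which is the property a per-process bb_do_delay() lacks; the stamp only has whole-second resolution, so a second failure in the same second as the first still waits the full interval.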