On 2014-03-13 22:16, John Spencer wrote:
> > You could make it rigorous by touching a fixed filename in /var/run
> > each time and sleeping until a fixed interval has elapsed past that
> > file's mtime. Unless you do that though, adding a delay is just a
> > nuisance. It does not hinder competent attackers and it annoys
> > legitimate users who mistype their password.
>
> correct, and that's exactly what sabotage linux' su implementation does:
> https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
> (only difference: it uses /var/lib)

Please consider using /tmp instead, so su works even when /var has not
been mounted yet. (This is useful for recovery situations.)

--
Laurent
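The stamp-file delay described in the quoted text, written out as an added example; this is not the sabotage su.c nor BusyBox code, and the stamp path, the 2-second interval and the strcmp() stand-in for real password verification are assumptions made here for illustration. One caveat worth building in if the stamp lives in /tmp, as suggested above: any local user can pre-create the fixed name, so the code refuses a stamp it does not own, opens with O_NOFOLLOW, and caps a future-dated mtime at one interval so a tampered file can delay but never lock out su.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Minimum spacing between password attempts, in seconds (assumed value). */
#define SU_FAIL_DELAY 2

/* Stamp location is an assumption for this example; the thread discusses
 * /var/run, /var/lib and /tmp as candidates. */
#define SU_STAMP_DEFAULT "/tmp/su-fail-stamp"

/* Seconds still to wait, given the stamp's mtime and the current time.
 * A stamp dated in the future (clock step, or a tampered file) is capped at
 * one full interval, so it can never hold su back longer than SU_FAIL_DELAY. */
static time_t remaining_delay(time_t stamp_mtime, time_t now)
{
    if (stamp_mtime > now)
        return SU_FAIL_DELAY;
    if (now - stamp_mtime >= SU_FAIL_DELAY)
        return 0;
    return SU_FAIL_DELAY - (now - stamp_mtime);
}

/* lstat() the stamp and sanity-check it. Returns 1 if it does not exist,
 * 0 if it is a regular file owned by our effective uid, -1 otherwise
 * (symlink, or a name pre-created by another user in a sticky /tmp). */
static int stamp_stat(const char *path, struct stat *st)
{
    if (lstat(path, st) != 0)
        return 1;
    if (!S_ISREG(st->st_mode) || st->st_uid != geteuid())
        return -1;
    return 0;
}

/* Sleep until SU_FAIL_DELAY has elapsed past the stamp's mtime.
 * Returns the number of seconds slept (0 when no wait was needed). */
static unsigned wait_for_stamp(const char *path)
{
    struct stat st;
    unsigned slept = 0;
    int rc = stamp_stat(path, &st);
    if (rc == 1)
        return 0;                       /* no failed attempt recorded yet */
    /* Untrusted stamp: ignore its mtime but still impose the full delay. */
    time_t mtime = (rc == 0) ? st.st_mtime : time(NULL);
    time_t rem = remaining_delay(mtime, time(NULL));
    while (rem > 0) {
        sleep((unsigned)rem);
        slept += (unsigned)rem;
        rem = remaining_delay(mtime, time(NULL));
    }
    return slept;
}

/* Record a failed attempt by creating the stamp if needed and setting its
 * mtime to now. Returns 0 on success, -1 if the directory is missing or
 * unwritable, or the path is not a regular file we own. */
static int touch_stamp(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    int rc = futimens(fd, NULL);        /* NULL: atime and mtime = now */
    close(fd);
    return rc;
}

/* One password attempt: wait out any pending delay first, then on failure
 * record the failure. strcmp() stands in for real hash verification.
 * Returns 1 on success, 0 on a wrong password, -1 if the failure could not
 * be recorded (the caller should treat that as a failure too). */
static int su_attempt(const char *stamp, const char *entered, const char *expected)
{
    wait_for_stamp(stamp);
    if (strcmp(entered, expected) == 0)
        return 1;
    return touch_stamp(stamp) == 0 ? 0 : -1;
}

int main(void)
{
    const char *stamp = SU_STAMP_DEFAULT;
    time_t t0 = time(NULL);
    printf("attempt 1 (wrong): %d\n", su_attempt(stamp, "guess", "s3cret"));
    printf("attempt 2 (wrong): %d\n", su_attempt(stamp, "guess2", "s3cret"));
    printf("attempt 3 (right): %d\n", su_attempt(stamp, "s3cret", "s3cret"));
    printf("three attempts took %ld s (two delays expected)\n",
           (long)(time(NULL) - t0));
    return 0;
}
```

Because the delay is keyed to the file's mtime rather than to the failing process, a second su started in parallel still has to wait for the same stamp, which is what makes the scheme rigorous; a plain sleep() in the failing process alone can be sidestepped by just running several su instances at once.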

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox