On Fri, Mar 14, 2014 at 08:08:08AM +0000, Laurent Bercot wrote:
> On 2014-03-13 22:16, John Spencer wrote:
> >>You could make it rigorous by touching a fixed filename in /var/run
> >>each time and sleeping until a fixed interval has elapsed past that
> >>file's mtime. Unless you do that though, adding a delay is just a
> >>nuisance. It does not hinder competent attackers and it annoys
> >>legitimate users who mistype their password.
> >
> >correct, and that's exactly what sabotage linux' su implementation does:
> >https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
> >(only difference: it uses /var/lib)
>
> Please consider using /tmp instead, so su works even when /var has not
> been mounted yet. (This is useful for recovery situations.)

/tmp is not suitable for this; you can never assume the ability to
create a fixed-name file in /tmp, since the namespace of /tmp is shared
on a first-come, first-served basis. Any programs using /tmp except for
creating randomly-named files there are buggy.

It would probably be suitable to skip the check if the appropriate
directory under /var does not exist (but not just if opening it fails
for a reason other than non-existence, since you don't want, e.g.,
fd-exhaustion attacks to let an attacker bypass the rate-limiting).

Rich
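
An added example, not part of the original message and not the sabotage su.c code: one way to apply the rule in the reply above, where only a missing state directory (ENOENT) skips the rate limit and every other failure refuses the attempt. The function names, RL_FAIL, and the directory and stamp-file names passed in by the caller are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define RL_FAIL (-1) /* fail closed: caller must refuse the attempt */

/* Open the state dir; *skip is set only when it does not exist (ENOENT). */
static int open_state_dir(const char *dir, int *skip)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    *skip = (dfd < 0 && errno == ENOENT);
    return dfd;
}

/* Seconds to wait before the next attempt; RL_FAIL on unexpected errors. */
int attempt_delay(const char *dir, const char *stamp, int interval, time_t now)
{
    struct stat st;
    int skip, dfd = open_state_dir(dir, &skip);
    if (dfd < 0)
        return skip ? 0 : RL_FAIL; /* EMFILE, ENFILE, ... must not bypass */
    int r = fstatat(dfd, stamp, &st, AT_SYMLINK_NOFOLLOW);
    int err = errno;
    close(dfd);
    if (r < 0)
        return err == ENOENT ? 0 : RL_FAIL; /* ENOENT: no failure recorded yet */
    time_t due = st.st_mtime + interval;
    return due > now ? (int)(due - now) : 0;
}

/* Record a failed attempt: set the stamp file's mtime to `now`. */
int record_failure(const char *dir, const char *stamp, time_t now)
{
    struct timespec ts[2] = { { now, 0 }, { now, 0 } };
    int skip, dfd = open_state_dir(dir, &skip);
    if (dfd < 0)
        return skip ? 0 : RL_FAIL;
    int fd = openat(dfd, stamp, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0)
        return RL_FAIL;
    int r = futimens(fd, ts);
    close(fd);
    return r < 0 ? RL_FAIL : 0;
}
```

A caller would sleep for the value returned by attempt_delay() before checking the password, refuse outright on RL_FAIL, and call record_failure() after a wrong password.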
