On Sun, Mar 16, 2014 at 11:19:02AM +0100, Denys Vlasenko wrote: > On Tuesday 04 March 2014 22:27, Romain Naour wrote: > > Signed-off-by: Romain Naour <[email protected]> > > --- > > loginutils/su.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/loginutils/su.c b/loginutils/su.c > > index c51f26f..f812505 100644 > > --- a/loginutils/su.c > > +++ b/loginutils/su.c > > @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) > > if (ENABLE_FEATURE_SU_SYSLOG) > > syslog(LOG_NOTICE, "%c %s %s:%s", > > '-', tty, old_user, opt_username); > > + bb_do_delay(LOGIN_FAIL_DELAY); > > bb_error_msg_and_die("incorrect password"); > > } > > > Applied, thanks!
Did you miss the part about this being useless to security but annoying to users? If busybox is going to add the delay, it should do it right (in such a way that attackers can't circumvent the delay). Rich _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
