On Sunday 16 March 2014 21:25, Rich Felker wrote: > On Sun, Mar 16, 2014 at 11:19:02AM +0100, Denys Vlasenko wrote: > > On Tuesday 04 March 2014 22:27, Romain Naour wrote: > > > Signed-off-by: Romain Naour <[email protected]> > > > --- > > > loginutils/su.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/loginutils/su.c b/loginutils/su.c > > > index c51f26f..f812505 100644 > > > --- a/loginutils/su.c > > > +++ b/loginutils/su.c > > > @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) > > > if (ENABLE_FEATURE_SU_SYSLOG) > > > syslog(LOG_NOTICE, "%c %s %s:%s", > > > '-', tty, old_user, opt_username); > > > + bb_do_delay(LOGIN_FAIL_DELAY); > > > bb_error_msg_and_die("incorrect password"); > > > } > > > > > > Applied, thanks! > > Did you miss the part about this being useless to security but > annoying to users? If busybox is going to add the delay, it should do > it right (in such a way that attackers can't circumvent the delay).
I made the behavior consistent. If we are to remove delays, we need to do it in all five places, no?
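Review bot: the added `bb_do_delay(LOGIN_FAIL_DELAY);` in the `su_main()` failure path sleeps inside the su process that is about to exit, immediately before `bb_error_msg_and_die("incorrect password")`, so it only holds back a caller that waits for that process to finish, and the commit message (a Signed-off-by line only) does not say what the delay is meant to achieve. Please state the intent in the commit message or in a comment above the call, for example that it matches the delay used in the other login applets, so later readers do not take it for a rate limit. Also confirm the new line sits at the indentation level of `bb_error_msg_and_die(...)`: the `if (ENABLE_FEATURE_SU_SYSLOG)` above it has no braces and governs only the `syslog()` call, and the delay should run whether or not syslog support is enabled. Keeping the `syslog()` call ahead of the delay, as the hunk does, is the right order, since the failure is then recorded before the process sleeps.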
