Rich Felker wrote:
On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote:
Romain Naour wrote:
Hi,
On 04/03/2014 22:27, Romain Naour wrote:
Signed-off-by: Romain Naour <romain.na...@openwide.fr>
---
 loginutils/su.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/loginutils/su.c b/loginutils/su.c
index c51f26f..f812505 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
         if (ENABLE_FEATURE_SU_SYSLOG)
             syslog(LOG_NOTICE, "%c %s %s:%s",
                 '-', tty, old_user, opt_username);
+        bb_do_delay(LOGIN_FAIL_DELAY);
         bb_error_msg_and_die("incorrect password");
     }
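Review bot: the `bb_do_delay(LOGIN_FAIL_DELAY)` inserted before `bb_error_msg_and_die("incorrect password")` only slows the one su process that failed; nothing in this hunk stops a guesser from running many su processes in parallel, each of which pays the delay independently, so the rate limit is per-process rather than per-system, as the replies in this thread point out. Either state that limitation in the commit message or key the delay on shared state (the thread suggests a fixed file under /var/run whose mtime marks the last failure) so concurrent attempts queue behind each other. Placing the delay after the syslog call is correct, since the failure should be logged even if the process is killed during the sleep.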
Any comment or review on this patch?
There is a small delay in su from util-linux if the password is wrong.
That doesn't help against cracking attempts; the brute-force tool could just
spawn many processes. This will only delay the most naive attacker.

You could make it rigorous by touching a fixed filename in /var/run
each time and sleeping until a fixed interval has elapsed past that
file's mtime. Unless you do that though, adding a delay is just a
nuisance. It does not hinder competent attackers and it annoys
legitimate users who mistype their password.

Correct, and that's exactly what sabotage linux's su implementation does:
https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
(only difference: it uses /var/lib)


Rich
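The scheme described above (touch one fixed file on every failed attempt and sleep until a fixed interval has elapsed past its mtime), worked through as an added example in C. This is not BusyBox's su.c and not sabotage's su.c; the state-file path and the interval are placeholders, and one detail is this example's own design choice rather than something the thread specifies: the deadline is stored as the file's mtime, set into the future with futimens under a POSIX record lock, so that two failures arriving at the same moment cannot both read the old mtime and sleep in parallel. Each failure advances the shared deadline by one interval and waits for it, which is what makes the limit hold against many processes at once.

```c
/*
 * Added example (not BusyBox or sabotage code): a global, file-backed
 * failure delay.  Every failed attempt advances the mtime of one shared
 * state file by INTERVAL seconds and then sleeps until that time, so
 * concurrent attempts queue behind each other instead of running in
 * parallel.  Path and interval below are assumed placeholder values.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define FAIL_DELAY_FILE     "/var/run/su-fail-delay"  /* placeholder path */
#define FAIL_DELAY_INTERVAL 3                         /* seconds; assumed */

/* Pure scheduling rule: the next permitted failure is one interval past
 * whichever is later, the recorded deadline (file mtime) or now. */
time_t next_allowed(time_t mtime, time_t now, long interval)
{
    time_t base = mtime > now ? mtime : now;
    return base + interval;
}

/* Record this failure in the state file and return how many seconds the
 * caller must sleep, or -1 if the state file could not be used. */
long fail_delay_arm(const char *statefile, long interval)
{
    int fd = open(statefile, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    /* Serialise stat + utime so two failures cannot read the same mtime. */
    struct flock lk = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };
    if (fcntl(fd, F_SETLKW, &lk) < 0) {
        close(fd);
        return -1;
    }

    struct stat st;
    struct timespec now;
    long wait = -1;
    if (fstat(fd, &st) == 0 && clock_gettime(CLOCK_REALTIME, &now) == 0) {
        time_t next = next_allowed(st.st_mtime, now.tv_sec, interval);
        /* Store the deadline as the file's mtime; atime is left alone. */
        struct timespec ts[2] = {
            { .tv_sec = 0,    .tv_nsec = UTIME_OMIT },
            { .tv_sec = next, .tv_nsec = 0 },
        };
        if (futimens(fd, ts) == 0)
            wait = (long)(next - now.tv_sec);
    }
    close(fd);  /* drops the record lock; the deadline is already stored */
    return wait;
}

/* What a login-style tool would call on the "incorrect password" path.
 * If the state file is unusable it still imposes the base interval, so a
 * broken /var/run never removes the delay entirely. */
void fail_delay(const char *statefile, long interval)
{
    long wait = fail_delay_arm(statefile, interval);
    if (wait < 0)
        wait = interval;
    if (wait > 0)
        sleep((unsigned)wait);
}

int main(int argc, char **argv)
{
    const char *file = argc > 1 ? argv[1] : FAIL_DELAY_FILE;
    long wait = fail_delay_arm(file, FAIL_DELAY_INTERVAL);
    printf("%s: this failure must wait %ld s\n", file, wait);
    if (wait > 0)
        sleep((unsigned)wait);
    return 0;
}
```

The trade-off is the one the thread accepts: because the state is global, a flood of failures from one party also delays everybody else's failed attempts, and that is precisely what makes the limit hold against parallel guessing. A correct password is never delayed, since the file is only touched on the failure path. The state file must live in a directory writable only by su's effective uid, because anyone who can rewrite its mtime can reset or inflate the delay.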


_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox