[PATCH 1/1] su: Add a delay if the password is incorrect
John Spencer
maillist-busybox at barfooze.de
Wed Mar 12 23:15:45 UTC 2014
Romain Naour wrote:
> Hi,
> On 04/03/2014 22:27, Romain Naour wrote:
>> Signed-off-by: Romain Naour <romain.naour at openwide.fr>
>> ---
>> loginutils/su.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/loginutils/su.c b/loginutils/su.c
>> index c51f26f..f812505 100644
>> --- a/loginutils/su.c
>> +++ b/loginutils/su.c
>> @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
>> if (ENABLE_FEATURE_SU_SYSLOG)
>> syslog(LOG_NOTICE, "%c %s %s:%s",
>> '-', tty, old_user, opt_username);
>> + bb_do_delay(LOGIN_FAIL_DELAY);
>> bb_error_msg_and_die("incorrect password");
>> }
>>
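Review bot: the commit message carries only a Signed-off-by line and gives no rationale for the `bb_do_delay(LOGIN_FAIL_DELAY);` line added ahead of `bb_error_msg_and_die("incorrect password");`. Please state the intent and its scope there. As placed, the delay runs inside the failing su process just before it exits, so it slows a single sequential retry loop but does not limit attempts made by separately started su invocations, and the message should say that this is the intended scope. The position after the `syslog(LOG_NOTICE, ...)` call is good, since the failure is logged before the process sleeps; a one-line comment noting that ordering would help keep it that way.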
> Any comment or review on this patch ?
> There is a small delay in su from util-linux if the password is wrong.
that doesn't help cracking attempts, the bruteforce tool could just spawn
many processes. this will only delay the most naive attacker.
>
> Best regards,
> Romain Naour