[PATCH 1/1] su: Add a delay if the password is incorrect

Laurent Bercot ska-dietlibc at skarnet.org
Fri Mar 14 08:08:08 UTC 2014


On 2014-03-13 22:16, John Spencer wrote:
>> You could make it rigorous by touching a fixed filename in /var/run
>> each time and sleeping until a fixed interval has elapsed past that
>> file's mtime. Unless you do that though, adding a delay is just a
>> nuisance. It does not hinder competent attackers and it annoys
>> legitimate users who mistype their password.
>
> correct, and that's exactly what sabotage linux' su implementation does:
> https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
> (only difference: it uses /var/lib)

  Please consider using /tmp instead, so su works even when /var has not
been mounted yet. (This is useful for recovery situations.)

-- 
  Laurent
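
As an added example (not sabotage's su.c and not busybox code), here is how the stamp-file delay described in the quoted text can be written in C. The stamp name, the two-second interval and the function names are assumptions; the thread only speaks of "a fixed filename" and "a fixed interval". It goes one step past the quoted description: instead of sleeping until the interval has elapsed past the stamp's mtime and then touching it, it writes the reserved finish time into the mtime before sleeping, so concurrent failed attempts queue one interval apart rather than all waiting on the same old timestamp. Because /tmp is world-writable, the stamp is opened with O_NOFOLLOW and checked to be a regular file owned by the caller before its mtime is changed; if that check fails the code falls back to a plain constant sleep.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Assumed name and interval: the thread only speaks of "a fixed filename"
 * and "a fixed interval". sabotage uses /var/lib; Laurent suggests /tmp. */
#define SU_FAIL_STAMP    "/tmp/su-fail-stamp"
#define SU_FAIL_INTERVAL 2L

/* Earliest time at which this attempt may report failure: one interval after
 * the previously reserved slot, or now if that has already passed. Kept pure
 * so it can be tested without touching the filesystem. */
time_t next_attempt_slot(time_t prev_slot, time_t now, long interval)
{
    time_t next = prev_slot + interval;
    return next > now ? next : now;
}

/* Open the stamp without following symlinks and insist on a regular file we
 * own. In a world-writable directory such as /tmp another user could
 * otherwise plant a link and have root rewrite some other file's mtime. */
static int open_stamp(const char *path, struct stat *st)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, st) < 0 || !S_ISREG(st->st_mode) || st->st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Call after a wrong password. The reserved slot is written into the stamp's
 * mtime before sleeping, so concurrent failures queue one interval apart.
 * Returns the seconds slept, or -1 if the stamp was unusable (fixed sleep). */
long su_fail_delay(const char *path, long interval)
{
    struct stat st;
    struct timespec ts[2];
    time_t now, slot;
    int fd = open_stamp(path, &st);

    if (fd < 0) {
        sleep((unsigned)interval);   /* fallback: plain constant delay */
        return -1;
    }
    now = time(NULL);
    slot = next_attempt_slot(st.st_mtime, now, interval);

    ts[0].tv_sec = 0;    ts[0].tv_nsec = UTIME_OMIT;  /* leave atime alone */
    ts[1].tv_sec = slot; ts[1].tv_nsec = 0;           /* mtime = reserved slot */
    if (futimens(fd, ts) < 0) {
        close(fd);
        sleep((unsigned)interval);
        return -1;
    }
    close(fd);

    if (slot > now)
        sleep((unsigned)(slot - now));
    return (long)(slot - now);
}

int main(void)
{
    /* Three consecutive wrong passwords: the first waits one interval past the
     * stamp's current mtime, each later one queues behind the previous slot. */
    for (int i = 0; i < 3; i++)
        printf("attempt %d: slept %lds\n", i + 1,
               su_fail_delay(SU_FAIL_STAMP, SU_FAIL_INTERVAL));
    return 0;
}
```

In a real su the call sits immediately after the password comparison fails and before the error message is printed. A freshly created stamp has mtime equal to now, so the very first failure still pays one full interval. If another user pre-creates a regular file under the stamp name, the ownership check fails and the code degrades to the constant sleep; that defeats the serialisation but never lets root follow a link or change a file it did not create.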



More information about the busybox mailing list