[PATCH 1/1] su: Add a delay if the password is incorrect
Denys Vlasenko
vda.linux at googlemail.com
Sun Mar 16 21:04:33 UTC 2014
On Sunday 16 March 2014 21:25, Rich Felker wrote:
> On Sun, Mar 16, 2014 at 11:19:02AM +0100, Denys Vlasenko wrote:
> > On Tuesday 04 March 2014 22:27, Romain Naour wrote:
> > > Signed-off-by: Romain Naour <romain.naour at openwide.fr>
> > > ---
> > > loginutils/su.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/loginutils/su.c b/loginutils/su.c
> > > index c51f26f..f812505 100644
> > > --- a/loginutils/su.c
> > > +++ b/loginutils/su.c
> > > @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
> > > if (ENABLE_FEATURE_SU_SYSLOG)
> > > syslog(LOG_NOTICE, "%c %s %s:%s",
> > > '-', tty, old_user, opt_username);
> > > + bb_do_delay(LOGIN_FAIL_DELAY);
> > > bb_error_msg_and_die("incorrect password");
> > > }
> >
> >
> > Applied, thanks!
>
> Did you miss the part about this being useless to security but
> annoying to users? If busybox is going to add the delay, it should do
> it right (in such a way that attackers can't circumvent the delay).
I made the behavior consistent.
If we are to remove delays, we need to do in in all five places, no?
More information about the busybox
mailing list