[PATCH 1/1] su: Add a delay if the password is incorrect
Rich Felker
dalias at aerifal.cx
Thu Mar 13 21:12:51 UTC 2014
On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote:
> Romain Naour wrote:
> >Hi,
> >On 04/03/2014 22:27, Romain Naour wrote:
> >>Signed-off-by: Romain Naour <romain.naour at openwide.fr>
> >>---
> >> loginutils/su.c | 1 +
> >> 1 file changed, 1 insertion(+)
> >>
> >>diff --git a/loginutils/su.c b/loginutils/su.c
> >>index c51f26f..f812505 100644
> >>--- a/loginutils/su.c
> >>+++ b/loginutils/su.c
> >>@@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
> >> if (ENABLE_FEATURE_SU_SYSLOG)
> >> syslog(LOG_NOTICE, "%c %s %s:%s",
> >> '-', tty, old_user, opt_username);
> >>+ bb_do_delay(LOGIN_FAIL_DELAY);
> >> bb_error_msg_and_die("incorrect password");
> >> }
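Review bot: the added bb_do_delay(LOGIN_FAIL_DELAY) in the "incorrect password" branch sleeps only in the process that failed, so it bounds nothing system-wide: a caller can run many su instances in parallel and each pays its delay independently. Either state in the commit message (only a Signed-off-by is visible above) that this is a nuisance delay for interactive mistypes rather than a brute-force control, or key the delay off shared state so concurrent failures queue. Two smaller points on the same hunk: the sleep sits before bb_error_msg_and_die("incorrect password"), so a user who mistyped gets no feedback until the delay has elapsed (if that is not intended, print the message, then delay, then exit), and the hunk adds no include, so please confirm LOGIN_FAIL_DELAY and bb_do_delay are already visible in su.c through the headers it includes.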
> >Any comment or review on this patch ?
> >There is a small delay in su from util-linux if the password is wrong.
>
> That doesn't help against cracking attempts; the brute-force tool could just
> spawn many processes. This will only delay the most naive attacker.
You could make it rigorous by touching a fixed filename in /var/run
each time and sleeping until a fixed interval has elapsed past that
file's mtime. Unless you do that though, adding a delay is just a
nuisance. It does not hinder competent attackers and it annoys
legitimate users who mistype their password.
Rich
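The shared-file scheme Rich sketches, worked out as an added example (this is not busybox code and not part of the thread). One fixed file carries, in its mtime, the end of the most recently reserved delay slot; each failed attempt reserves the slot after it and sleeps until then, so N simultaneous failures wait N times the interval in total instead of one interval each. The function name, the path parameter, the flock() serialisation and the O_NOFOLLOW open are my assumptions, not anything the reply specifies.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/*
 * Global failure delay keyed on one file's mtime (hypothetical helper).
 * The mtime holds the end of the last reserved delay slot.  A failed
 * attempt reserves the next slot (last slot or "now", whichever is later,
 * plus the interval), stores it back as the mtime, and sleeps until it is
 * reached.  The slot is shared by every process using the file, so
 * concurrent failures queue up rather than sleeping in parallel.
 *
 * Returns the number of seconds waited, or -1 if the file could not be
 * used (a caller should then fall back to a plain local delay, not skip it).
 */
long global_fail_delay(const char *path, unsigned interval)
{
    /* O_NOFOLLOW: the file is meant to live in a root-owned directory such
     * as /var/run; refuse to follow a symlink planted at that name. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    /* flock() serialises the read-modify-write of the mtime (an assumption
     * added here).  Without it two concurrent failures could read the same
     * slot and both sleep for only a single interval. */
    if (flock(fd, LOCK_EX) < 0) {
        close(fd);
        return -1;
    }

    struct stat st;
    if (fstat(fd, &st) == 0) {
        time_t now  = time(NULL);
        time_t base = st.st_mtime > now ? st.st_mtime : now;
        time_t next = base + interval;

        /* Store the reserved slot as the mtime; atime is left untouched. */
        struct timespec ts[2] = { { 0, UTIME_OMIT }, { next, 0 } };
        if (futimens(fd, ts) == 0) {
            long waited = (long)(next - now);
            flock(fd, LOCK_UN);
            close(fd);
            /* sleep() can return early on a signal, so loop on the clock. */
            for (;;) {
                time_t t = time(NULL);
                if (t >= next)
                    break;
                sleep((unsigned)(next - t));
            }
            return waited;
        }
    }
    flock(fd, LOCK_UN);
    close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    /* Demo only: the path is an argument so an unprivileged run works;
     * a real su would hard-code a root-owned file under /var/run. */
    const char *path = argc > 1 ? argv[1] : "/tmp/su-fail-delay.demo";
    long w = global_fail_delay(path, 2);
    if (w < 0) {
        perror(path);
        return 1;
    }
    printf("waited %ld s; the next failure on this host waits at least 2 s more\n", w);
    return 0;
}
```

Run it twice in quick succession from two shells and the second invocation waits about twice as long as the first, which is the property a per-process sleep cannot give. The trade-off a practitioner should weigh before shipping it: the slot is a host-wide shared resource, so any local user who can fail su repeatedly can keep it reserved far into the future and turn every other user's mistyped password into a long wait. That is a denial-of-service knob in exchange for the brute-force bound, and it is why the plain per-process delay, for all its weakness, is the one most implementations settle for.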