[PATCH 1/1] su: Add a delay if the password is incorrect

John Spencer maillist-busybox at barfooze.de
Thu Mar 13 22:16:50 UTC 2014


Rich Felker wrote:
> On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote:
>> Romain Naour wrote:
>>> Hi,
>>> On 04/03/2014 22:27, Romain Naour wrote:
>>>> Signed-off-by: Romain Naour <romain.naour at openwide.fr>
>>>> ---
>>>>  loginutils/su.c | 1 +
>>>>  1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/loginutils/su.c b/loginutils/su.c
>>>> index c51f26f..f812505 100644
>>>> --- a/loginutils/su.c
>>>> +++ b/loginutils/su.c
>>>> @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
>>>>          if (ENABLE_FEATURE_SU_SYSLOG)
>>>>              syslog(LOG_NOTICE, "%c %s %s:%s",
>>>>                  '-', tty, old_user, opt_username);
>>>> +        bb_do_delay(LOGIN_FAIL_DELAY);
>>>>          bb_error_msg_and_die("incorrect password");
>>>>      }
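Review bot: the bb_do_delay(LOGIN_FAIL_DELAY) inserted before bb_error_msg_and_die is a per-process sleep, so it only slows the one invocation that failed; N invocations started in parallel each sleep on their own and together still report N failures per LOGIN_FAIL_DELAY seconds. If the aim is actual rate limiting rather than parity with util-linux, the wait needs to be derived from shared state (for example the mtime of a fixed stamp file that every failure touches) rather than a constant, and the commit message should say which of the two it intends, since the summary line gives no rationale. Placing the delay after the syslog call is right: the failure is logged before the wait starts, so the record is not delayed.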
>>> Any comment or review on this patch ?
>>> There is a small delay in su from util-linux if the password is wrong.
>> that doesn't help against cracking attempts, the bruteforce tool could just
>> spawn many processes. this will only delay the most naive attacker.
> 
> You could make it rigorous by touching a fixed filename in /var/run
> each time and sleeping until a fixed interval has elapsed past that
> file's mtime. Unless you do that though, adding a delay is just a
> nuisance. It does not hinder competent attackers and it annoys
> legitimate users who mistype their password.

correct, and that's exactly what sabotage linux' su implementation does:
https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
(only difference: it uses /var/lib)

> 
> Rich
> 
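Rich Felker's stamp-file scheme above, written out as an added example for this thread (it is not BusyBox code and not sabotage's su.c): each failed attempt locks a shared stamp file, reads its mtime as the time of the latest reported failure, sleeps until a fixed interval has elapsed past it, and records its own report time back into the mtime. It goes one step beyond the description by taking a lock and writing a future mtime, so that concurrent failures queue behind one another instead of each sleeping in isolation. The path /tmp/su-fail.stamp, the 2-second interval, the 60-second cap and the function names are assumptions.

```c
/* Added example for this thread, not BusyBox or sabotage-linux code.
 * A global failure delay keyed on a shared stamp file's mtime: every failed
 * attempt, in whatever process, waits until FAIL_INTERVAL seconds have passed
 * since the latest reported failure and then records its own report time. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define STAMP_PATH    "/tmp/su-fail.stamp" /* assumed; a real su would use /var/run or /var/lib */
#define FAIL_INTERVAL 2                    /* assumed: seconds between reported failures */
#define FAIL_WAIT_CAP 60                   /* assumed: bound on any single wait (see below) */

/* Seconds this failure must wait: the latest reported failure (the stamp's
 * mtime, possibly reserved in the future by a concurrent process) plus the
 * interval, minus now. Capped so that a stamp far in the future, whether from
 * a heavy burst or from a clock stepped backwards, cannot stall su forever. */
time_t failure_wait_seconds(time_t last_report, time_t now, time_t interval)
{
    time_t due = last_report + interval;
    time_t wait = due > now ? due - now : 0;
    return wait > FAIL_WAIT_CAP ? FAIL_WAIT_CAP : wait;
}

/* Enforce the delay through stamp_path. Returns the seconds waited, or -1 on
 * error (a real su should still fail the attempt on -1). */
long enforce_global_failure_delay(const char *stamp_path, time_t interval)
{
    struct stat st;
    struct timespec ts[2];
    time_t now, wait;
    int created = 0;
    int fd = open(stamp_path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0 && errno == ENOENT) {
        /* No stamp yet: create it atomically; the winner records the first failure. */
        fd = open(stamp_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        created = fd >= 0;
        if (fd < 0 && errno == EEXIST)   /* lost the race: another failure just created it */
            fd = open(stamp_path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    }
    if (fd < 0)
        return -1;
    /* The lock makes read-mtime / write-mtime atomic across concurrent failures. */
    if (flock(fd, LOCK_EX) < 0 || fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    now = time(NULL);
    wait = created ? 0 : failure_wait_seconds(st.st_mtime, now, interval);

    /* Reserve this failure's report time in the mtime while still locked, so the
     * next concurrent failure queues behind it instead of sharing the slot. */
    ts[0].tv_sec = now;        ts[0].tv_nsec = 0;   /* atime: not significant */
    ts[1].tv_sec = now + wait; ts[1].tv_nsec = 0;   /* mtime: when this failure is reported */
    if (futimens(fd, ts) < 0) {
        close(fd);
        return -1;
    }
    close(fd);                 /* drops the flock; our slot is already recorded */

    while (wait > 0)           /* sleep() returns the unslept remainder if interrupted */
        wait = (time_t)sleep((unsigned)wait);
    return (long)(ts[1].tv_sec - now);
}

int main(void)
{
    /* Two back-to-back failures: the first waits 0 s, the second about FAIL_INTERVAL. */
    long first  = enforce_global_failure_delay(STAMP_PATH, FAIL_INTERVAL);
    long second = enforce_global_failure_delay(STAMP_PATH, FAIL_INTERVAL);
    printf("waited %ld s, then %ld s\n", first, second);
    return first < 0 || second < 0;
}
```

In a su applet this would replace the constant delay in the failure path, after the syslog call and before the "incorrect password" exit. Because every failing process reserves the next free slot under the lock, a burst of parallel attempts is reported one per interval in total rather than one per interval per process, which is the property the thread asks for; the cap is the price paid for not being stalled by a stamp written far in the future.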