[PATCH 1/1] su: Add a delay if the password is incorrect

Romain Naour romain.naour at openwide.fr
Thu Mar 13 22:54:19 UTC 2014


Hi,
On 13/03/2014 23:16, John Spencer wrote:
> Rich Felker wrote:
>> On Thu, Mar 13, 2014 at 12:15:45AM +0100, John Spencer wrote:
>>> Romain Naour wrote:
>>>> Hi,
>>>> On 04/03/2014 22:27, Romain Naour wrote:
>>>>> Signed-off-by: Romain Naour <romain.naour at openwide.fr>
>>>>> ---
>>>>>  loginutils/su.c | 1 +
>>>>>  1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/loginutils/su.c b/loginutils/su.c
>>>>> index c51f26f..f812505 100644
>>>>> --- a/loginutils/su.c
>>>>> +++ b/loginutils/su.c
>>>>> @@ -101,6 +101,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
>>>>>          if (ENABLE_FEATURE_SU_SYSLOG)
>>>>>              syslog(LOG_NOTICE, "%c %s %s:%s",
>>>>>                  '-', tty, old_user, opt_username);
>>>>> +        bb_do_delay(LOGIN_FAIL_DELAY);
>>>>>          bb_error_msg_and_die("incorrect password");
>>>>>      }
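Review bot: the delay added before bb_error_msg_and_die is per-process state, so it only slows one sequential caller; an attacker who runs many su processes in parallel pays no penalty at all, and the commit message (only a Signed-off-by) gives no rationale for why a per-process sleep is considered enough. If the intent is just parity with util-linux su, say so in the message; if the intent is real rate limiting, the last-failure timestamp has to live outside the process (for example a fixed file whose mtime is consulted before sleeping, taken under a lock) so that concurrent attempts wait for each other.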
>>>> Any comment or review on this patch ?
>>>> There is a small delay in su from util-linux if the password is wrong.
>>> that doesn't help cracking attempts, the bruteforce tool could just
>>> spawn many processes. this will only delay the most naive attacker.
>>
>> You could make it rigorous by touching a fixed filename in /var/run
>> each time and sleeping until a fixed interval has elapsed past that
>> file's mtime. Unless you do that though, adding a delay is just a
>> nuisance. It does not hinder competent attackers and it annoys
>> legitimate users who mistype their password.
>
> correct, and that's exactly what sabotage linux' su implementation does:
> https://github.com/sabotage-linux/sabotage/blob/master/KEEP/su.c
> (only difference: it uses /var/lib)
>
Thanks for your feedback.
Ok, I understand why it's not a good fix...
I did not know sabotage-linux project, I'll take a look.

Best regards,
Romain
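The rigorous variant Rich describes above (a fixed stamp file whose mtime records the last failed attempt, with the wait computed from that mtime), written out as an added example in C. This is not BusyBox, util-linux or sabotage code; it goes one step further than the description by taking a write lock on the stamp so that concurrent attempts queue behind each other instead of each sleeping on its own. The stamp path, the 3-second interval and the function names are assumptions.

```c
/* Added example, not BusyBox/util-linux/sabotage code.  A failure delay
 * that is shared across processes: the stamp file's mtime records the
 * last failed attempt, and a write lock on it makes parallel attempts
 * wait for each other instead of sleeping independently. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

#define SU_FAIL_STAMP    "/var/run/su.failstamp"  /* assumed path (thread mentions /var/run) */
#define SU_FAIL_INTERVAL 3                        /* assumed interval in seconds */

/* Seconds still to wait before another attempt may be checked.  Pure
 * function, so the policy is testable without touching the filesystem. */
long fail_delay_remaining(time_t last_fail, time_t now, long interval)
{
    if (now < last_fail)                 /* clock stepped backwards: be conservative */
        return interval;
    if (now - last_fail >= interval)
        return 0;
    return interval - (long)(now - last_fail);
}

/* Enter the gate before verifying the password.  Blocks until no other
 * attempt holds the lock and `interval` seconds have passed since the
 * stamp's mtime.  Returns the locked fd (>= 0) or -1 on error; *slept
 * receives the seconds actually waited. */
int fail_gate_enter(const char *path, long interval, long *slept)
{
    struct flock lk = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = 0, .l_len = 0 };
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT, 0600);

    if (fd < 0)
        return -1;
    if (fcntl(fd, F_SETLKW, &lk) < 0 || fstat(fd, &st) < 0) {
        close(fd);                       /* closing also drops any lock we got */
        return -1;
    }
    /* A stamp created just now has mtime == now, so the first attempt on a
     * fresh file also pays one interval; that errs on the safe side. */
    long wait = fail_delay_remaining(st.st_mtime, time(NULL), interval);
    if (wait > 0)
        sleep((unsigned)wait);
    if (slept)
        *slept = wait;
    return fd;
}

/* Leave the gate.  On a failed check, stamp the file first so that the next
 * attempt from any process waits a full interval.  Returns 0 on success.
 * Closing the fd releases the lock. */
int fail_gate_leave(int fd, const char *path, int failed)
{
    int rc = 0;
    if (failed)
        rc = utime(path, NULL);          /* NULL: set atime/mtime to now */
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed demo: three consecutive failed attempts against a scratch stamp. */
    const char *stamp = "/tmp/su.failstamp.demo";
    for (int i = 1; i <= 3; i++) {
        long slept = 0;
        int fd = fail_gate_enter(stamp, SU_FAIL_INTERVAL, &slept);
        if (fd < 0) {
            perror("fail_gate_enter");
            return 1;
        }
        printf("attempt %d: waited %ld s before the password check\n", i, slept);
        fail_gate_leave(fd, stamp, 1);   /* pretend the password was wrong */
    }
    unlink(stamp);
    return 0;
}
```

The placement matters as much as the mechanism: fail_gate_enter would be called before the password is verified and fail_gate_leave(fd, path, !ok) after it. Sleeping only in the failure branch, as the quoted patch does, leaves the check itself ungated, so N parallel processes could still test N candidates at once and only the losing ones would ever sleep.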

