SU allows for immediate return by pressing Control-C. This allows for immediate determination of success/failure, and brute force attacks through a little bit of signal manipulation. I have not tested if a program can send the SIGINT itself, but it would seem likely as this is what Control-C is supposed to do. It should force wait (or at least be admin configurable to do so).

Reproducible: Always

Steps to Reproduce:
1. su
2. enter incorrect password
3. press CTRL-C to prematurely halt the failure pause

Actual Results: su is killed, user returned to command line instantly to try again

Expected Results: ignore SIGINT for security reasons (or have the option to ignore it)
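Added example, not part of the original report and not shadow's su code: one way a program can hold a failure delay that Ctrl-C and Ctrl-\ cannot cut short, which is what the expected result above asks for. The names `fail_delay`, `ignore_term_sigs` and `restore_term_sigs` are hypothetical, and the printed message is constructed. The delay only covers this one process and does nothing about several instances started in parallel, a point raised further down the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>

/* Terminal-generated signals: Ctrl-C, Ctrl-\ and Ctrl-Z. */
static const int term_sigs[] = { SIGINT, SIGQUIT, SIGTSTP };
#define NSIGS (sizeof term_sigs / sizeof term_sigs[0])

/* Ignore them, saving the old dispositions. Returns 0, or -1 on error. */
int ignore_term_sigs(struct sigaction saved[NSIGS])
{
    struct sigaction ign;
    size_t i;
    ign.sa_handler = SIG_IGN;
    ign.sa_flags = 0;
    sigemptyset(&ign.sa_mask);
    for (i = 0; i < NSIGS; i++) {
        if (sigaction(term_sigs[i], &ign, &saved[i]) != 0) {
            while (i-- > 0)   /* undo the ones already changed */
                sigaction(term_sigs[i], &saved[i], NULL);
            return -1;
        }
    }
    return 0;
}

void restore_term_sigs(const struct sigaction saved[NSIGS])
{
    for (size_t i = 0; i < NSIGS; i++)
        sigaction(term_sigs[i], &saved[i], NULL);
}

/* Hypothetical helper: sleep the whole delay; keyboard signals are ignored. */
int fail_delay(unsigned int seconds)
{
    struct sigaction saved[NSIGS];
    struct timespec left = { .tv_sec = seconds, .tv_nsec = 0 };
    if (ignore_term_sigs(saved) != 0)
        return -1;
    while (nanosleep(&left, &left) == -1 && errno == EINTR)
        ;   /* some other signal interrupted us: sleep the remainder */
    restore_term_sigs(saved);
    return 0;
}

/* Constructed demo: the message appears only after the full 3 s. */
int main(void) { int rc = fail_delay(3); puts("denied"); return rc; }
```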
Upon further thinking, the pause is nonsense because a user must be explicitly granted permission to su, and so there is no real security hole as a user with ability to su should already know the password. I submit that the pause should be completely eliminated due to the fact that it is completely pointless and silly. The option, at least, would be preferable.
doesn't /etc/login.defs control that?
It controls the timeout for logging in via the login prompt but not (as far as I can tell) the timeout on the su command. Perhaps there is an option that does not appear there by default that controls it that you are thinking of? In any case, the delay seems strange since both CTRL-C and CTRL-\ will kill the su process without the need to wait. Even a user logged in to a single terminal could open multiple su instances to avoid the delay. For reasoning that convinced me that the delay was not in fact a security hole, but rather a pointless hindrance to legitimate users, read: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=288827&msg=1 Thanks for your time, you could probably mark this down to minor if you like :)
feel like glancing through shadow's su code and producing a patch to allow for CTRL+C at all stages?
spanky: is this bug still needed?
iirc, upstream has talked about it ... but i don't really remember what came of it. either way, should be handled on the shadow dev list