Date: Tue, 5 May 1998 21:41:03 GMT
From: dan@obluda.cz
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/6529: potential timing problem with login after bad password given
Message-ID: <199805052141.VAA03558@danio.cz>
>Number: 6529
>Category: bin
>Synopsis: potential timing problem with login after bad password given
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 5 17:20:01 PDT 1998
>Last-Modified:
>Originator: Dan Lukes
>Organization:
Dan Lukes
>Release: FreeBSD 2.2.6-RELEASE i386
>Environment:
no special environment settings, standard installation
"$Id: login.c,v 1.12.2.9 1998/02/18 12:07:42 markm Exp $"
>Description:
/usr.sbin/login/login.c:
The variable "backoff" is initialized (source line 267) from the login-backoff tag
of the login capabilities database or (source line 272) from DEFAULT_BACKOFF
(=3, see line 123).
Imagine that a user gives a bad password, and see source line 513.
If the "cnt" variable (number of attempts) is greater than "backoff" then
sleep is called. The problem is with the sleep argument. ((cnt - 3) * 5) can
be a negative number if "backoff" is less than 2. If the login capabilities
database/login-backoff tag is set to less than 2 by the administrator and the user
gives a bad password, then the sleep on line 518 causes login to sleep until the login
times out (or SIGINT or SIGQUIT).
A similar situation occurs if the #define DEFAULT_BACKOFF (line 272) is
changed to 1 or less and the appropriate tag isn't present or the login capabilities
functions aren't compiled in.
IMHO, this inconsistency is related to the adding of login_capabilities_database
support to the login program, but this part of the program remained intact with
the old coded-in constants.
>How-To-Repeat:
Add the :login-backoff=1: tag to /etc/login.conf, class default, (re)start the
login program on a tty and try to log in with a bad password (two attempts).
login will sleep until SIGINT, SIGQUIT or login timeout.
>Fix:
Change line 518 of login.c from
sleep((u_int)((cnt - 3) * 5));
to
sleep((u_int)((cnt - backoff) * 5));
Recompile and reinstall the login program.
The workaround is to set the login-backoff tag to 3 or more or to remove this tag
from the login.conf database.
>Audit-Trail:
>Unformatted:
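
Added example, not part of the original report and not the login.c source: a small C model of the delay computation described above, showing how the hard-coded 3 turns a negative product into a huge unsigned sleep argument when backoff is 1, and what the proposed expression yields instead. The function names and the "cnt > backoff" guard are assumptions taken from the report's description.

```c
#include <limits.h>
#include <stdio.h>

/* Model of the back-off delay described in the report (assumed shape,
 * not copied from login.c). Returns the value that would reach sleep(). */

/* Original expression: the threshold 3 is hard-coded. */
static unsigned int delay_original(int cnt, int backoff)
{
    if (cnt <= backoff)
        return 0;                       /* back-off not reached yet */
    /* int -> unsigned conversion is modulo UINT_MAX + 1, so -5 wraps
     * to UINT_MAX - 4 instead of being treated as "no delay". */
    return (unsigned int)((cnt - 3) * 5);
}

/* Proposed expression: the threshold follows the configured backoff. */
static unsigned int delay_fixed(int cnt, int backoff)
{
    if (cnt <= backoff)
        return 0;
    return (unsigned int)((cnt - backoff) * 5);
}

int main(void)
{
    /* Constructed inputs: backoff settings 1..3, failed attempts 1..5. */
    for (int backoff = 1; backoff <= 3; backoff++) {
        for (int cnt = 1; cnt <= 5; cnt++) {
            printf("backoff=%d cnt=%d original=%u fixed=%u\n",
                   backoff, cnt,
                   delay_original(cnt, backoff),
                   delay_fixed(cnt, backoff));
        }
    }
    return 0;
}
```

With backoff=2 the original expression never goes negative, but the first delayed attempt (cnt=3) gets a delay of 0 seconds, while the proposed expression gives 5.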
