[PATCH & RFC] avoid libbb/correct_password.c to disclose info about system
Tito
farmatito at tiscali.it
Mon Jul 2 15:08:25 PDT 2007
Hi,
I noticed that our password checking routine in correct_password.c
behaves differently than the real login app.
In case support for shadow passwords is enabled and
/etc/shadow is missing, it complains with an error message:
"no valid shadow password, checking ordinary one"
thus disclosing information about the state of the system.
I think it should instead fake an incorrect login.
A patch is attached, comments and critics are welcome.
This is only compile tested.
Ciao,
Tito
BTW:
scripts/bloat-o-meter busybox_old busybox_unstripped
function                                             old     new   delta
correct_password                                     231     225      -6
.rodata                                           125111  125063     -48
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-54)             Total: -54 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: correct_password.patch
Type: text/x-diff
Size: 688 bytes
Desc: not available
Url : http://busybox.net/lists/busybox/attachments/20070703/e71eee7e/attachment.bin
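The behaviour the post argues for, as an added illustration that is not BusyBox code and not the attached patch: a simplified password check in which a failed shadow lookup is treated exactly like a wrong password, with no diagnostic and with a dummy comparison still performed so the failure path matches the normal one. The struct names, the `check_password_*` functions and the `"!"` placeholder hash are assumptions made for this example; the stored "hash" is a plain string standing in for a crypt(3) result.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a login-style password check (example code, not
 * BusyBox's correct_password.c). Real code would use getpwnam()/getspnam()
 * and crypt(); here a record is a struct and the "hash" is a plain string. */

struct pw_entry { const char *name; const char *passwd; };   /* /etc/passwd field */
struct sp_entry { const char *name; const char *pwdp;   };   /* /etc/shadow field */

/* Constant-time string comparison: the result does not depend on where
 * the first mismatch occurs. (Length is still compared; real hashes are
 * fixed-size, so that is not a leak there.) */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Stand-in for crypt(3)+compare: treats the stored string as the hash. */
static int hash_matches(const char *stored, const char *password) {
    return ct_equal(stored, password);
}

/* Leaky variant, modelled on the behaviour the post complains about:
 * a missing shadow entry produces a diagnostic and falls back to the
 * passwd field. Returns 1 on success, 0 on failure; *msg receives the
 * diagnostic text (NULL when nothing would be printed). */
int check_password_leaky(const struct pw_entry *pw, const struct sp_entry *sp,
                         bool shadow_enabled, const char *password,
                         const char **msg)
{
    const char *stored = pw->passwd;
    *msg = NULL;
    if (shadow_enabled) {
        if (sp)
            stored = sp->pwdp;
        else
            *msg = "no valid shadow password, checking ordinary one";
    }
    return hash_matches(stored, password);
}

/* Hardened variant: a missing shadow entry is indistinguishable from a
 * wrong password. No diagnostic is set, a dummy hash is still compared
 * so the code path (and roughly the time spent) matches a normal failure,
 * and the result is forced to 0 regardless of what the dummy compares to. */
int check_password_quiet(const struct pw_entry *pw, const struct sp_entry *sp,
                         bool shadow_enabled, const char *password,
                         const char **msg)
{
    /* Hypothetical placeholder; "!" is a conventional locked-account marker. */
    static const char dummy[] = "!";
    const char *stored = pw->passwd;
    int ok;
    *msg = NULL;
    if (shadow_enabled)
        stored = sp ? sp->pwdp : dummy;
    ok = hash_matches(stored, password);
    if (shadow_enabled && !sp)
        ok = 0;                 /* never accept when the shadow entry is absent */
    return ok;
}
```

The two functions take the same inputs and differ only in the missing-shadow branch, which is the one line a reviewer of the real change would look at: the quiet variant must not return early before the comparison, or the timing of the failure would once again tell an attacker whether /etc/shadow was consulted.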