[Pkg-shadow-devel] Bug#623862: login: su Ignores SIGINT/SIGQUIT

Jun Inoue jun.lambda at gmail.com
Sat Apr 23 19:39:40 UTC 2011 

Package: login
Version: 1:4.1.4.1-1
Severity: wishlist
File: /bin/su

Please let su exit immediately when I type a wrong password in su, or at
least let it obey SIGINT.  Apparently blocking SIGINT was a response to
#52372 and blocking SIGQUIT a response to #288827, aiming to enforce the
delay that takes place after receiving a bad password.  But neither is
effective because:

(1) su can be terminated by SIGTERM or SIGKILL anyway

(2) anyone who can invoke su at all can probably invoke many instances
    in parallel, in a pipeline fashion to eliminate wait time

Brute-force attackers, undoubtedly using a script, can deploy both of
these methods very easily.  On the other hand, a legitimate user, most
likely invoking su interactively, has to go through the nuisance of
control-z + kill %1 or something like that to use either workaround.  So
this signal blocking business is only inconveniencing legitimate users
and not any attackers.

I'm not a security expert so correct me if I'm wrong, but the whole idea
of pausing in su looks an ill-conceived security measure that arose from
false analogy with login.  When an attacker is logging in for the first
time, the tactics (1) and (2) above can't be used because presumably the
attacker hasn't already gained access to the system's process table in
any way.  But an attacker using su necessarily has.  So putting a delay
is effective in the former case, but not in the latter.

Having to wait several seconds every time the user mistypes a password
is a usability issue, and I would like to see this delay removed unless
there is a concrete security benefit without a trivial workaround.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.EUC-JP, LC_CTYPE=ja_JP.EUC-JP (charmap=EUC-JP) (ignored: LC_ALL set to ja_JP.eucJP)
Shell: /bin/sh linked to /bin/bash

Versions of packages login depends on:
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libpam-modules                1.0.1-9    Pluggable Authentication Modules f
ii  libpam-runtime                1.1.0-4    Runtime support for the PAM librar
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information

-- 
Jun Inoue

More information about the Pkg-shadow-devel mailing list