Might I suggest that you put a delay into the program, if the password is incorrect. This way it'll be as difficult as using su to detect if you found the correct password. Brute forcing the password list for any given user is more easily accomplished without the delay.

You may also want to put some IPC intelligence into the program to detect multiple instances running; anyone can write a proggie which spawns 250 kcheckpass progs, and still get decent throughput. Perhaps a shared memory segment with a mutex would work. And the mutex is held for the runtime of the program, providing that the UID of the people running it is the same (50 different people running it once is OK, 1 person running it 50 concurrent times is not).

--Perry

> Dear Bugtraq subscribers,
>
> KDE Screensavers are usually running SUID root. Security issues have
> been posted to Bugtraq on Nov 16 1998, under the subject "KDE 1.0's
> klock can be used to gain root priveledges". The KDE team has now
> published a fix for the KDE1.0 branch and the current branch.
>
> With this change, screensavers and klock are not running SUID anymore.
> This will solve every potential exploit, like misuse of buffer overruns
> to gain root rights or executing a wrong executable under SUID rights.
>
> The following text explains the technique used to solve the problem.
> An advisory for distributors, users and administrators follows the
> technical description.
>
>
> Technique
> ---------
> An authentication program, kcheckpass, has been introduced. This
> is a separate, helper program, that runs SUID and is called each
> time a password has to be checked. The password is passed via
> STDIN to the program and the result of the authentication
> process is returned in the return code of the program.
> This program is small and supposed to be free from security hassles.
>
> Christian Esken <eskenat_private>

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harringtonat_private   Think Blue.  /\
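The two mitigations suggested in the reply above (a delay after a wrong password, and one running instance per UID), as an added C example that is not kcheckpass code and not part of the original thread. It swaps the shared-memory mutex for a per-UID `flock()` lock file; the names `acquire_uid_lock`, `guarded_check`, the `check_fn` hook and the lock-file path are hypothetical.

```c
#define _GNU_SOURCE             /* O_NOFOLLOW / O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

typedef int (*check_fn)(void);  /* hypothetical hook: returns 1 if the password matched */

/* One lock file per real UID. Returns an fd holding the lock, or -1 if this
 * UID already has an instance running (or the file cannot be opened). */
int acquire_uid_lock(const char *dir, uid_t uid)
{
    char path[256];
    int n = snprintf(path, sizeof path, "%s/checkpass-%lu.lock", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) { close(fd); return -1; }
    return fd;
}

/* 0 = accepted, 1 = rejected after the delay, 2 = refused (same UID already running).
 * The lock is held across the delay, so parallel copies cannot hide the delay. */
int guarded_check(const char *dir, uid_t uid, check_fn check, long delay_ms)
{
    int fd = acquire_uid_lock(dir, uid);
    if (fd < 0) return 2;
    int ok = check();
    if (!ok) {
        struct timespec ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
        while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { }  /* a signal must not shorten it */
    }
    close(fd);                  /* closing the descriptor releases the flock */
    return ok ? 0 : 1;
}

/* Constructed stand-ins for the real password comparison. */
int demo_accept(void) { return 1; }
int demo_reject(void) { return 0; }

int main(void)
{
    /* Assumption: a real SUID helper uses a root-owned, non-user-writable directory, not /tmp. */
    return guarded_check("/tmp", getuid(), demo_reject, 2000);
}
```

Different UIDs map to different lock files, so 50 users running it once each are not blocked, while a second concurrent run by the same UID exits immediately with status 2.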