Bug 10441

Summary: accidental full-text password exposure to local users possible
Product: Busybox
Reporter: surae
Component: Other
Assignee: unassigned
Status: NEW
Severity: normal
CC: busybox-cvs, surae
Priority: P5
Version: 1.26.x
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:

Description surae 2017-10-22 16:17:39 UTC
busybox's getty passes the typed username as an argument to busybox's login process, which itself asks for the username again in case of auth failure, 3 times! Then, if the username typed first was erroneous, it is kept for the session time:

root      2170  0.0  0.0   1528     4 tty1     Ss   16:04   0:00 /bin/login -- adsfasdfasdf

Once I accidentally typed my password instead of my login at the console getty prompt, it exposed my whole password to local users for the entire session period!

It is bad for security!

Should we remove the username prompt from login.c, or make it check whether the username supplied by getty is non-existent?
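The second option from the description, worked through as an added example (this is not busybox code and not the reporter's; the function names username_known, scrub_arg, vet_getty_username and read_own_cmdline are assumed for illustration). The idea: the name getty hands login on argv is looked up with getpwnam(), the same lookup login performs later anyway; if no such account exists the argv bytes are zeroed in place, so a mistyped password no longer shows in /proc/<pid>/cmdline (which is what ps reads on Linux) while login re-prompts. Build with `cc -o vet vet.c` and run `./vet adsfasdfasdf` to watch the argument vanish from the process's own cmdline; run it with a real account name to see it kept.

```c
/* Added example, not busybox code: vet the username getty passed on
 * argv and scrub it when it is not a real account.  Names assumed. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if name has a passwd entry, 0 otherwise (NULL/empty count as unknown). */
int username_known(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return getpwnam(name) != NULL;
}

/* Overwrite an argv string in place.  /proc/<pid>/cmdline is served from
 * the process's own argv memory on Linux, so once these bytes are zeroed
 * other users no longer see them in ps.  The volatile loop keeps the
 * compiler from dropping the stores.  Returns the number of bytes cleared. */
size_t scrub_arg(char *arg)
{
    size_t n = strlen(arg);
    volatile char *p = arg;
    for (size_t i = 0; i < n; i++)
        p[i] = '\0';
    return n;
}

/* Keep the getty-supplied name only if it is a real account; otherwise
 * scrub it so a password typed at the login: prompt is not left on the
 * command line for the life of the process.  Returns 1 if kept, 0 if scrubbed. */
int vet_getty_username(char *arg)
{
    if (username_known(arg))
        return 1;
    scrub_arg(arg);
    return 0;
}

/* Read this process's own cmdline roughly as ps shows it (NULs -> spaces). */
size_t read_own_cmdline(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/cmdline", "r");
    size_t n;
    if (f == NULL)
        return 0;
    n = fread(buf, 1, len - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    char before[256], after[256];
    int kept;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <username-from-getty>\n", argv[0]);
        return 2;
    }
    read_own_cmdline(before, sizeof before);
    kept = vet_getty_username(argv[1]);
    read_own_cmdline(after, sizeof after);
    printf("cmdline before: %s\n", before);
    printf("cmdline after:  %s (%s)\n", after, kept ? "kept" : "scrubbed");
    return 0;
}
```

Two caveats a practitioner should keep in mind: scrubbing argv only closes the /proc/<pid>/cmdline window, it does nothing about the typed string having already been echoed by getty and logged by anything capturing the tty; and a getpwnam() lookup on attacker-chosen input before authentication lets an unauthenticated user distinguish existing from non-existing accounts by whether the name survives in ps, so the simpler fix of never keeping the getty-supplied name after a failed attempt avoids that side channel entirely.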
Comment 1 surae 2017-10-22 16:36:56 UTC
loginutils/login.c:522:
...
auth_failed:
                opt &= ~LOGIN_OPT_f;
                bb_do_delay(LOGIN_FAIL_DELAY);
                /* TODO: doesn't sound like correct English phrase to me */
                puts("Login incorrect");
                if (++count == 3) {
                        syslog(LOG_WARNING, "invalid password for '%s'%s",
                                                username, fromhost);

                        if (ENABLE_FEATURE_CLEAN_UP)
                                free(fromhost);

                        return EXIT_FAILURE;
                }
                username[0] = '\0';
        } /* while (1) */
...

I guess there is no sense in the "if (++count == 3) {" on line 527. It saves no resources and is used extremely rarely, afaik.