Subject: Re: su and resources not honored
To: Jeremy C. Reed <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 06/14/2006 17:21:26
Content-Type: text/plain; charset=us-ascii
On Tue, Jun 13, 2006 at 07:50:59PM -0700, Jeremy C. Reed wrote:
> src/usr.bin/su/su_pam.c has:
>
>	/*
>	 * Don't touch resource/priority settings if -m has been used
>	 * or -l and -c hasn't, and we're not su'ing to root.
>	 */
>	if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
>		setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
>	if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
>		err(EXIT_FAILURE, "setusercontext");
>
> So using "su" (without -m for example), a user (who knows another user
> account's password) can login to that other user's account and because
> LOGIN_SETRESOURCES is not used their previous resources are in effect. Is
> that okay?
> This seems like a way a user can misuse resources. Comments?

If I understand things right, the way this would work is that user A would
log into user B's account but the process limits & such would be counted
against user A, correct? Or would they no longer be counted against user A
and user B would be well-above limits?
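
Added example, not part of the original thread and not NetBSD's su code: it models the quoted su_pam.c condition and shows that rlimit values are per-process attributes a child inherits unchanged unless something resets them, which is why the invoking user's limits stay in effect when LOGIN_SETRESOURCES is masked out. The X_* bit values and the function names are assumptions made for illustration, and only fork() is exercised here (no uid change or exec).

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder bits, NOT the real <login_cap.h> values (assumption). */
#define X_SETPRIORITY  0x01u /* stands in for LOGIN_SETPRIORITY */
#define X_SETRESOURCES 0x02u /* stands in for LOGIN_SETRESOURCES */
#define X_SETOTHER     0x04u /* stands in for every other LOGIN_SET* bit */

/* The quoted condition: asme = -m, asthem = -l, have_class = -c given. */
unsigned su_setwhat(int asme, int asthem, int have_class, uid_t target_uid)
{
    unsigned setwhat = X_SETPRIORITY | X_SETRESOURCES | X_SETOTHER;
    if ((asme || (!asthem && !have_class)) && target_uid != 0)
        setwhat &= ~(X_SETPRIORITY | X_SETRESOURCES);
    return setwhat;
}

/* Returns 1 if a forked child sees the soft RLIMIT_NOFILE set here,
 * 0 if not, -1 on error. The caller's own limit is restored. */
int child_inherits_nofile(rlim_t soft)
{
    struct rlimit old, rl;
    int status = 0, result = -1;
    if (getrlimit(RLIMIT_NOFILE, &old) == -1)
        return -1;
    rl = old;
    rl.rlim_cur = soft;
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == 0) { /* child: nothing has reset the limit for it */
        struct rlimit c;
        _exit(getrlimit(RLIMIT_NOFILE, &c) == 0 && c.rlim_cur == soft ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status) == 0;
    setrlimit(RLIMIT_NOFILE, &old); /* put the parent's soft limit back */
    return result;
}

int main(void)
{
    int reset = (su_setwhat(0, 0, 0, 1000) & X_SETRESOURCES) != 0;
    printf("plain su, uid 1000: resources %s\n", reset ? "reset" : "inherited");
    printf("child inherits limit: %d\n", child_inherits_nofile(64));
    return 0;
}
```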