Subject: Re: su and resources not honored
To: Jeremy C. Reed <>
From: Bill Studenmund <>
List: tech-security
Date: 06/14/2006 17:21:26

On Tue, Jun 13, 2006 at 07:50:59PM -0700, Jeremy C. Reed wrote:
> src/usr.bin/su/su_pam.c has:
>     * Don't touch resource/priority settings if -m has been used
>     * or -l and -c hasn't, and we're not su'ing to root.
>     */
>    if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
>    if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
>            err(EXIT_FAILURE, "setusercontext");
> So using "su" (without -m for example), a user (who knows another user
> account's password) can login to that other user's account and because
> LOGIN_SETRESOURCES is not used their previous resources are in effect. Is
> that okay?
> This seems like a way a user can misuse resources. Comments?

If I understand things right, the way this would work is that user A would
log into user B's account but the process limits & such would be counted
against user A, correct? Or would they no longer be counted against user A
and user B would be well-above limits?

Take care,


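The behaviour discussed in this thread, as an added example that is not part of the original message or of su_pam.c: it evaluates the quoted condition for a few flag combinations and shows that a lowered resource limit is inherited by a child process unless something resets it. The function names, the choice of RLIMIT_NOFILE and the value 64 are assumptions made for illustration.

```c
/* Added example (not from su_pam.c): models the quoted condition and shows
 * that rlimits are inherited by a child process unless explicitly reset. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same boolean as the quoted test (asme: -m, asthem: -l, class: -c).
 * Nonzero means su leaves the caller's resource/priority settings alone. */
int su_keeps_caller_limits(int asme, int asthem, const char *class, uid_t uid)
{
    return (asme || (!asthem && class == NULL)) && uid != 0;
}

/* Lower the soft RLIMIT_NOFILE to `soft`, fork, and report whether the child
 * sees the same value. Returns 1 if inherited, 0 if not, -1 on error. */
int child_inherits_nofile(rlim_t soft)
{
    struct rlimit old, lim, seen;
    int status;
    pid_t pid;

    if (getrlimit(RLIMIT_NOFILE, &old) == -1 || soft > old.rlim_max)
        return -1;
    lim = old;
    lim.rlim_cur = soft;
    if (setrlimit(RLIMIT_NOFILE, &lim) == -1)
        return -1;

    pid = fork();
    if (pid == 0) {
        /* Child: stands in for the shell su starts for the target user. */
        if (getrlimit(RLIMIT_NOFILE, &seen) == -1)
            _exit(2);
        _exit(seen.rlim_cur == soft ? 0 : 1);
    }
    setrlimit(RLIMIT_NOFILE, &old);   /* restore the parent's soft limit */
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

int main(void)
{
    printf("plain su, uid 1000: %d\n", su_keeps_caller_limits(0, 0, NULL, 1000));
    printf("child inherits limit: %d\n", child_inherits_nofile(64));
    return 0;
}
```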