Subject: su and resources not honored
To: None <tech-security@NetBSD.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 06/13/2006 19:50:59
src/usr.bin/su/su_pam.c has:
	/*
	 * Don't touch resource/priority settings if -m has been used
	 * or -l and -c hasn't, and we're not su'ing to root.
	 */
	if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
		setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
	if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
		err(EXIT_FAILURE, "setusercontext");
So using "su" (without -m, for example), a user (who knows another user
account's password) can log in to that other user's account and, because
LOGIN_SETRESOURCES is not used, their previous resources are in effect. Is
that okay?
This seems like a way a user can misuse resources. Comments?
If that is acceptable behaviour it should be clearly documented. (Any
suggestions on wording for the manual page?)
I haven't checked other operating systems yet.
Note that our login(1) does not have that problem.
Jeremy C. Reed
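An added illustration, not NetBSD code (caller_limits_kept and shell_observed_nofile are names chosen here): the first function is the quoted su_pam.c condition written out with the -m/-l/-c cases as booleans, and the second emulates the path the question describes by lowering the soft RLIMIT_NOFILE, optionally resetting it the way LOGIN_SETRESOURCES would, and exec'ing a shell that reports the limit it inherited. It assumes a POSIX system whose /bin/sh supports "ulimit -n".

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same test as the quoted su_pam.c line. Returns true when su leaves the
 * caller's priority and resource limits untouched: -m given, or neither
 * -l nor -c given, and the target account is not root. */
bool caller_limits_kept(bool asme, bool asthem, bool class_given, uid_t target_uid)
{
    return (asme || (!asthem && !class_given)) && target_uid != 0;
}

/* Emulates the su path (constructed, not su's code): lower the soft
 * RLIMIT_NOFILE to caller_soft (the limit the invoking session had),
 * optionally reset it to class_soft (what LOGIN_SETRESOURCES would take
 * from login.conf), then exec a shell that reports the limit it inherited
 * through its exit status. Returns that value (must be < 256), or -1. */
int shell_observed_nofile(bool apply_class_limit, int caller_soft, int class_soft)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(255);
        rl.rlim_cur = (rlim_t)caller_soft;          /* caller's session limit */
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(255);
        if (apply_class_limit) {                    /* LOGIN_SETRESOURCES stand-in */
            rl.rlim_cur = (rlim_t)class_soft;
            if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
                _exit(255);
        }
        /* rlimits survive exec, exactly as they do into the shell su runs */
        execl("/bin/sh", "sh", "-c", "exit $(ulimit -n)", (char *)NULL);
        _exit(255);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With the reset skipped the shell reports the caller's 64, with it the class value 128, which is the difference the masked LOGIN_SETRESOURCES makes.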