Subject: su and resources not honored
To: None <tech-security@NetBSD.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 06/13/2006 19:50:59
src/usr.bin/su/su_pam.c has:

   /*
    * Don't touch resource/priority settings if -m has been used
    * or -l and -c hasn't, and we're not su'ing to root.
    */
   if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
           setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);

   if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
           err(EXIT_FAILURE, "setusercontext");

So using "su" (without -m, for example), a user (who knows another user 
account's password) can log in to that other user's account and, because 
LOGIN_SETRESOURCES is not used, their previous resources remain in effect. Is 
that okay?

This seems like a way a user can misuse resources. Comments?

If that is acceptable behaviour it should be clearly documented. (Any 
suggestions on wording for the manual page?)

I haven't checked other operating systems yet.

Note that our login(1) does not have that problem.

 Jeremy C. Reed
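As an added illustration (not code from the post or from NetBSD's su), a small C model of the quoted condition and of the part of setusercontext(3) it controls: `compute_setwhat` mirrors the conditional above (only that conditional, not the rest of su's option handling), and `resulting_nofile` stands in for the limit-setting step. The LOGIN_SET* bit values and the class/caller limits are constructed stand-ins, not the real <login_cap.h> values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/resource.h>

/* Stand-in bit values for the login_cap(3) flags named in the post;
 * the real values live in <login_cap.h>, only the bits matter here. */
#define LOGIN_SETPRIORITY  0x01
#define LOGIN_SETRESOURCES 0x02
#define LOGIN_SETALL       (LOGIN_SETPRIORITY | LOGIN_SETRESOURCES)

/* Hypothetical login class: the open-files limit it would install. */
struct fake_class {
    rlim_t nofile;
};

/* Mirror of the su_pam.c condition quoted in the post.
 * asme = -m given, asthem = -l given, have_class = -c class given. */
unsigned compute_setwhat(bool asme, bool asthem, bool have_class, uid_t target_uid)
{
    unsigned setwhat = LOGIN_SETALL;            /* model starting point only */
    if ((asme || (!asthem && !have_class)) && target_uid != 0)
        setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
    return setwhat;
}

/* Model of the relevant part of setusercontext(3): the class limit is
 * installed only when LOGIN_SETRESOURCES is requested; otherwise the
 * limit inherited from the caller is left as it was. */
rlim_t resulting_nofile(unsigned setwhat, const struct fake_class *cls, rlim_t inherited)
{
    return (setwhat & LOGIN_SETRESOURCES) ? cls->nofile : inherited;
}

/* Does the caller's limit survive "su target" under these options? */
bool limits_carry_over(bool asme, bool asthem, bool have_class, uid_t target_uid)
{
    struct fake_class cls = { .nofile = 64 };   /* constructed class limit */
    rlim_t inherited = 4096;                    /* constructed caller limit */
    unsigned setwhat = compute_setwhat(asme, asthem, have_class, target_uid);
    return resulting_nofile(setwhat, &cls, inherited) == inherited;
}

int main(void)
{
    printf("plain su, no -c, non-root target: carry over = %d\n", limits_carry_over(false, false, false, 1000));
    printf("su -l, no -c, non-root target:    carry over = %d\n", limits_carry_over(false, true, false, 1000));
    printf("su -m, root target:               carry over = %d\n", limits_carry_over(true, false, false, 0));
    printf("plain su with -c class:           carry over = %d\n", limits_carry_over(false, false, true, 1000));
    return 0;
}
```

Only the first case (plain su, no class, non-root target) keeps the caller's limits; -l, -c, or a root target all make the class limits apply.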