Subject: Re: su and resources not honored
To: Jeremy C. Reed <reed@reedmedia.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 06/14/2006 17:21:26

On Tue, Jun 13, 2006 at 07:50:59PM -0700, Jeremy C. Reed wrote:
> src/usr.bin/su/su_pam.c has:
>
>     * Don't touch resource/priority settings if -m has been used
>     * or -l and -c hasn't, and we're not su'ing to root.
>     */
>    if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
>            setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
>
>    if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
>            err(EXIT_FAILURE, "setusercontext");
>
> So using "su" (without -m for example), a user (who knows another user
> account's password) can login to that other user's account and because
> LOGIN_SETRESOURCES is not used their previous resources are in effect. Is
> that okay?
>
> This seems like a way a user can misuse resources. Comments?

If I understand things right, the way this would work is that user A would
log into user B's account but the process limits & such would be counted
against user A, correct? Or would they no longer be counted against user A
and user B would be well-above limits?

Take care,

Bill
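
An added illustration, not part of either message and not NetBSD's su code: the quoted condition is modelled over the su options it names (asme for -m, asthem for -l, a class argument for -c), and a child process shows that a soft RLIMIT_NOFILE set in the caller's context survives unless a resources step replaces it. The flag values, the limits 64 and 32, the helper names, and the use of setrlimit() in place of setusercontext() are assumptions of the example, and no uid change is performed.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in flag values (the real ones come from <login_cap.h>). */
enum { LOGIN_SETPRIORITY = 0x1, LOGIN_SETRESOURCES = 0x2 };
/* Constructed sample limits: user A's shell and user B's login class. */
enum { CALLER_NOFILE = 64, TARGET_NOFILE = 32 };

/* The condition quoted from su_pam.c; cls stands for the page's `class`. */
static int su_setwhat(int asme, int asthem, const char *cls, unsigned uid) {
    int setwhat = LOGIN_SETPRIORITY | LOGIN_SETRESOURCES;
    if ((asme || (!asthem && cls == NULL)) && uid)
        setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
    return setwhat;
}

static int set_soft_nofile(rlim_t n) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == -1) return -1;
    rl.rlim_cur = n;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Soft RLIMIT_NOFILE in effect in the su session, or -1 on error. */
int session_nofile(int asme, int asthem, const char *cls, unsigned uid) {
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        struct rlimit rl;
        /* User A's shell limit, inherited by su and whatever it starts. */
        if (set_soft_nofile(CALLER_NOFILE) == -1) _exit(255);
        /* Only a LOGIN_SETRESOURCES pass replaces it with user B's limit. */
        if ((su_setwhat(asme, asthem, cls, uid) & LOGIN_SETRESOURCES)
            && set_soft_nofile(TARGET_NOFILE) == -1) _exit(255);
        if (getrlimit(RLIMIT_NOFILE, &rl) == -1) _exit(255);
        _exit((int)rl.rlim_cur); /* both sample limits fit an exit status */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("su user: %d, su -l user: %d\n",
           session_nofile(0, 0, NULL, 1001), session_nofile(0, 1, NULL, 1001));
    return 0;
}
```
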
