su and resources not honored
From: Jeremy C. Reed (reed reedmedia.net)
Date: Tue Jun 13 2006 - 21:50:59 CDT
src/usr.bin/su/su_pam.c has:
    /*
     * Don't touch resource/priority settings if -m has been used
     * or -l and -c hasn't, and we're not su'ing to root.
     */
    if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
        setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
    if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
        err(EXIT_FAILURE, "setusercontext");
So using "su" (without -m for example), a user (who knows another user
account's password) can log in to that other user's account and, because
LOGIN_SETRESOURCES is not used, their previous resources are in effect. Is
that okay?
This seems like a way a user can misuse resources. Comments?
If that is acceptable behaviour it should be clearly documented. (Any
suggestions on wording for the manual page?)
I haven't checked other operating systems yet.
Note that our login(1) does not have that problem.
Jeremy C. Reed