In setusercontext(), do not apply user settings unless running as the

user in question (usually but not necessarily because we were called with LOGIN_SETUSER). This plugs a hole where users could raise their resource limits and expand their CPU mask. MFC after: 3 weeks
2010-08-16 11:32:20 +00:00 · 2010-08-16 11:32:20 +00:00 · 35305a8dc1
commit 35305a8dc1
parent f4fda7679a
1 changed files with 1 additions and 1 deletions
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@ -525,7 +525,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
    /*
     * Now, we repeat some of the above for the user's private entries
     */
-    if ((lc = login_getuserclass(pwd)) != NULL) {
+    if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
 	mymask = setlogincontext(lc, pwd, mymask, flags);
 	login_close(lc);
    }