You've found an unveil bug in su.  It needs to allow read access to
/etc/shells also, for this specific !altshell + asme + ruid case.

Index: su.c
===================================================================
RCS file: /cvs/src/usr.bin/su/su.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 su.c
--- su.c        23 Aug 2018 16:52:13 -0000      1.71
+++ su.c        20 Oct 2018 16:47:19 -0000
@@ -164,6 +164,8 @@ main(int argc, char **argv)
                err(1, "unveil");
        if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
                err(1, "unveil");
+       if (unveil(_PATH_SHELLS, "r") == -1)
+               err(1, "unveil");
 
        for (;;) {
                /* get target user, default to root unless in -L mode */



> Today I upgraded my desktop PC from OpenBSD amd64 6.3 to 6.4.
> 
> Up to 6.3 I was able to simply execute "su -m" to become superuser
> while keeping all my environment. Now under 6.4 I'm no longer able to
> do it:
> 
> casa:/home/giannici> su -m
> Password:
> su: permission denied (shell).
> 
> 
> In the man page of su I see "As a security precaution, if the target
> user's shell is a non-standard shell (as defined by getusershell(3))
> and the caller's real UID is non-zero, su will fail.".
> 
> But here is the output of "/etc/shells":
> 
> casa:/home/giannici> cat /etc/shells
> #       $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
> #
> # list of acceptable shells for chpass(1).
> # ftpd(8) will not allow users to connect who are not using
> # one of these shells, unless the user is listed in /etc/ftpchroot.
> /bin/sh
> /bin/csh
> /bin/ksh
> /usr/local/bin/bash
> /usr/local/bin/tcsh
> 
> And here is the first line of vipw:
> 
> root:$2b$XXXXXXXXXXXXXXXXSomeothercharacters:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
> 
> 
> Why can I do "su" but not "su -m" anymore?
> 
> Thanks.
> 
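To see why plain su keeps working while su -m fails once /etc/shells is unreadable, here is an added C example; it is not code from su.c or OpenBSD, but a model of the rule the man page states and of the getusershell(3) lookup it relies on. It assumes two things: the /etc/shells parsing rules (comment and blank lines skipped, one absolute path per line) and that getusershell(3) falls back to a built-in list of /bin/sh and /bin/csh when it cannot open the file, which is what happens when the file was never unveiled. The function names, the sample file contents and the uid are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Assumption modelled here: when /etc/shells cannot be opened, getusershell(3)
 * hands back a built-in list containing only /bin/sh and /bin/csh.
 */
static const char *fallback_shells[] = { "/bin/sh", "/bin/csh", NULL };

/* Constructed sample, mirroring the /etc/shells quoted in the report. */
static const char sample_shells[] =
    "#\t$OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $\n"
    "#\n"
    "# list of acceptable shells for chpass(1).\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/bin/ksh\n"
    "/usr/local/bin/bash\n"
    "/usr/local/bin/tcsh\n";

/*
 * Is `shell` listed in an /etc/shells-style buffer?  Parsing assumption:
 * each line is skipped up to its first '/' or '#'; a '#' (or end of line)
 * before any '/' means comment or blank; an entry ends at whitespace or '#'.
 * buf == NULL stands for "the file could not be read" (e.g. it was never
 * unveiled), in which case only the fallback list is consulted.
 */
bool
shell_is_standard(const char *buf, const char *shell)
{
	size_t want = strlen(shell);

	if (buf == NULL) {
		for (const char **p = fallback_shells; *p != NULL; p++)
			if (strcmp(*p, shell) == 0)
				return true;
		return false;
	}

	for (const char *line = buf; *line != '\0'; ) {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);
		size_t i = 0, j;

		while (i < len && line[i] != '/' && line[i] != '#')
			i++;
		if (i < len && line[i] == '/') {
			for (j = i; j < len && !isspace((unsigned char)line[j]) &&
			    line[j] != '#'; j++)
				;
			if (j - i == want && strncmp(line + i, shell, want) == 0)
				return true;
		}
		line = nl ? nl + 1 : line + len;
	}
	return false;
}

/*
 * The su(1) rule from the man page: with -m (asme) and no -s (altshell), a
 * caller whose real uid is non-zero may only keep their environment when the
 * target user's shell is a standard one.  Returns true when su may proceed.
 */
bool
su_shell_permitted(bool asme, bool altshell, uid_t ruid,
    const char *target_shell, const char *shells_buf)
{
	if (!asme || altshell || ruid == 0)
		return true;	/* the check is not applied on these paths */
	return shell_is_standard(shells_buf, target_shell);
}

int
main(void)
{
	const uid_t ruid = 1000;	/* constructed: an unprivileged caller */

	/* 6.3 behaviour: /etc/shells readable and /bin/ksh is listed. */
	printf("su -m, /etc/shells readable:   %s\n",
	    su_shell_permitted(true, false, ruid, "/bin/ksh", sample_shells)
	    ? "ok" : "permission denied (shell).");
	/* 6.4 before the fix: /etc/shells not unveiled, fallback list only. */
	printf("su -m, /etc/shells unreadable: %s\n",
	    su_shell_permitted(true, false, ruid, "/bin/ksh", NULL)
	    ? "ok" : "permission denied (shell).");
	/* plain su never runs the check, which is why it kept working. */
	printf("su,    /etc/shells unreadable: %s\n",
	    su_shell_permitted(false, false, ruid, "/bin/ksh", NULL)
	    ? "ok" : "permission denied (shell).");
	return 0;
}
```

The second case is the one in the report: target shell /bin/ksh, a non-root caller, -m given, and a shells list that collapses to /bin/sh and /bin/csh because the file is out of reach, so the check fails even though /etc/shells itself is correct.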
