When locking a tty with "vlock -a", if the user's password isn't correct
you'll be asked for root's password. However, this will always be rejected,
so root can't unlock - or switch to other consoles, making this an
vlock is not set-uid root, and as such cannot do anything the user couldn't do
already. Unfortunetly this also includes validating the root password (in most
circumstances). (Users can validate thier own password, but only by using a
small helper app invoked by PAM).
BTW, vlock -a also was the subject of an security advisory
(http://lwn.net/2000/1109/a/sec-vlock.php3), as -a allowed any user to bypass
the password (ouch...).
Just as a tiny note, entering the user's password when prompted for root's
password will resume the user session. It seems like if you're not going to
allow root to log in, you should at least change the prompt to "user's
Password:" rather than "root's Password:"
Software: that's the design behaviour; it's not giving you a new shell.
abartlett: you are right, there's no additional DOS beyond what you can