otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun