untrusted comment: verify with openbsd-65-base.pub
RWSZaRmt1LEQT19KUqYktIF3LfFPwF4lGg7QyCeU5sQrupIE09OGQWFvtbrJwSimLmjgXVJ+4SWl16xhpqgfovpbA6KTOU2FPw4=

OpenBSD 6.5 errata 023, December 8, 2019:

A user can log in with a different user's login class.

Apply by doing:
    signify -Vep /etc/signify/openbsd-65-base.pub -x 023_suauth.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install su:
    cd /usr/src/usr.bin/su
    make obj
    make
    make install

Index: usr.bin/su/su.c
===================================================================
RCS file: /var/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.73.2.1
diff -u -p -r1.73.2.1 su.c
--- usr.bin/su/su.c	4 Dec 2019 09:51:49 -0000	1.73.2.1
+++ usr.bin/su/su.c	6 Dec 2019 20:46:28 -0000
@@ -170,6 +170,8 @@ main(int argc, char **argv)
 		err(1, "unveil");
 
 	for (;;) {
+		char *pw_class = class;
+
 		/* get target user, default to root unless in -L mode */
 		if (*argv) {
 			user = *argv;
@@ -205,11 +207,11 @@ main(int argc, char **argv)
 		}
 
 		/* If the user specified a login class, use it */
-		if (!class && pwd && pwd->pw_class && pwd->pw_class[0] != '\0')
-			class = strdup(pwd->pw_class);
-		if ((lc = login_getclass(class)) == NULL)
+		if (pw_class == NULL && pwd != NULL)
+			pw_class = pwd->pw_class;
+		if ((lc = login_getclass(pw_class)) == NULL)
 			auth_errx(as, 1, "no such login class: %s",
-			    class ? class : LOGIN_DEFCLASS);
+			    pw_class ? pw_class : LOGIN_DEFCLASS);
 
 		if ((ruid == 0 && !emlogin) ||
 		    verify_user(username, pwd, style, lc, as) == 0)