Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-doc
 Path: blob/main/website/content/en/status/report-2023-07-2023-09/login_classes.adoc
18096 views
=== Login Classes Fixes and Improvements

Links: +
link:https://reviews.freebsd.org/D40339[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40339[]

Contact: Olivier Certner <[email protected]>

==== Context

Login classes are a mechanism mainly used to set various process properties and attributes at login, depending on the user logging in and the login class he is a member of.
A login class typically specifies resource limits, environment variables and process properties such as scheduling priority and umask.
See man:login.conf[5] for more information.

==== Changes

The `priority` and `umask` capabilities now accept the `inherit` special value to explicitly request property inheritance from the login process.
This is useful, e.g., when temporarily logging in as another user from a process with a non-default priority to ensure that processes launched by this user still have the same priority level.

Users can now override the global setting for the `priority` capability (in [.filename]#/etc/login.conf#) in their local configuration file ([.filename]#~/.login_conf#).
Note however that they cannot increase their priority if they are not privileged, and that using `inherit` in this context makes no sense, since the global setting is always applied first.

Fixes:

- Fix a bug where, when the `priority` capability specifies a realtime priority, the final priority used was off-by-one (and the numerically highest priority in the real time class (31) could never be set).
- Security: Prevent a setuid/setgid process from applying directives from some user's [.filename]#~/.login_conf# (directives there that cannot be applied because of a lack of privileges could suddenly become applicable in such a process).

We have also updated the relevant manual pages to reflect the new functionality, and improved the description of the `priority` and `umask` capabilities in man:login.conf[5].

==== Status

Some of the patches in the series have been reviewed thanks to mailto:[email protected][Konstantin Belousov] and mailto:[email protected][Warner Losh].
Other patches are waiting for reviews (and reviewers, volunteers welcome!), which are not expected to be labored.

We plan to improve consistency by deprecating the priority reset to 0 when no value for the capability `priority` is explicitly specified, which has been the case for `umask` for 15+ years.

Sponsor: Kumacom SAS (for development work) +
Sponsor: The FreeBSD Foundation (for some reviews)