Quite some time ago I spent a _lot_ of time getting resource limits and other features offered by /etc/login.conf working correctly. Unfortunately I probably never shared my results! At Sun, 28 Sep 2025 07:15:28 -0400, Greg Troxel <gdt%lexort.com@localhost> wrote: Subject: Re: resource limits and login.conf > > > 2. The last line of a record should not end in `\'. > > That makes sense; that was sort of left from editing. > This was the problem, and removing the final \ made it work. That's the trick! > It seems like there are two bugs; > > lack of a trailing newline causes an entry to be silently ignored Did you actually have a blank line after the "daemon" entry? I don't think there's an actual bug either way -- other than in giving a line continuation when it shouldn't have been there! If you didn't have a blank line, well then there's your bug -- the "default" entry didn't exist. If you did have a blank line, then you added a capability named as a newline character, and I don't think that would have caused any problem for the "daemon" entry, though I've never explicitly tested it. However if you did not have an extra blank line after the "default" entry then the good old "Some unix tools don't see a line at the end of a file if there's no final newline" problem may have caused the "default" entry to be unseen. EOF != \n. That's probably bad enough to be worth calling it a bug though. A little bit more testing of these various cases could be useful. > cap_mkdb doesn't warn when there is a malformed entry How would it tell in the case of two entries smushed together by an errant backslash? There is a way to ask cap_mkdb(1) to tell how many records were stored in the database (-v) -- and if you know you should have had two, but there's only one stored, then you know you have a line continuation problem. Perhaps the real problem is that there's no tool to easily do generic configuration testing of capfile(5) files. Maybe cap_mkdb with two -v's should print all of the parsed entries back out. Maybe there could be a "schema" file for capfile(5) files that would define some requirements for them -- valid names for capabilities for example, and then cap_mkdb could check for entries with invalid capability names (and range limits for those with values?), BTW, there are some other caveats w.r.t. login.conf(5) and resource limits in particular, especially if they're also set in a "tc=" combined entry. Below my /etc/login.conf file with comments discussing this issue. I started writing some updates to login.conf(5) based on this, but never finished. I also added a cross-reference to capfile(5) and cgetent(3) and cgetstr(3). These fixes to two descriptions are important though: Index: /usr/src/share/man/man5/login.conf.5 =================================================================== RCS file: /cvs/master/m-NetBSD/main/src/share/man/man5/login.conf.5,v retrieving revision 1.31 diff -u -r1.31 login.conf.5 --- /usr/src/share/man/man5/login.conf.5 11 Jul 2015 14:18:08 -0000 1.31 +++ /usr/src/share/man/man5/login.conf.5 20 Mar 2021 05:44:45 -0000 @@ -79,7 +79,9 @@ .Pp All entries in the .Nm login.conf -file are either boolean or use a `=' to separate the capability +file are either boolean or use a +.Ql = +to separate the capability from the value. The types are described after the capability table. .Bl -column minpasswordlen program default @@ -173,18 +175,26 @@ .\" .sp .It Sy memorylocked Ta size Ta "" Ta -Maximum locked in core memory size. +Maximum amount of memory a process may lock in physical memory with +.Xr mlock 2 . .\" .sp .It Sy memoryuse Ta size Ta "" Ta -Maximum in core memoryuse size. +Maximum physical (in-core) memory size. +.Em N.B. : +.Sy memoryuse +is not used or honoured by +.Xr uvm 9 +in +.Nx . .\" .sp -.It Sy minpasswordlen Ta number Ta "" Ta +.It Sy minpasswordlen Ta number Ta "8" Ta The minimum length a local password may be. Used by the .Xr passwd 1 utility. +Only values greater than 4 have any effect. .\" .sp .It Sy nologin Ta file Ta "" Ta @@ -272,7 +282,9 @@ .\" .sp .It Sy vmemoryuse Ta size Ta "" Ta -Maximum virtual address space size. +Maximum amount of virtual memory the process is allowed to map. +This includes address space acquired by +.Xr mmap 2 . .\" .sp .It Sy welcome Ta file Ta Li /etc/motd Ta @@ -298,9 +310,10 @@ .Sy vmemoryuse ) actually specify both the maximum and current limits (see .Xr getrlimit 2 ) . -The current limit is the one normally used, +The current limit is the one enforced by the system, although the user is permitted to increase the current limit to the -maximum limit. +maximum limit by calling +.Xr setrlimit 2 . The maximum and current limits may be specified individually by appending a .Sq Sy \-max Note I added the suffix "class" to all the class names to make them a little more clearly distinguishable in the master.passwd file. It's a bit longer than I desired, but they definitely show up better to my eyes. I also did some fixes and cleanup to lib/libutil/login_cap.c, mostly to improve error reporting a wee bit. I could post those separately. -- Greg A. Woods <gwoods%acm.org@localhost> Kelowna, BC +1 250 762-7675 RoboHack <woods%robohack.ca@localhost> Planix, Inc. <woods%planix.com@localhost> Avoncote Farms <woods%avoncote.ca@localhost> # $NetBSD: login.conf,v 1.7 2018/03/01 04:12:09 snj Exp $ # Based on: # OpenBSD: login.conf,v 1.22 2005/08/12 18:48:20 millert Exp # # Sample login.conf file. See login.conf(5) for details. # # Note that on the Alpha and i386 the default absolute datasize-max limit is # 1024m (MAXDSIZ) and the absolute stacksize-max limit is 32m (MAXSSIZ). # Attempts to set limits above these will (not so) silently be reduced to these # absolutes. # # XXX According to the manual page: # # The resource limit entries (coredumpsize, cputime, datasize, filesize, # maxproc, memorylocked, memoryuse, openfiles, sbsize, stacksize and # vmemoryuse) actually specify both the maximum and current limits. # [[....]] # The maximum and current limits may be specified individually by appending # a "-max" or "-cur" to the capability name. # # In actual fact setusercontext(3) [login_cap.c:gsetrl()] first gets the current # rlim_cur and rlim_max values for a resource limit with getrlimit(2), then it # searches using login_getcapnum(3), login_getcapsize(3), or login_getcaptime(3) # (each of which use cgetstr(3)) for the un-suffixed capabililty key, using that # (if found) to set new defaults for _both_ rlim_cur and rlim_max values # (i.e. overriding both runtime values); and finally it searches for the "-max" # and "-cur" suffixed capability keys, using whatever is found to set the # matching rlim_cur and rlim_max. If a suffixed capability key is not found the # default value is the result of the first step. I.e. the runtime values are # the initial default, then any plain key overrides _both_ runtime values, then # any "-max" or "-cur" suffix overrides the specified value. # # This means great care must be taken if any limits are given in any entry used # by another via a "tc=" capability. This means if an included entry used via # "tc=" sets the "-max" and/or "-cur" capabilities then the included entry's # "-max" and/or "-cur" capability will override an un-suffixed capability from # the outer entry (unless the outer entry uses '@' to override the suffixed # capability given in the included entry). It also means if an entry used via # "tc=" sets just the un-suffixed key then that may become the default for # rlim_max and rlim_cur unless it/they is/are overridden or forbidden in the # outer entry. # N.B.: use "pwhash -p" (and vipw) to bypass minpasswordlen # # Useful default values # # Use this in other entries with "tc=default" # default|Default values for all login classes:\ :copyright=/etc/copyrights:\ :datasize-max=512M:\ :datasize-cur=512M:\ :login-retries=5:\ :login-backoff=2:\ :maxproc-max=200:\ :maxproc-cur=160:\ :memoryuse-max=500m:\ :memoryuse-cur=300m:\ :memorylocked-max=128m:\ :memorylocked-cur=64m:\ :minpasswordlen=10:\ :nologin=/etc/nologin:\ :openfiles-max=1000:\ :openfiles-cur=256:\ :path=/bin /usr/bin /usr/X11R7/bin /usr/pkg/bin /usr/local/bin ~/bin:\ :password-warn=1w:\ :passwordtime=4w:\ :requirehome:\ :stacksize-max=16M:\ :stacksize-cur=4M:\ :term=unknown:\ :umask=022:\ :vmemoryuse-max=8G:\ :vmemoryuse-cur=4G:\ :welcome=/etc/motd: # # Settings used by daemon # daemonclass|Special login class used by daemon account:\ :hushlogin:\ :ignorenologin:\ :datasize=1000m:\ :datasize-max@:\ :datasize-cur@:\ :maxproc-max=500:\ :maxproc-cur=200:\ :openfiles-cur=128:\ :passwordtime@:\ :path=/sbin /usr/sbin /bin /usr/bin /usr/X11R7/bin /usr/pkg/sbin /usr/pkg/bin /usr/local/sbin /usr/local/bin:\ :stacksize-cur=8M:\ :tc=default: # rootclass|Special login class used by root account:\ :coredumpsize-max=inf:\ :coredumpsize-cur=inf:\ :cputime-max=inf:\ :cputime-cur=inf:\ :datasize-max=inf:\ :datasize-cur=inf:\ :filesize-max=inf:\ :filesize-cur=inf:\ :ignorenologin:\ :login-retries=3:\ :login-backoff=5:\ :maxproc-max=inf:\ :maxproc-cur=500:\ :maxthread-max=inf:\ :maxthread-cur=inf:\ :memoryuse-max=inf:\ :memoryuse-cur=inf:\ :memorylocked-max=inf:\ :memorylocked-cur=2G:\ :minpasswordlen=8:\ :openfiles-max=inf:\ :openfiles-cur=2000:\ :passwordtime@:\ :path=/root/bin /sbin /usr/sbin /bin /usr/bin /usr/X11R7/bin /usr/pkg/sbin /usr/pkg/bin /usr/local/sbin /usr/local/bin:\ :requirehome@:\ :sbsize-max=inf:\ :sbsize-cur=inf:\ :stacksize-max=inf:\ :stacksize-cur=32M:\ :vmemoryuse-max=inf:\ :vmemoryuse-cur=32G:\ :tc=default: # # staff get to abuse the system somewhat more than the default # staffclass|Special login class used by staff accounts:\ :datasize-max=inf:\ :datasize-cur=inf:\ :login-retries=3:\ :login-backoff=5:\ :maxproc-max=600:\ :maxproc-cur=300:\ :memoryuse-max=16G:\ :memoryuse-cur=8G:\ :memorylocked-max=2G:\ :memorylocked-cur=500m:\ :minpasswordlen=9:\ :openfiles-max=4000:\ :openfiles-cur=2000:\ :passwordtime@:\ :path=/bin /usr/bin /usr/X11R7/bin /usr/pkg/bin /usr/local/bin ~/bin:\ :requirehome@:\ :stacksize-max=32M:\ :stacksize-cur=8M:\ :tc=rootclass:
Attachment:
pgpW28zD0R42g.pgp
Description: OpenPGP Digital Signature