Subject: /etc/login.conf
To: None <tech-userlevel@netbsd.org>
From: Martin J. Laubach <mjl@emsi.priv.at>
List: tech-userlevel
Date: 12/07/1999 09:45:22
I propose (and volunteer) to work on /etc/login.conf, as it
appears in BSDI and FreeBSD.
The problem
-----------
There is currently, short of adding and duplicating shell code
in /etc/profile and /etc/csh.cshrc, no way of defining resource
limits or environments for users. Also, some other settings are
currently hard-coded in binaries, like the password expiry warn
time, and cannot be changed at all, lest for different user classes.
The proposal
------------
(a) Add the necessary routines for parsing /etc/login.conf style
files, as known from BSDI or FreeBSD to libc.
The login.conf file describes the various attributes of login
classes. It links definitions to entries in /etc/passwd by means
of the -- present, but currently unused -- "class" field.
A login.conf entry looks quite similar to a termcap(5) style
entry, except for longer, more descriptive naming.
(b) Modify the relevant programs to use login.conf. This
includes login, su, ftpd for setting resource limits, but also
passwd(1) which finally would make the 'expire' feature useful.
Details
-------
Login.conf in BSDI and FreeBSD defines several things:
authentication settings (bsd authentication in BSDI, PAM in FreeBSD),
resource limits and environment settings, and miscellaneous account
relevant settings.
I do _NOT_ want to touch the authentication stuff per se, since
it is highly controversial whether PAM or bsd authentication is
the way to go, so only the following entries will be relevant.
Please keep in mind that though many of those seem duplicating
already present functionality (/etc/nologin for example), they
can be set on a per user class basis!
Resource limits
cputime time CPU usage limit.
filesize size Maximum file size limit.
datasize size Maximum data size limit.
stacksize size Maximum stack size limit.
coredumpsize size Maximum coredump size limit.
memoryuse size Maximum of core memory use size limit.
memorylocked size Maximum locked in core memory size limit.
maxproc number Maximum number of processes.
openfiles number Maximum number of open files per process.
Environment settings
hushlogin bool Same as having a ~/.hushlogin file.
ignorenologin bool Login not prevented by nologin.
lang string Set $LANG environment variable.
manpath path Default search path for manpages.
nologin file As /etc/nologin.
path path Default search path.
priority number Initial priority (nice) level.
requirehome bool Require a valid home directory to login.
setenv list A comma-separated list of env vars/vals.
shell prog Session shell to execute.
term string Default terminal.
timezone string Default value of $TZ environment variable.
umask number Initial umask.
welcome file File containing welcome message.
Authentication settings
minpasswordlen number The minimum length for local password
copyright file File containing additional copyright
Accounting limits
expireperiod time Time for expiry allocation.
graceexpire time Grace days for expired account.
gracetime time Additional grace login time allowed.
harduserlimit bool Do not allow the user to
passwordtime time Used by passwd(1) to set expiry date.
warnexpire time Advance notice for pending account expiry.
warnpassword time Advance notice for pending password
Impact
------
If no /etc/login.conf is present, none.
If /etc/login.conf exists, and no classes are specified in /etc/passwd,
the values are taken from the 'default' entry (or 'root' for the root
account). Else from the corresponding class entry.
Notes
-----
Since this will touch some security relevant parts, any imported
parts of code need to be carefully audited.
Actions necessary
-----------------
Flame me to a crisp.
Comments?
mjl