xref: /freebsd/lib/libutil/login_class.3 (revision a4c04958f526a0dba353b54641dc5d2806984d02) 
1.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, is permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice immediately at the beginning of the file, without modification,
9.\"    this list of conditions, and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
14.\"    is permitted provided this notation is included.
15.\" 4. Absolutely no warranty of function or purpose is made by the author
16.\"    David Nugent.
17.\" 5. Modifications may be freely made to this file providing the above
18.\"    conditions are met.
19.\"
20.Dd May 10, 2020
21.Dt LOGIN_CLASS 3
22.Os
23.Sh NAME
24.Nm setclasscontext ,
25.Nm setclasscpumask ,
26.Nm setclassenvironment ,
27.Nm setclassresources ,
28.Nm setusercontext
29.Nd "functions for using the login class capabilities database"
30.Sh LIBRARY
31.Lb libutil
32.Sh SYNOPSIS
33.In sys/types.h
34.In login_cap.h
35.Ft int
36.Fn setclasscontext "const char *classname" "unsigned int flags"
37.Ft void
38.Fn setclasscpumask "login_cap_t *lc"
39.Ft void
40.Fn setclassenvironment "login_cap_t *lc" "const struct passwd *pwd" "int paths"
41.Ft void
42.Fn setclassresources "login_cap_t *lc"
43.Ft int
44.Fn setusercontext "login_cap_t *lc" "const struct passwd *pwd" "uid_t uid" "unsigned int flags"
45.Sh DESCRIPTION
46These functions provide a higher level interface to the login class
47database than those documented in
48.Xr login_cap 3 .
49These functions are used to set resource limits, environment and
50accounting settings for users on logging into the system and when
51selecting an appropriate set of environment and resource settings
52for system daemons based on login classes.
53These functions may only be called if the current process is
54running with root privileges.
55If the LOGIN_SETLOGIN flag is used this function calls
56.Xr setlogin 2 ,
57and due care must be taken as detailed in the manpage for that
58function and this affects all processes running in the same session
59and not just the current process.
60.Pp
61The
62.Fn setclasscontext
63function sets various class context values (resource limits, umask and
64process priorities) based on values for a specific named class.
65.Pp
66The
67.Fn setusercontext
68function sets class context values based on a given login_cap_t
69object and a specific passwd record (if login_cap_t is NULL),
70the current session's login, and the current process
71user and group ownership.
72Each of these actions is selectable via bit-flags passed
73in the
74.Ar flags
75parameter, which is comprised of one or more of the following:
76.Bl -tag -width LOGIN_SETLOGINCLASS
77.It LOGIN_SETLOGIN
78Set the login associated with the current session to the user
79specified in the passwd structure using
80.Xr setlogin 2 .
81The
82.Ar pwd
83parameter must not be NULL if this option is used.
84.It LOGIN_SETUSER
85Set ownership of the current process to the uid specified in the
86.Ar uid
87parameter using
88.Xr setuid 2 .
89.It LOGIN_SETGROUP
90Set group ownership of the current process to the group id
91specified in the passwd structure using
92.Xr setgid 2 ,
93and calls
94.Xr initgroups 3
95to set up the group access list for the current process.
96The
97.Ar pwd
98parameter must not be NULL if this option is used.
99.It LOGIN_SETRESOURCES
100Set resource limits for the current process based on values
101specified in the system login class database.
102Class capability tags used, with and without -cur (soft limit)
103or -max (hard limit) suffixes and the corresponding resource
104setting:
105.Bd -literal
106cputime          RLIMIT_CPU
107filesize         RLIMIT_FSIZE
108datasize         RLIMIT_DATA
109stacksize        RLIMIT_STACK
110coredumpsize     RLIMIT_CORE
111memoryuse        RLIMIT_RSS
112memorylocked     RLIMIT_MEMLOCK
113maxproc          RLIMIT_NPROC
114openfiles        RLIMIT_NOFILE
115sbsize           RLIMIT_SBSIZE
116vmemoryuse       RLIMIT_VMEM
117pseudoterminals  RLIMIT_NPTS
118swapuse          RLIMIT_SWAP
119kqueues          RLIMIT_KQUEUES
120umtxp            RLIMIT_UMTXP
121pipebuf          RLIMIT_PIPEBUF
122.Ed
123.It LOGIN_SETPRIORITY
124Set the scheduling priority for the current process based on the
125value specified in the system login class database.
126Class capability tags used:
127.Bd -literal
128priority
129.Ed
130.It LOGIN_SETUMASK
131Set the umask for the current process to a value in the user or
132system login class database.
133Class capability tags used:
134.Bd -literal
135umask
136.Ed
137.It LOGIN_SETPATH
138Set the "path" and "manpath" environment variables based on values
139in the user or system login class database.
140Class capability tags used with the corresponding environment
141variables set:
142.Bd -literal
143path          PATH
144manpath       MANPATH
145.Ed
146.It LOGIN_SETENV
147Set various environment variables based on values in the user or
148system login class database.
149Class capability tags used with the corresponding environment
150variables set:
151.Bd -literal
152lang          LANG
153charset       MM_CHARSET
154timezone      TZ
155term          TERM
156.Ed
157.Pp
158Additional environment variables may be set using the list type
159capability "setenv=var1 val1,var2 val2..,varN valN".
160.It LOGIN_SETMAC
161Set the MAC label for the current process to the label specified
162in system login class database.
163.It LOGIN_SETCPUMASK
164Create a new
165.Xr cpuset 2
166and set the cpu affinity to the specified mask.
167The string may contain a comma separated list of numbers and/or number
168ranges as handled by the
169.Xr cpuset 1
170utility or the case-insensitive string
171.Ql default .
172If the string is
173.Ql default
174no action will be taken.
175.It LOGIN_SETLOGINCLASS
176Set the login class of the current process using
177.Xr setloginclass 2 .
178.It LOGIN_SETALL
179Enables all of the above settings.
180.El
181.Pp
182Note that when setting environment variables and a valid passwd
183pointer is provided in the
184.Ar pwd
185parameter, the characters
186.Ql \&~
187and
188.Ql \&$
189are substituted for the user's home directory and login name
190respectively.
191.Pp
192The
193.Fn setclasscpumask ,
194.Fn setclassresources
195and
196.Fn setclassenvironment
197functions are subsets of the setcontext functions above, but may
198be useful in isolation.
199.Sh RETURN VALUES
200The
201.Fn setclasscontext
202and
203.Fn setusercontext
204functions return -1 if an error occurred, or 0 on success.
205If an error occurs when attempting to set the user, login, group
206or resources, a message is reported to
207.Xr syslog 3 ,
208with LOG_ERR priority and directed to the currently active facility.
209.Sh SEE ALSO
210.Xr cpuset 1 ,
211.Xr ps 1 ,
212.Xr cpuset 2 ,
213.Xr setgid 2 ,
214.Xr setlogin 2 ,
215.Xr setloginclass 2 ,
216.Xr setuid 2 ,
217.Xr getcap 3 ,
218.Xr initgroups 3 ,
219.Xr login_cap 3 ,
220.Xr mac_set_proc 3 ,
221.Xr login.conf 5 ,
222.Xr termcap 5
223.Sh HISTORY
224The functions
225.Fn setclasscontext ,
226.Fn setclasscpumask ,
227.Fn setclassenvironment ,
228.Fn setclassresources
229and
230.Fn setusercontext
231first appeared in
232.Fx 2.1.5 .
233