xref: /freebsd/lib/libutil/login_class.3 (revision d6b92ffa)
.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice immediately at the beginning of the file, without modification,
.\"    this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
.\"    is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\"    David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\"    conditions are met.
.\"
.\" $FreeBSD$
.\"
.Dd March 24, 2011
.Dt LOGIN_CLASS 3
.Os
.Sh NAME
.Nm setclasscontext ,
.Nm setclasscpumask ,
.Nm setclassenvironment ,
.Nm setclassresources ,
.Nm setusercontext
.Nd "functions for using the login class capabilities database"
.Sh LIBRARY
.Lb libutil
.Sh SYNOPSIS
.In sys/types.h
.In login_cap.h
.Ft int
.Fn setclasscontext "const char *classname" "unsigned int flags"
.Ft void
.Fn setclasscpumask "login_cap_t *lc"
.Ft void
.Fn setclassenvironment "login_cap_t *lc" "const struct passwd *pwd" "int paths"
.Ft void
.Fn setclassresources "login_cap_t *lc"
.Ft int
.Fn setusercontext "login_cap_t *lc" "const struct passwd *pwd" "uid_t uid" "unsigned int flags"
.Sh DESCRIPTION
These functions provide a higher level interface to the login class
database than those documented in
.Xr login_cap 3 .
These functions are used to set resource limits, environment and
accounting settings for users on logging into the system and when
selecting an appropriate set of environment and resource settings
for system daemons based on login classes.
These functions may only be called if the current process is
running with root privileges.
If the LOGIN_SETLOGIN flag is used, the function calls
.Xr setlogin 2 ;
due care must be taken as detailed in the manpage for that
function, because this affects all processes running in the same session
and not just the current process.
.Pp
The
.Fn setclasscontext
function sets various class context values (resource limits, umask and
process priorities) based on values for a specific named class.
.Pp
The
.Fn setusercontext
function sets class context values based on a given login_cap_t
object (or, if login_cap_t is NULL, on a specific passwd record),
the current session's login, and the current process
user and group ownership.
Each of these actions is selectable via bit-flags passed
in the
.Ar flags
parameter, which is composed of one or more of the following:
.Bl -tag -width LOGIN_SETLOGINCLASS
.It LOGIN_SETLOGIN
Set the login associated with the current session to the user
specified in the passwd structure using
.Xr setlogin 2 .
The
.Ar pwd
parameter must not be NULL if this option is used.
.It LOGIN_SETUSER
Set ownership of the current process to the uid specified in the
.Ar uid
parameter using
.Xr setuid 2 .
.It LOGIN_SETGROUP
Set group ownership of the current process to the group id
specified in the passwd structure using
.Xr setgid 2 ,
and calls
.Xr initgroups 3
to set up the group access list for the current process.
The
.Ar pwd
parameter must not be NULL if this option is used.
.It LOGIN_SETRESOURCES
Set resource limits for the current process based on values
specified in the system login class database.
Class capability tags used, with and without -cur (soft limit)
or -max (hard limit) suffixes and the corresponding resource
setting:
.Bd -literal
cputime          RLIMIT_CPU
filesize         RLIMIT_FSIZE
datasize         RLIMIT_DATA
stacksize        RLIMIT_STACK
coredumpsize     RLIMIT_CORE
memoryuse        RLIMIT_RSS
memorylocked     RLIMIT_MEMLOCK
maxproc          RLIMIT_NPROC
openfiles        RLIMIT_NOFILE
sbsize           RLIMIT_SBSIZE
vmemoryuse       RLIMIT_VMEM
pseudoterminals  RLIMIT_NPTS
swapuse          RLIMIT_SWAP
kqueues          RLIMIT_KQUEUES
umtxp            RLIMIT_UMTXP
.Ed
.It LOGIN_SETPRIORITY
Set the scheduling priority for the current process based on the
value specified in the system login class database.
Class capability tags used:
.Bd -literal
priority
.Ed
.It LOGIN_SETUMASK
Set the umask for the current process to a value in the user or
system login class database.
Class capability tags used:
.Bd -literal
umask
.Ed
.It LOGIN_SETPATH
Set the "path" and "manpath" environment variables based on values
in the user or system login class database.
Class capability tags used with the corresponding environment
variables set:
.Bd -literal
path          PATH
manpath       MANPATH
.Ed
.It LOGIN_SETENV
Set various environment variables based on values in the user or
system login class database.
Class capability tags used with the corresponding environment
variables set:
.Bd -literal
lang          LANG
charset       MM_CHARSET
timezone      TZ
term          TERM
.Ed
.Pp
Additional environment variables may be set using the list type
capability "setenv=var1 val1,var2 val2..,varN valN".
.It LOGIN_SETMAC
Set the MAC label for the current process to the label specified
in the system login class database.
.It LOGIN_SETCPUMASK
Create a new
.Xr cpuset 2
and set the CPU affinity to the specified mask.
The string may contain a comma separated list of numbers and/or number
ranges as handled by the
.Xr cpuset 1
utility or the case-insensitive string
.Ql default .
If the string is
.Ql default
no action will be taken.
.It LOGIN_SETLOGINCLASS
Set the login class of the current process using
.Xr setloginclass 2 .
.It LOGIN_SETALL
Enables all of the above settings.
.El
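Added example, not part of the original manual page or of libutil: a strict C check of the cpumask string syntax described under LOGIN_SETCPUMASK, usable to vet a class entry before it is deployed. The function name parse_cpumask, the CPUMASK_* return codes and the 0..63 CPU id limit are assumptions of this example, and the check may differ from libutil's own parser in edge cases.

```c
/* Added example: validator for the cpumask string syntax described above.
 * Not libutil's parser; CPU ids are limited to 0..63 here (assumption). */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <strings.h>

#define CPUMASK_INVALID (-1) /* malformed: reject the class entry */
#define CPUMASK_DEFAULT 0    /* "default": no action is taken */
#define CPUMASK_SET     1    /* *mask holds the requested affinity */

/* Read a decimal CPU id in 0..63 and advance *s past it; -1 on error. */
static long read_cpu(const char **s)
{
    char *end;

    if (!isdigit((unsigned char)**s))
        return -1;              /* no sign, whitespace or empty field */
    long n = strtol(*s, &end, 10);
    *s = end;
    return (n > 63) ? -1 : n;   /* also rejects overflowed values */
}

int parse_cpumask(const char *str, uint64_t *mask)
{
    *mask = 0;
    if (strcasecmp(str, "default") == 0)
        return CPUMASK_DEFAULT;
    for (;;) {
        long lo = read_cpu(&str), hi = lo;

        if (lo < 0)
            return CPUMASK_INVALID;
        if (*str == '-') {      /* number range "lo-hi" */
            str++;
            hi = read_cpu(&str);
            if (hi < lo)        /* reversed range, or hi failed to parse */
                return CPUMASK_INVALID;
        }
        for (long c = lo; c <= hi; c++)
            *mask |= UINT64_C(1) << c;
        if (*str == '\0')
            return CPUMASK_SET;
        if (*str++ != ',')      /* only a comma may separate items */
            return CPUMASK_INVALID;
    }
}
```
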
.Pp
Note that when environment variables are set and a valid passwd
pointer is provided in the
.Ar pwd
parameter, the characters
.Ql \&~
and
.Ql \&$
are replaced with the user's home directory and login name
respectively.
.Pp
The
.Fn setclasscpumask ,
.Fn setclassresources
and
.Fn setclassenvironment
functions are subsets of the setcontext functions above, but may
be useful in isolation.
.Sh RETURN VALUES
The
.Fn setclasscontext
and
.Fn setusercontext
functions return -1 if an error occurred, or 0 on success.
If an error occurs when attempting to set the user, login, group
or resources, a message is reported to
.Xr syslog 3 ,
with LOG_ERR priority and directed to the currently active facility.
.Sh SEE ALSO
.Xr cpuset 1 ,
.Xr ps 1 ,
.Xr cpuset 2 ,
.Xr setgid 2 ,
.Xr setlogin 2 ,
.Xr setloginclass 2 ,
.Xr setuid 2 ,
.Xr getcap 3 ,
.Xr initgroups 3 ,
.Xr login_cap 3 ,
.Xr mac_set_proc 3 ,
.Xr login.conf 5 ,
.Xr termcap 5