Add missing manpage for login.conf.

svn path=/head/; revision=21316

lib/libutil/login.conf.5

@@ -0,0 +1,361 @@
+.\" Copyright (c) 1996 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd November 22, 1996
+.Dt LOGIN.CONF 5
+.Os FreeBSD
+.Sh NAME
+.Nm login.conf
+.Nd login class capability database
+.Sh SYNOPSIS
+.Pa /etc/login.conf ,
+.Pa ~/.login.conf
+.Sh DESCRIPTION
+login.conf contains various attributes and capabilities of login classes.
+A login class (an optional annotation against each record in the user
+account database,
+.Pa /etc/master.passwd )
+determines session accounting, resource limits and user environment settings.
+It is used by various programs in the system to set up a user's login
+environment and to enforce policy, accounting and administrative restrictions.
+It also provides the means by which users are able to be
+authenticated to the system and the types of authentication available.
+.Pp
+A special record "default" in the system user class capability database
+.Pa /etc/login.conf
+is used automatically for any
+non-root user without a valid login class in
+.Pa /etc/master.passwd .
+A user with a uid of 0 without a valid login class will use the record
+"root" if it exists, or "default" if not.
+.Pp
+In FreeBSD, users may individually create a file called
+.Pa .login.conf
+in their home directory using the same format, consisting of a single
+entry with a recordid of "me".
+If present, this file is used by
+.Xr login 1
+to set user-defined environment settings which override those specified
+in the system login capabilities database.
+Only a subset of login capabilities may be overridden, typically those
+which do not involve authentication, resource limits and accounting.
+.Pp
+Records in a class capabilities database consist of a number of
+colon-separated fields.
+The first entry for each record gives one or more names that a record is
+to be known by, each separated by a '|' character.
+The first name is the most common abbreviation.
+The last name given should be a long name that is more descriptive
+of the capability entry, and all others are synonyms.
+All names but the last should be in lower case and contain no blanks;
+the last name may contain upper case characters and blanks for
+readability.
+.Pp
+See
+.Xr getcap 3
+for a more in-depth description of the format of a capability database.
+.Sh CAPABILITIES
+Fields within each record in the database follow the
+.Xr getcap 3
+conventions for boolean, type string
+.Ql \&= 
+and type numeric
+.Ql \&# ,
+although type numeric is depreciated in favour of the string format and
+either form is accepted for a numeric datum.
+Values fall into the following categories:
+.Bl -tag -width "program"
+.It file
+Path name to a data file
+.It program
+Path name to an executable file
+.It list
+A list of values (or pairs of values) separated by commas or spaces
+.It path
+A space or comma separated list of path names, following the usual csh
+conventions (leading tilde with and without username being expanded to
+home directories etc.)
+.It number
+A numeric value, either decimal (default), hexadecimal (with leading 0x),
+or octal (with a leading 0).
+With a numeric type, only one numeric value is allowed.
+Numeric types may also be specified in string format (ie. the capability
+tag being delimited from the value by '=' instead of '#').
+Whichever method is used, then all records in the database must use the
+same method to allow values to be correctly overridden in interpolated
+records.
+.It size
+A number which expresses a size.
+The default interpretation of a value is the number of bytes, but a
+suffix may specify alternate units:
+.Bl -tag -offset indent -compact -width xxxx
+.It b
+explicitly selects 512-byte blocks
+.It k
+selects kilobytes (1024 bytes)
+.It m
+specifies a multiplier of 1 megabyte (1038476 bytes),
+.It g
+specifies units of gigabytes, and
+.It t
+represents terrabytes.
+.El
+A size value is a numeric quantity and case of the suffix is not significant.
+Concatenated values are added together.
+.It time
+A period of time, by default in seconds.
+A prefix may specify a different unit;
+.Bl -tag -offset indent -compact -width xxxx
+.It y
+indicates the number of 365 day years,
+.It w
+indicates the number of weeks,
+.It d
+the number of days,
+.It h
+the number of minutes, and
+.It s
+the number of seconds.
+.El
+Concatenated values are added together.
+For example, 2 hours and 40 minutes may be written either as
+9600s, 160m or 2h40m.
+.El
+.Pp
+The usual convention to interpolate capability entries using the special
+.Em tc=value
+notation may be used.
+.Pp
+.Sh RESOURCE LIMITS
+.Bl -column coredumpsize indent indent
+.Sy Name	Type	Notes	Description
+.It cputime	time		CPU usage limit.
+.It filesize	size		Maximum file size limit.
+.It datasize	size		Maximum data size limit.
+.It stacksize	size		Maximum stack size limit.
+.It coredumpsize	size		Maximum coredump size limit.
+.It memoryuse	size		Maximum of core memory use size limit.
+.It memorylocked	size		Maximum locked in core memory size limit.
+.It maxproc	number		Maximum number of processes.
+.It openfiles	number		Maximum number of open files per process.
+.El
+.Pp
+These resource limit entries actually specify both the maximum
+and current limits (see
+.Xr getrlimit 2 ).
+The current (soft) limit is the one normally used, although the user is permitted
+to increase the current limit to the maximum (hard) limit.
+The maximum and current limits may be specified individually by appending a
+-max or -cur to the capability name.
+.Pp
+.Sh ENVIRONMENT
+.Bl -column ignorenologin indent xbinxxusrxbin
+.Sy Name	Type	Notes	Description
+.It charset	string		Set $MM_CHARSET environment variable to the specified
+value.
+.It hushlogin	bool	false	Same as having a ~/.hushlogin file.
+.It ignorenologin	bool	false	Login not prevented by nologin.
+.It lang	string		Set $LANG environment variable to the specified value.
+.It manpath	path		Default search path for manpages.
+.It nologin	file		If the file exists it will be displayed and
+the login session will be terminated.
+.It path	path	/bin /usr/bin	Default search path.
+.It priority	number		Initial priority (nice) level.
+.It requirehome 	bool	false	Require a valid home directory to login.
+.It setenv	list		A comma-separated list of environment variables and
+values to which they are to be set.
+.It shell	prog		Session shell to execute rather than the
+shell specified in the passwd file. The SHELL environment variable will
+contain the shell specified in the password file.
+.It term	string	su	Default terminal type if not able to determine from
+other means.
+.It timezone	string		Default value of $TZ environment variable.
+.It umask	number	022	Initial umask. Should always have a leading 0 to
+ensure octal interpretation.
+.It welcome	file	/etc/motd	File containing welcome message.
+.El
+.Pp
+.Sh AUTHENTICATION
+.Bl -column minpasswordlen indent indent
+.Sy Name	Type	Notes	Description
+.It minpasswordlen	number	6	The minimum length a local password may be.
+.\" .It approve	program 	Program to approve login.
+.It auth	list	passwd	Allowed authentication styles. The first value is the
+default style.
+.It auth-<type>	list		Allowed authentication styles for the
+authentication type 'type'.
+.It copyright	file		File containing additional copyright information
+.\".It widepasswords	bool	false	Use the wide password format. The wide password
+.\" format allows up to 128 significant characters in the password.
+.It host.allow	list		List of remote host wildcards from which users in
+the class may access.
+.It host.deny	list		List of remote host wildcards from which users in
+the class may not access.
+.It times.allow 	list		List of time periods during which
+logins are allowed.
+.It times.deny	list		List of time periods during which logins are
+disallowed.
+.It tty.allow	list		List of ttys and ttygroups which users
+in the class may use for access.
+.It tty.deny	list		List of ttys and ttygroups which users
+in the class may not use for access.
+.El
+.Pp
+These fields are intended to be used by
+.Xr passwd 1
+and other programs in the login authentication system.
+.Pp
+Capabilities that set environment variables are scanned for both
+.Ql \&~
+and
+.Ql \&$
+characters, which are substituted for a user's home directory and name
+respectively.
+To pass these characters literally into the environment variable, escape
+the character by preceding it with a backslash '\\'.
+.Pp
+The
+.Ar host.allow
+and
+.Ar host.deny
+entries are comma separated lists used for checking remote access to the system,
+and consist of a list of hostnames and/or IP addresses against which remote
+network logins are checked.
+Items in these lists may contain wildcards in the form used by shell programs
+for wildcard matching (See
+.Xr fnmatch 3
+for details on the implementation).
+The check on hosts is made against both the remote system's internet address
+and hostname (if available).
+If both lists are empty or not specified, then logins from any remote host
+are allowed.
+If host.allow contains one or more hosts, then only remote systems matching
+any of the items in that list are allowed to log in.
+If host.deny contains one or more hosts, then a login from any matching hosts
+will be disallowed.
+.Pp
+The
+.Ar times.allow
+and
+.Ar times.deny
+entries consist of a comma-separated list of time periods during which the users
+in a class are allowed to be logged in.
+These are expressed as one or more day codes followed by a start and end times
+expressed in 24 hour fromat, separated by a hyphen or dash.
+For example, MoThSa0200-1300 translates to monday, thursday and saturday between
+the hours of 2 am and 1 pm.
+If both of these time lists are empty, users in the class are allowed access at
+any time.
+If
+.Ar times.allow
+is specified, then logins are only allowed during the periods given.
+If
+.Ar times.deny
+is specified, then logins are denied during the periods given, regardless of whether
+one of the periods specified in
+.Ar times.allow
+applies.
+.Pp
+Note that
+.Xr login 1
+enforces only that the actual login falls within periods allowed by these entries.
+Further enforcement over the life of a session requires a separate daemon to
+monitor transitions from an allowed period to a non-allowed one.
+.Pp
+The
+.Ar tty.allow
+and
+.Ar tty.deny
+entries contain a comma-separated list of tty devices (without the /dev/ prefix)
+that a user in a class may use to access the system, and/or a list of ttygroups
+(See
+.Xr getttyent 3
+and
+.Xr ttys 5
+for information on ttygroups).
+If neither entry exists, then the choice of login device used by the user is
+unrestricted.
+If only
+.Ar tty.allow
+is specified, then the user is restricted only to ttys in the given
+group or device list.
+If only
+.Ar tty.deny
+is specified, then the user is prevented from using the specified devices or
+devices in the group.
+If both lists are given and are non-empty, the user is restricted to those
+devices allowed by tty.allow that are not available by tty.deny.
+.Sh ACCOUNTING LIMITS
+.Bl -column passwordperiod indent indent
+.Sy Name	Type	Notes	Description
+.It accounted	bool	false	Enable session time accounting for all users
+in this class.
+.It autodelete	time		Time after expiry when account is auto-deleted.
+.It bootfull	bool	false	Enable 'boot only if ttygroup is full' strategy
+when terminating sessions.
+.It daytime	time		Maximum login time per day.
+.It expireperiod	time		Time for expiry allocation.
+.It graceexpire 	time		Grace days for expired account.
+.It gracetime	time		Additional grace login time allowed.
+.It host.accounted	list		List of remote host wildcards from which
+login sessions will be accounted.
+.It host.exempt 	list		List of remote host wildcards from which
+login session accounting is exempted.
+.It idletime	time		Maximum idle time before logout.
+.It monthtime 	time		Maximum login time per month.
+.It passwordtime	time		Time for password expiry.
+.It refreshtime 	time		New time allowed on account refresh.
+.It refreshperiod	str		How often account time is refreshed.
+.It sessiontime 	time		Maximum login time per session.
+.It sessionlimit	number		Maximum number of concurrent
+login sessions on ttys in any group.
+.It tty.accounted	list		List of ttys and ttygroups for which
+login accounting is active.
+.It tty.exempt	list		List of ttys and ttygroups for which login accounting
+is exempt.
+.It warnexpire	time		Advance notice for pending account expiry.
+.It warnpassword	time		Advance notice for pending password expiry.
+.It warntime	time		Advance notice for pending out-of-time.
+.It weektime	time		Maximum login time per week.
+.El
+.Pp
+These fields are used by the time accounting system, which regulates,
+controls and records user login access.
+.Pp
+The
+.Ar ttys.accounted
+and
+.Ar ttys.exempt
+fields operate in a similar manner to ttys.allow and ttys.deny as explained
+above.
+Similarly with the
+.Ar host.accounted
+and
+.Ar host.exempt
+lists.
+.Sh SEE ALSO
+.Xr getcap 3 ,
+.Xr login_cap 3 ,
+.Xr login_class 3 ,
+.Xr getttyent 3 ,
+.Xr ttys 5 ,
+.Xr login 1 
+