From 561d61ca9003b106f692edbd6d4436e480ad2554 Mon Sep 17 00:00:00 2001 From: David Nugent Date: Sun, 5 Jan 1997 03:24:45 +0000 Subject: [PATCH] Add missing manpage for login.conf. --- lib/libutil/login.conf.5 | 361 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 lib/libutil/login.conf.5 diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5 new file mode 100644 index 000000000000..71b5cfb9e263 --- /dev/null +++ b/lib/libutil/login.conf.5 
@@ -0,0 +1,361 @@ +.\" Copyright (c) 1996 David Nugent +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, is permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice immediately at the beginning of the file, without modification, +.\" this list of conditions, and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. This work was done expressly for inclusion into FreeBSD. Other use +.\" is permitted provided this notation is included. +.\" 4. Absolutely no warranty of function or purpose is made by the author +.\" David Nugent. +.\" 5. Modifications may be freely made to this file providing the above +.\" conditions are met. +.\" +.\" $Id$ +.\" +.Dd November 22, 1996 +.Dt LOGIN.CONF 5 +.Os FreeBSD +.Sh NAME +.Nm login.conf +.Nd login class capability database +.Sh SYNOPSIS +.Pa /etc/login.conf , +.Pa ~/.login.conf +.Sh DESCRIPTION +login.conf contains various attributes and capabilities of login classes. +A login class (an optional annotation against each record in the user +account database, +.Pa /etc/master.passwd ) +determines session accounting, resource limits and user environment settings. +It is used by various programs in the system to set up a user's login +environment and to enforce policy, accounting and administrative restrictions. +It also provides the means by which users are able to be +authenticated to the system and the types of authentication available. +.Pp +A special record "default" in the system user class capability database +.Pa /etc/login.conf +is used automatically for any +non-root user without a valid login class in +.Pa /etc/master.passwd . 
+A user with a uid of 0 without a valid login class will use the record +"root" if it exists, or "default" if not. +.Pp +In FreeBSD, users may individually create a file called +.Pa .login.conf +in their home directory using the same format, consisting of a single +entry with a recordid of "me". +If present, this file is used by +.Xr login 1 +to set user-defined environment settings which override those specified +in the system login capabilities database. +Only a subset of login capabilities may be overridden, typically those +which do not involve authentication, resource limits and accounting. +.Pp +Records in a class capabilities database consist of a number of +colon-separated fields. +The first entry for each record gives one or more names that a record is +to be known by, each separated by a '|' character. +The first name is the most common abbreviation. +The last name given should be a long name that is more descriptive +of the capability entry, and all others are synonyms. +All names but the last should be in lower case and contain no blanks; +the last name may contain upper case characters and blanks for +readability. +.Pp +See +.Xr getcap 3 +for a more in-depth description of the format of a capability database. +.Sh CAPABILITIES +Fields within each record in the database follow the +.Xr getcap 3 +conventions for boolean, type string +.Ql \&= +and type numeric +.Ql \&# , +although type numeric is depreciated in favour of the string format and +either form is accepted for a numeric datum. +Values fall into the following categories: +.Bl -tag -width "program" +.It file +Path name to a data file +.It program +Path name to an executable file +.It list +A list of values (or pairs of values) separated by commas or spaces +.It path +A space or comma separated list of path names, following the usual csh +conventions (leading tilde with and without username being expanded to +home directories etc.) 
+.It number +A numeric value, either decimal (default), hexadecimal (with leading 0x), +or octal (with a leading 0). +With a numeric type, only one numeric value is allowed. +Numeric types may also be specified in string format (ie. the capability +tag being delimited from the value by '=' instead of '#'). +Whichever method is used, then all records in the database must use the +same method to allow values to be correctly overridden in interpolated +records. +.It size +A number which expresses a size. +The default interpretation of a value is the number of bytes, but a +suffix may specify alternate units: +.Bl -tag -offset indent -compact -width xxxx +.It b +explicitly selects 512-byte blocks +.It k +selects kilobytes (1024 bytes) +.It m +specifies a multiplier of 1 megabyte (1038476 bytes), +.It g +specifies units of gigabytes, and +.It t +represents terrabytes. +.El +A size value is a numeric quantity and case of the suffix is not significant. +Concatenated values are added together. +.It time +A period of time, by default in seconds. +A prefix may specify a different unit; +.Bl -tag -offset indent -compact -width xxxx +.It y +indicates the number of 365 day years, +.It w +indicates the number of weeks, +.It d +the number of days, +.It h +the number of minutes, and +.It s +the number of seconds. +.El +Concatenated values are added together. +For example, 2 hours and 40 minutes may be written either as +9600s, 160m or 2h40m. +.El +.Pp +The usual convention to interpolate capability entries using the special +.Em tc=value +notation may be used. +.Pp +.Sh RESOURCE LIMITS +.Bl -column coredumpsize indent indent +.Sy Name Type Notes Description +.It cputime time CPU usage limit. +.It filesize size Maximum file size limit. +.It datasize size Maximum data size limit. +.It stacksize size Maximum stack size limit. +.It coredumpsize size Maximum coredump size limit. +.It memoryuse size Maximum of core memory use size limit. 
+.It memorylocked size Maximum locked in core memory size limit. +.It maxproc number Maximum number of processes. +.It openfiles number Maximum number of open files per process. +.El +.Pp +These resource limit entries actually specify both the maximum +and current limits (see +.Xr getrlimit 2 ). +The current (soft) limit is the one normally used, although the user is permitted +to increase the current limit to the maximum (hard) limit. +The maximum and current limits may be specified individually by appending a +-max or -cur to the capability name. +.Pp +.Sh ENVIRONMENT +.Bl -column ignorenologin indent xbinxxusrxbin +.Sy Name Type Notes Description +.It charset string Set $MM_CHARSET environment variable to the specified +value. +.It hushlogin bool false Same as having a ~/.hushlogin file. +.It ignorenologin bool false Login not prevented by nologin. +.It lang string Set $LANG environment variable to the specified value. +.It manpath path Default search path for manpages. +.It nologin file If the file exists it will be displayed and +the login session will be terminated. +.It path path /bin /usr/bin Default search path. +.It priority number Initial priority (nice) level. +.It requirehome bool false Require a valid home directory to login. +.It setenv list A comma-separated list of environment variables and +values to which they are to be set. +.It shell prog Session shell to execute rather than the +shell specified in the passwd file. The SHELL environment variable will +contain the shell specified in the password file. +.It term string su Default terminal type if not able to determine from +other means. +.It timezone string Default value of $TZ environment variable. +.It umask number 022 Initial umask. Should always have a leading 0 to +ensure octal interpretation. +.It welcome file /etc/motd File containing welcome message. 
+.El +.Pp +.Sh AUTHENTICATION +.Bl -column minpasswordlen indent indent +.Sy Name Type Notes Description +.It minpasswordlen number 6 The minimum length a local password may be. +.\" .It approve program Program to approve login. +.It auth list passwd Allowed authentication styles. The first value is the +default style. +.It auth- list Allowed authentication styles for the +authentication type 'type'. +.It copyright file File containing additional copyright information +.\".It widepasswords bool false Use the wide password format. The wide password +.\" format allows up to 128 significant characters in the password. +.It host.allow list List of remote host wildcards from which users in +the class may access. +.It host.deny list List of remote host wildcards from which users in +the class may not access. +.It times.allow list List of time periods during which +logins are allowed. +.It times.deny list List of time periods during which logins are +disallowed. +.It tty.allow list List of ttys and ttygroups which users +in the class may use for access. +.It tty.deny list List of ttys and ttygroups which users +in the class may not use for access. +.El +.Pp +These fields are intended to be used by +.Xr passwd 1 +and other programs in the login authentication system. +.Pp +Capabilities that set environment variables are scanned for both +.Ql \&~ +and +.Ql \&$ +characters, which are substituted for a user's home directory and name +respectively. +To pass these characters literally into the environment variable, escape +the character by preceding it with a backslash '\\'. +.Pp +The +.Ar host.allow +and +.Ar host.deny +entries are comma separated lists used for checking remote access to the system, +and consist of a list of hostnames and/or IP addresses against which remote +network logins are checked. +Items in these lists may contain wildcards in the form used by shell programs +for wildcard matching (See +.Xr fnmatch 3 +for details on the implementation). 
+The check on hosts is made against both the remote system's internet address +and hostname (if available). +If both lists are empty or not specified, then logins from any remote host +are allowed. +If host.allow contains one or more hosts, then only remote systems matching +any of the items in that list are allowed to log in. +If host.deny contains one or more hosts, then a login from any matching hosts +will be disallowed. +.Pp +The +.Ar times.allow +and +.Ar times.deny +entries consist of a comma-separated list of time periods during which the users +in a class are allowed to be logged in. +These are expressed as one or more day codes followed by a start and end times +expressed in 24 hour fromat, separated by a hyphen or dash. +For example, MoThSa0200-1300 translates to monday, thursday and saturday between +the hours of 2 am and 1 pm. +If both of these time lists are empty, users in the class are allowed access at +any time. +If +.Ar times.allow +is specified, then logins are only allowed during the periods given. +If +.Ar times.deny +is specified, then logins are denied during the periods given, regardless of whether +one of the periods specified in +.Ar times.allow +applies. +.Pp +Note that +.Xr login 1 +enforces only that the actual login falls within periods allowed by these entries. +Further enforcement over the life of a session requires a separate daemon to +monitor transitions from an allowed period to a non-allowed one. +.Pp +The +.Ar tty.allow +and +.Ar tty.deny +entries contain a comma-separated list of tty devices (without the /dev/ prefix) +that a user in a class may use to access the system, and/or a list of ttygroups +(See +.Xr getttyent 3 +and +.Xr ttys 5 +for information on ttygroups). +If neither entry exists, then the choice of login device used by the user is +unrestricted. +If only +.Ar tty.allow +is specified, then the user is restricted only to ttys in the given +group or device list. 
+If only +.Ar tty.deny +is specified, then the user is prevented from using the specified devices or +devices in the group. +If both lists are given and are non-empty, the user is restricted to those +devices allowed by tty.allow that are not available by tty.deny. +.Sh ACCOUNTING LIMITS +.Bl -column passwordperiod indent indent +.Sy Name Type Notes Description +.It accounted bool false Enable session time accounting for all users +in this class. +.It autodelete time Time after expiry when account is auto-deleted. +.It bootfull bool false Enable 'boot only if ttygroup is full' strategy +when terminating sessions. +.It daytime time Maximum login time per day. +.It expireperiod time Time for expiry allocation. +.It graceexpire time Grace days for expired account. +.It gracetime time Additional grace login time allowed. +.It host.accounted list List of remote host wildcards from which +login sessions will be accounted. +.It host.exempt list List of remote host wildcards from which +login session accounting is exempted. +.It idletime time Maximum idle time before logout. +.It monthtime time Maximum login time per month. +.It passwordtime time Time for password expiry. +.It refreshtime time New time allowed on account refresh. +.It refreshperiod str How often account time is refreshed. +.It sessiontime time Maximum login time per session. +.It sessionlimit number Maximum number of concurrent +login sessions on ttys in any group. +.It tty.accounted list List of ttys and ttygroups for which +login accounting is active. +.It tty.exempt list List of ttys and ttygroups for which login accounting +is exempt. +.It warnexpire time Advance notice for pending account expiry. +.It warnpassword time Advance notice for pending password expiry. +.It warntime time Advance notice for pending out-of-time. +.It weektime time Maximum login time per week. +.El +.Pp +These fields are used by the time accounting system, which regulates, +controls and records user login access. 
+.Pp +The +.Ar ttys.accounted +and +.Ar ttys.exempt +fields operate in a similar manner to ttys.allow and ttys.deny as explained +above. +Similarly with the +.Ar host.accounted +and +.Ar host.exempt +lists. +.Sh SEE ALSO +.Xr getcap 3 , +.Xr login_cap 3 , +.Xr login_class 3 , +.Xr getttyent 3 , +.Xr ttys 5 , +.Xr login 1 +
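Review bot: the time-unit list under "time" in the CAPABILITIES section of the new login.conf.5 documents `h` as "the number of minutes" and has no `m` entry at all, although the example immediately below uses `160m` and `2h40m`; since these units feed times.allow/times.deny and the accounting limits (idletime, sessiontime, passwordtime, warnexpire), an administrator working from the table as written could set a policy that is off by a factor of sixty. Suggest changing the pair `.It h` / `the number of minutes, and` to say "hours" and adding an `.It m` / "the number of minutes, and" entry before `.It s`. In the same section, `specifies a multiplier of 1 megabyte (1038476 bytes),` should read 1048576, and "terrabytes", "depreciated" and (in the times.allow paragraph) "fromat" are misspellings of terabytes, deprecated and format. The `.It auth-` entry in the AUTHENTICATION table also appears to have lost the per-type suffix that its own description ("for the authentication type 'type'") refers to, so the capability name should be completed to match. Finally, the closing paragraph refers to ttys.accounted, ttys.exempt, ttys.allow and ttys.deny, while the tables define these capabilities as tty.accounted, tty.exempt, tty.allow and tty.deny; the table names are the ones a reader will type into login.conf, so the prose should use them, and a mismatch here is easy to miss because a misspelled capability silently falls back to the unrestricted default.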