Index: lib/libutil/login.conf.5
===================================================================
--- lib/libutil/login.conf.5
+++ lib/libutil/login.conf.5
@@ -19,7 +19,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 8, 2011
+.Dd January 19, 2020
 .Dt LOGIN.CONF 5
 .Os
 .Sh NAME
@@ -237,6 +237,7 @@
 .It "label	string		Default MAC policy; see"
 .Xr maclabel 7 .
 .It "lang	string		Set $LANG environment variable to the specified value."
+.It "mail	string		Set $MAIL environment variable to the specified value."
 .It "manpath	path		Default search path for manpages."
 .It "nocheckmail	bool	false	Display mail status at login."
 .It "nologin	file		If the file exists it will be displayed and"
Index: lib/libutil/login_class.c
===================================================================
--- lib/libutil/login_class.c
+++ lib/libutil/login_class.c
@@ -131,6 +131,7 @@
 }, envars[] = {
     { "lang",           "LANG",       NULL, 1},
     { "charset",        "MM_CHARSET", NULL, 1},
+    { "mail",           "MAIL",       NULL, 1},
     { "timezone",       "TZ",         NULL, 1},
     { "term",           "TERM",       NULL, 0},
     { NULL,             NULL,         NULL, 0}
Index: sbin/init/init.c
===================================================================
--- sbin/init/init.c
+++ sbin/init/init.c
@@ -2053,6 +2053,7 @@
 	login_cap_t *lc;
 	if ((lc = login_getclassbyname(cname, NULL)) != NULL) {
 		setusercontext(lc, (struct passwd*)NULL, 0,
+		    LOGIN_SETENV |
 		    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES |
 		    LOGIN_SETLOGINCLASS | LOGIN_SETCPUMASK);
 		login_close(lc);
Index: usr.bin/env/Makefile
===================================================================
--- usr.bin/env/Makefile
+++ usr.bin/env/Makefile
@@ -4,4 +4,6 @@
 PROG=	env
 SRCS=	env.c envopts.c
 
+LIBADD=	util
+
 .include <bsd.prog.mk>
Index: usr.bin/env/env.1
===================================================================
--- usr.bin/env/env.1
+++ usr.bin/env/env.1
@@ -31,7 +31,7 @@
 .\" From FreeBSD: src/usr.bin/printenv/printenv.1,v 1.17 2002/11/26 17:33:35 ru Exp
 .\" $FreeBSD$
 .\"
-.Dd November 7, 2019
+.Dd January 19, 2020
 .Dt ENV 1
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl 0iv
+.Op Fl L Ns | Ns Fl U Ar user Ns Op / Ns Ar class
 .Op Fl P Ar altpath
 .Op Fl S Ar string
 .Op Fl u Ar name
@@ -76,6 +77,28 @@
 by
 .Nm
 is ignored completely.
+.\"	-L | -U
+.It Fl L | Fl U Ar user Ns Op / Ns Ar class
+Add the environment variable definitions from
+.Xr login.conf 5
+for the specified user and login class to the environment, after
+processing any
+.Fl i
+or
+.Fl u
+options, but before processing any
+.Ar name Ns = Ns Ar value
+options.
+If
+.Fl L
+is used, only the system-wide
+.Pa /etc/login.conf.db
+file is read; if
+.Fl U
+is used, then the specified user's
+.Pa ~/.login_conf
+is read as well.
+The user may be specified by name or by uid.
 .\"	-P
 .It Fl P Ar altpath
 Search the set of directories as specified by
@@ -450,6 +473,7 @@
 .Xr printenv 1 ,
 .Xr sh 1 ,
 .Xr execvp 3 ,
+.Xr login.conf 5 ,
 .Xr environ 7
 .Sh STANDARDS
 The
@@ -457,7 +481,7 @@
 utility conforms to
 .St -p1003.1-2001 .
 The
-.Fl P , S , u
+.Fl 0 , L , P , S , U , u
 and
 .Fl v
 options are non-standard extensions supported by
@@ -474,6 +498,12 @@
 .Fl v
 options were added in
 .Fx 6.0 .
+The
+.Fl 0 , L
+and
+.Fl U
+options were added in
+.Fx 13.0 .
 .Sh BUGS
 The
 .Nm
Index: usr.bin/env/env.c
===================================================================
--- usr.bin/env/env.c
+++ usr.bin/env/env.c
@@ -44,11 +44,16 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include <sys/types.h>
+
 #include <err.h>
 #include <errno.h>
+#include <login_cap.h>
+#include <pwd.h>
+#include <stdbool.h>
 #include <stdio.h>
-#include <string.h>
 #include <stdlib.h>
+#include <string.h>
 #include <unistd.h>
 
 #include "envopts.h"
@@ -71,13 +76,23 @@
 {
 	char *altpath, **ep, *p, **parg, term;
 	char *cleanenv[1];
+	char *login_class, *login_name;
+	struct passwd *pw;
+	login_cap_t *lc;
+	bool login_as_user;
+	uid_t uid;
 	int ch, want_clear;
 	int rtrn;
 
 	altpath = NULL;
+	login_class = NULL;
+	login_name = NULL;
+	pw = NULL;
+	lc = NULL;
+	login_as_user = false;
 	want_clear = 0;
 	term = '\n';
-	while ((ch = getopt(argc, argv, "-0iP:S:u:v")) != -1)
+	while ((ch = getopt(argc, argv, "-0iL:P:S:U:u:v")) != -1)
 		switch(ch) {
 		case '-':
 		case 'i':
@@ -86,6 +101,12 @@
 		case '0':
 			term = '\0';
 			break;
+		case 'U':
+			login_as_user = true;
+			/* FALLTHROUGH */
+		case 'L':
+			login_name = optarg;
+			break;
 		case 'P':
 			altpath = strdup(optarg);
 			break;
@@ -119,6 +140,48 @@
 		if (env_verbosity)
 			fprintf(stderr, "#env clearing environ\n");
 	}
+	if (login_name != NULL) {
+		login_class = strchr(login_name, '/');
+		if (login_class)
+			*login_class++ = '\0';
+		pw = getpwnam(login_name);
+		if (pw == NULL) {
+			char *endp = NULL;
+			errno = 0;
+			uid = strtoul(login_name, &endp, 10);
+			if (errno == 0 && *endp == '\0')
+				pw = getpwuid(uid);
+		}
+		if (pw == NULL)
+			errx(EXIT_FAILURE, "no such user: %s", login_name);
+		if (login_class != NULL) {
+			lc = login_getclass(login_class);
+			if (lc == NULL)
+				errx(EXIT_FAILURE, "no such login class: %s",
+				    login_class);
+		} else {
+			lc = login_getpwclass(pw);
+			if (lc == NULL)
+				errx(EXIT_FAILURE, "login_getpwclass failed");
+		}
+
+		/*
+		 * This is not done with setusercontext() because that will
+		 * try and use ~/.login_conf even when we don't want it to.
+		 */
+		setclassenvironment(lc, pw, 1);
+		setclassenvironment(lc, pw, 0);
+		if (login_as_user) {
+			login_close(lc);
+			if ((lc = login_getuserclass(pw)) != NULL) {
+				setclassenvironment(lc, pw, 1);
+				setclassenvironment(lc, pw, 0);
+			}
+		}
+		endpwent();
+		if (lc != NULL)
+			login_close(lc);
+	}
 	for (argv += optind; *argv && (p = strchr(*argv, '=')); ++argv) {
 		if (env_verbosity)
 			fprintf(stderr, "#env setenv:\t%s\n", *argv);
@@ -154,7 +217,7 @@
 usage(void)
 {
 	(void)fprintf(stderr,
-	    "usage: env [-0iv] [-P utilpath] [-S string] [-u name]\n"
+	    "usage: env [-0iv] [-L|-U user[/class]] [-P utilpath] [-S string] [-u name]\n"
 	    "           [name=value ...] [utility [argument ...]]\n");
 	exit(1);
 }
Index: usr.bin/login/login.conf
===================================================================
--- usr.bin/login/login.conf
+++ usr.bin/login/login.conf
@@ -26,7 +26,8 @@
 	:passwd_format=sha512:\
 	:copyright=/etc/COPYRIGHT:\
 	:welcome=/var/run/motd:\
-	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
+	:setenv=BLOCKSIZE=K:\
+	:mail=/var/mail/$:\
 	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
 	:nologin=/var/run/nologin:\
 	:cputime=unlimited:\
@@ -61,6 +62,8 @@
 staff:\
 	:tc=default:
 daemon:\
+	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
+	:mail@:\
 	:memorylocked=128M:\
 	:tc=default:
 news:\
Index: usr.sbin/cron/cron/do_command.c
===================================================================
--- usr.sbin/cron/cron/do_command.c
+++ usr.sbin/cron/cron/do_command.c
@@ -43,6 +43,8 @@
 
 static WAIT_T		wait_on_child(PID_T, const char *);
 
+extern char	*environ;
+
 void
 do_command(e, u)
 	entry	*e;
@@ -285,9 +287,11 @@
 		 */
 		do_univ(u);
 
+		environ = NULL;
+
 # if defined(LOGIN_CAP)
-		/* Set user's entire context, but skip the environment
-		 * as cron provides a separate interface for this
+		/* Set user's entire context, but note that PATH will
+		 * be overridden later
 		 */
 		if ((pwd = getpwnam(usernm)) == NULL)
 			pwd = getpwuid(e->uid);
@@ -299,7 +303,7 @@
 		}
 		if (pwd &&
 		    setusercontext(lc, pwd, e->uid,
-			    LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
+			    LOGIN_SETALL) == 0)
 			(void) endpwent();
 		else {
 			/* fall back to the old method */
@@ -342,6 +346,18 @@
 		 */
 		{
 			char	*shell = env_get("SHELL", e->envp);
+			char	**p;
+
+			/* Apply the environment from the entry, overriding existing
+			 * values (this will always set PATH, LOGNAME, etc.) putenv
+			 * should not fail unless malloc does.
+			 */
+			for (p = e->envp; *p; ++p) {
+				if (putenv(*p) != 0) {
+					warn("putenv");
+					_exit(ERROR_EXIT);
+				}
+			}
 
 # if DEBUGGING
 			if (DebugFlags & DTEST) {
@@ -352,9 +368,8 @@
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
-			execle(shell, shell, "-c", e->cmd, (char *)NULL,
-			    e->envp);
-			warn("execle: couldn't exec `%s'", shell);
+			execl(shell, shell, "-c", e->cmd, (char *)NULL);
+			warn("execl: couldn't exec `%s'", shell);
 			_exit(ERROR_EXIT);
 		}
 		break;
Index: usr.sbin/cron/crontab/crontab.5
===================================================================
--- usr.sbin/cron/crontab/crontab.5
+++ usr.sbin/cron/crontab/crontab.5
@@ -17,7 +17,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 24, 2019
+.Dd January 19, 2020
 .Dt CRONTAB 5
 .Os
 .Sh NAME
@@ -82,10 +82,18 @@
 are set from the
 .Pa /etc/passwd
 line of the crontab's owner.
+In addition, the environment variables of the
+user's login class, with the exception of
+.Ev PATH ,
+will be set from
+.Pa /etc/login.conf.db
+and
+.Pa ~/.login_conf .
 .Ev HOME ,
 .Ev PATH
 and
-.Ev SHELL
+.Ev SHELL ,
+and any variables set from the login class,
 may be overridden by settings in the crontab;
 .Ev LOGNAME
 may not.
Index: usr.sbin/service/service.sh
===================================================================
--- usr.sbin/service/service.sh
+++ usr.sbin/service/service.sh
@@ -165,7 +165,7 @@
 for dir in /etc/rc.d $local_startup; do
 	if [ -x "$dir/$script" ]; then
 		[ -n "$VERBOSE" ] && echo "$script is located in $dir"
-		exec env -i HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin $dir/$script "$@"
+		exec env -i -L 0/daemon HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin "$dir/$script" "$@"
 	fi
 done