diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -37,6 +37,7 @@
 #include <login_cap.h>
 #include <paths.h>
 #include <pwd.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -384,17 +385,40 @@
  * Private function which takes care of processing
  */
 
-static mode_t
-setlogincontext(login_cap_t *lc, const struct passwd *pwd,
-		mode_t mymask, unsigned long flags)
+static void
+setlogincontext(login_cap_t *lc, const struct passwd *pwd, unsigned long flags)
 {
     if (lc) {
 	/* Set resources */
 	if (flags & LOGIN_SETRESOURCES)
 	    setclassresources(lc);
 	/* See if there's a umask override */
-	if (flags & LOGIN_SETUMASK)
-	    mymask = (mode_t)login_getcapnum(lc, "umask", mymask, mymask);
+	if (flags & LOGIN_SETUMASK) {
+	    /*
+	     * Make it unlikely that someone would input our default sentinel
+	     * indicating no specification.
+	     */
+	    const rlim_t def_val = INT64_MIN + 1, err_val = INT64_MIN;
+	    const rlim_t val = login_getcapnum(lc, "umask", def_val, err_val);
+
+	    if (val != def_val) {
+		if (val < 0 || val > UINT16_MAX) {
+		    /* We get here also on 'err_val'. */
+		    syslog(LOG_WARNING,
+			"%s%s%sLogin class '%s': "
+			"Invalid umask specification: '%s'",
+			pwd ? "Login '" : "",
+			pwd ? pwd->pw_name : "",
+			pwd ? "': " : "",
+			lc->lc_class,
+			login_getcapstr(lc, "umask", "", ""));
+		} else {
+		    const mode_t mode = val;
+
+		    umask(mode);
+		}
+	    }
+	}
 	/* Set paths */
 	if (flags & LOGIN_SETPATH)
 	    setclassenvironment(lc, pwd, 1);
@@ -405,7 +429,6 @@
 	if (flags & LOGIN_SETCPUMASK)
 	    setclasscpumask(lc);
     }
-    return (mymask);
 }
 
 
@@ -428,7 +451,6 @@
 setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags)
 {
     rlim_t	p;
-    mode_t	mymask;
     login_cap_t *llc = NULL;
     struct rtprio rtp;
     int error;
@@ -532,8 +554,7 @@
 	}
     }
 
-    mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0;
-    mymask = setlogincontext(lc, pwd, mymask, flags);
+    setlogincontext(lc, pwd, flags);
     login_close(llc);
 
     /* This needs to be done after anything that needs root privs */
@@ -546,13 +567,9 @@
      * Now, we repeat some of the above for the user's private entries
      */
     if (geteuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
-	mymask = setlogincontext(lc, pwd, mymask, flags);
+	setlogincontext(lc, pwd, flags);
 	login_close(lc);
     }
 
-    /* Finally, set any umask we've found */
-    if (flags & LOGIN_SETUMASK)
-	umask(mymask);
-
     return (0);
 }