D41996.id127853.diff

Index: website/content/en/status/report-2023-07-2023-09/login_classes.adoc
===================================================================
--- /dev/null
+++ website/content/en/status/report-2023-07-2023-09/login_classes.adoc
@@ -0,0 +1,37 @@
+=== Login Classes Fixes and Improvements
+
+Links: +
+https://reviews.freebsd.org/D40339[Start of the reviews stack] URL: https://reviews.freebsd.org/D40339
+
+Contact: Olivier Certner <olce.freebsd.statusreports@certner.fr>
+
+==== Context
+
+Login classes are a mechanism mainly used to set various process properties and attributes at login, depending on the user logging in and the login class he is a member of.
+A login class typically specifies resource limits, environment variables and process properties such as scheduling priority and umask.
+See man:login.conf[5] for more information.
+
+==== Changes
+
+The `priority` and `umask` capabilities now accept the `inherit` special value to explicitly request property inheritance from the login process.
+This is useful, e.g., when temporarily logging in as another user from a process with a non-default priority to ensure that processes launched by this user still have the same priority level.
+
+Users can now override the global setting for the `priority` capability (in `/etc/login.conf`) in their local configuration file (`~/.login_conf`).
+Note however that they cannot increase their priority if they aren't privileged, and that using `inherit` in this context makes no sense since the global setting is always applied first.
+
+Fixes:
+
+- Fix a bug where, when the `priority` capability specifies a realtime priority, the final priority used was off-by-one (and the numerically highest priority in the real time class (31) could never be set).
+- Security: Prevent a setuid/setgid process from applying directives from some user's `~/.login_conf` (directives there that can't be applied because of a lack of privileges could suddenly become applicable in such a process).
+
+We have also updated the relevant manual pages to reflect the new functionality and improved the description of the `priority` and `umask` capabilities in man:login.conf[5].
+
+==== Status
+
+Part of the patch series has been reviewed thanks to `kib@` and `imp@`.
+We hope to get the series into the tree soon.
+
+We plan to improve consistency by deprecating the priority reset to 0 when no value for the capability `priority` is explicitly specified, which has been the case for `umask` for 15+ years.
+
+Sponsor: Kumacom SAS (for development work) +
+Sponsor: The FreeBSD Foundation (for some of the reviews)
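
Review bot: In the Status section, the sentence about deprecating the priority reset is ambiguous: "which has been the case for `umask` for 15+ years" can be read as referring either to the reset to 0 or to the deprecation of such a reset. Suggest splitting it in two and stating outright what happens to `umask` when no value is specified, so readers know which behaviour `priority` is being aligned with. Two smaller points in the Fixes list: the first bullet writes both "realtime" and "real time" and nests parentheses, which would read better as "(so the numerically highest priority in the realtime class, 31, could never be set)"; and the Security bullet says "some user's `~/.login_conf`" without pointing to the specific review in the stack, so a direct link there would help readers who want to check whether they are affected. In Context, "the login class he is a member of" could be "they are a member of".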
