Date: Thu, 28 Sep 2023 13:27:51 GMT From: Lorenzo Salvadore <salvadore@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: b627b8a0de - main - Status/2023Q3/login_classes.adoc: Add report Message-ID: <202309281327.38SDRpW3072004@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=b627b8a0def61566ad3b9963a76e9be31f2d0ac3 commit b627b8a0def61566ad3b9963a76e9be31f2d0ac3 Author: Olivier Certner <olce.freebsd@certner.fr> AuthorDate: 2023-09-28 12:39:41 +0000 Commit: Lorenzo Salvadore <salvadore@FreeBSD.org> CommitDate: 2023-09-28 12:42:21 +0000 Status/2023Q3/login_classes.adoc: Add report Differential Revision: https://reviews.freebsd.org/D41996 --- .../report-2023-07-2023-09/login_classes.adoc | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/website/content/en/status/report-2023-07-2023-09/login_classes.adoc b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc new file mode 100644 index 0000000000..d7158bcac7 --- /dev/null +++ b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc @@ -0,0 +1,37 @@ +=== Login Classes Fixes and Improvements + +Links: + +link:https://reviews.freebsd.org/D40339[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40339[] + +Contact: Olivier Certner <olce.freebsd.statusreports@certner.fr> + +==== Context + +Login classes are a mechanism mainly used to set various process properties and attributes at login, depending on the user logging in and the login class he is a member of. +A login class typically specifies resource limits, environment variables and process properties such as scheduling priority and umask. +See man:login.conf[5] for more information. + +==== Changes + +The `priority` and `umask` capabilities now accept the `inherit` special value to explicitly request property inheritance from the login process. +This is useful, e.g., when temporarily logging in as another user from a process with a non-default priority to ensure that processes launched by this user still have the same priority level. + +Users can now override the global setting for the `priority` capability (in [.filename]#/etc/login.conf#) in their local configuration file ([.filename]#~/.login_conf#). +Note however that they cannot increase their priority if they are not privileged, and that using `inherit` in this context makes no sense since the global setting is always applied first. + +Fixes: + +- Fix a bug where, when the `priority` capability specifies a realtime priority, the final priority used was off-by-one (and the numerically highest priority in the real time class (31) could never be set). +- Security: Prevent a setuid/setgid process from applying directives from some user's [.filename]#~/.login_conf# (directives there that cannot be applied because of a lack of privileges could suddenly become applicable in such a process). + +We have also updated the relevant manual pages to reflect the new functionality and improved the description of the `priority` and `umask` capabilities in man:login.conf[5]. + +==== Status + +Some of the patches in the series have been reviewed thanks to mailto:kib@FreeBSD.org[Konstantin Belousov] and mailto:imp@FreeBSD.org[Warner Losh]. +Other patches are waiting for reviews (and reviewers, volunteers welcome!) which are not expected to be labored ones. + +We plan to improve consistency by deprecating the priority reset to 0 when no value for the capability `priority` is explicitly specified, which has been the case for `umask` for 15+ years. + +Sponsor: Kumacom SAS (for development work) + +Sponsor: The FreeBSD Foundation (for some reviews)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202309281327.38SDRpW3072004>