Date: Thu, 28 Sep 2023 13:27:51 GMT
Message-Id: <202309281327.38SDRpW3072004@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore
Subject: git: b627b8a0de - main - Status/2023Q3/login_classes.adoc: Add report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b627b8a0def61566ad3b9963a76e9be31f2d0ac3
Auto-Submitted: auto-generated

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=b627b8a0def61566ad3b9963a76e9be31f2d0ac3

commit b627b8a0def61566ad3b9963a76e9be31f2d0ac3
Author:     Olivier Certner
AuthorDate: 2023-09-28 12:39:41 +0000
Commit:     Lorenzo Salvadore
CommitDate: 2023-09-28 12:42:21 +0000

    Status/2023Q3/login_classes.adoc: Add report

    Differential Revision: https://reviews.freebsd.org/D41996
---
 .../report-2023-07-2023-09/login_classes.adoc | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/website/content/en/status/report-2023-07-2023-09/login_classes.adoc b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc new file mode 100644 index 0000000000..d7158bcac7 --- /dev/null +++ b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc 
@@ -0,0 +1,37 @@ +=== Login Classes Fixes and Improvements + +Links: + +link:https://reviews.freebsd.org/D40339[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40339[] + +Contact: Olivier Certner + +==== Context + +Login classes are a mechanism mainly used to set various process properties and attributes at login, depending on the user logging in and the login class he is a member of. +A login class typically specifies resource limits, environment variables and process properties such as scheduling priority and umask. +See man:login.conf[5] for more information. + +==== Changes + +The `priority` and `umask` capabilities now accept the `inherit` special value to explicitly request property inheritance from the login process. +This is useful, e.g., when temporarily logging in as another user from a process with a non-default priority to ensure that processes launched by this user still have the same priority level. + +Users can now override the global setting for the `priority` capability (in [.filename]#/etc/login.conf#) in their local configuration file ([.filename]#~/.login_conf#). +Note however that they cannot increase their priority if they are not privileged, and that using `inherit` in this context makes no sense since the global setting is always applied first. + +Fixes: + +- Fix a bug where, when the `priority` capability specifies a realtime priority, the final priority used was off-by-one (and the numerically highest priority in the real time class (31) could never be set). +- Security: Prevent a setuid/setgid process from applying directives from some user's [.filename]#~/.login_conf# (directives there that cannot be applied because of a lack of privileges could suddenly become applicable in such a process). + +We have also updated the relevant manual pages to reflect the new functionality and improved the description of the `priority` and `umask` capabilities in man:login.conf[5]. 
+ +==== Status + +Some of the patches in the series have been reviewed thanks to mailto:kib@FreeBSD.org[Konstantin Belousov] and mailto:imp@FreeBSD.org[Warner Losh]. +Other patches are waiting for reviews (and reviewers, volunteers welcome!) which are not expected to be labored ones. + +We plan to improve consistency by deprecating the priority reset to 0 when no value for the capability `priority` is explicitly specified, which has been the case for `umask` for 15+ years. + +Sponsor: Kumacom SAS (for development work) + +Sponsor: The FreeBSD Foundation (for some reviews)
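Review bot: In the Fixes list, the "Security:" bullet does not say whether the setuid/setgid fix has been committed, and the Status section only says that some patches in the series have been reviewed while others are still waiting, so a reader cannot tell from this report whether a given system still applies ~/.login_conf directives in setuid/setgid processes. I would state the status of that fix explicitly, and link its own review rather than only the start of the stack (D40339). The same bullet's parenthetical, "could suddenly become applicable in such a process", leaves the reader to work out why; one clause saying what changes in a setuid/setgid process would make the risk clear. Smaller points: the realtime bullet spells the term both "realtime" and "real time"; in Context, "the login class he is a member of" could read "they are a member of"; "which are not expected to be labored ones" is hard to parse; and in the last Status sentence, "which has been the case for `umask` for 15+ years" has an ambiguous referent (the deprecation, or the absence of a reset).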