login.conf
Login Class
Login classes allow you to control how many resources are allocated for each user. The limits can be edited in /etc/login.conf. For example, here is a login class created for network services:
service:\
:openfiles-cur=4096:\
:openfiles-max=8182:\
:openfiles=4096:\
:stacksize-cur=48M:\
:stacksize-max=48M:\
:maxproc-max=infinity:\
:maxproc-cur=4096:\
:tc=daemon:
WARNING: Use tabs and not spaces in login.conf. Spaces are not parsed correctly so that services will not get the file resources they need.
Each time a network service creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, the service will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.
The current and maximum stack size controls how much stack memory a user can use. We set it at 48M to give each service plenty of room.
maxproc
limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096. tc=daemon
means that the default values will come from the daemon
login class.
Now we will change username
's default login class to service
:
$ doas usermod -L service username
This can also be edited with a text editor using vipw.
To confirm that the login class has been changed, check /etc/master.passwd.
$ doas grep '^username' /etc/master.passwd
username:*:1001:1001:service:0:0:groupname:/home/username:/sbin/nologin
grep searches for the line that begins with username
in /etc/master.passwd.
The 5th field should have the correct login class name:
$ doas grep '^username' /etc/master.passwd | cut -d : -f 5
service
NOTE: If /etc/login.conf.db exists, make sure to delete it (or recreate the database), otherwise login.conf changes won't apply:
To delete:
$ doas rm /etc/login.conf.db
To create the database:
$ doas cap_mkdb /etc/login.conf
Checking Limits
You should confirm the login class has been configured correctly using ulimit.
If necessary, you may need temporarily change the login shell to ksh:
$ doas chsh -s /bin/ksh username
Next, we login with the login class username:
$ doas su -c service username
$ ulimit -a
time(cpu-seconds) unlimited
file(blocks) unlimited
coredump(blocks) unlimited
data(kbytes) 33554432
stack(kbytes) 32768
lockedmem(kbytes) 329478
memory(kbytes) 985092
nofiles(descriptors) 4096
processes 1310
ulimit -a
displays all process limits for our current user.
WARNING: If limits are not what you expect, you may have an error in your configuration!
Press ctrl+d to signal the end of file to logout
Once done, you may need to restore the login shell:
$ doas chsh -s /path/to/original/shell ngircd
Replace /path/to/original/shell
with the original shell (it may be /sbin/nologin
).
Troubleshooting
Suppose /etc/login.conf and /etc/login.conf.db are missing or deleted. You might see this error:
OpenBSD/amd64 (username.example.com) (tty00)
login: root
login: Failure to retrieve default class
The way to fix this is to reboot the system into single user mode as described in the OpenBSD FAQ.
Once you boot into single user mode, mount / and /usr partitions in read-write mode, set the correct terminal type, then edit login.conf:
# mount -rw /
# mount /usr
# export TERM=xterm
# vi /etc/login.conf
The default login.conf can be downloaded from CVSWeb, following the src -> etc -> etc.amd64 -> login.conf -> Revision 1.18 download link. Copy and paste this into /etc/login.conf, save, then quit.
If login.conf uses a database, recreate the database:
# cap_mkdb /etc/login.conf
Then reboot and login as usual:
# shutdown -r now