-# $OpenBSD: 4.4BSD.dist,v 1.319 2021/10/23 19:40:29 deraadt Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.320 2022/02/10 13:06:07 robert Exp $
/set type=dir uname=root gname=wheel mode=0755
certs mode=0700
..
..
+ login.conf.d mode=0755
+ ..
acme mode=0700
..
mail
-/* $OpenBSD: login_cap.h,v 1.17 2021/06/03 13:19:45 deraadt Exp $ */
+/* $OpenBSD: login_cap.h,v 1.18 2022/02/10 13:06:07 robert Exp $ */
/*-
* Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
#define LOGIN_DEFSERVICE "login"
#define LOGIN_DEFUMASK 022
#define _PATH_LOGIN_CONF "/etc/login.conf"
+#define _PATH_LOGIN_CONF_D "/etc/login.conf.d"
#define _PATH_AUTHPROGDIR "/usr/libexec/auth"
#define _PATH_AUTHPROG "/usr/libexec/auth/login_"
-/* $OpenBSD: login_cap.c,v 1.40 2021/10/24 14:40:30 deraadt Exp $ */
+/* $OpenBSD: login_cap.c,v 1.41 2022/02/10 13:06:07 robert Exp $ */
/*
* Copyright (c) 2000-2004 Todd C. Miller <millert@openbsd.org>
login_cap_t *
login_getclass(char *class)
{
- char *classfiles[2] = {_PATH_LOGIN_CONF, NULL};
+ char *classfiles[] = { NULL, NULL, NULL };
+ char classpath[PATH_MAX];
login_cap_t *lc;
- int res;
+ int res, i = 0;
if ((lc = calloc(1, sizeof(login_cap_t))) == NULL) {
syslog(LOG_ERR, "%s:%d malloc: %m", __FILE__, __LINE__);
if (class == NULL || class[0] == '\0')
class = LOGIN_DEFCLASS;
+ else {
+ res = snprintf(classpath, PATH_MAX, "%s/%s",
+ _PATH_LOGIN_CONF_D, class);
+ if (res >= 0 && res < PATH_MAX)
+ classfiles[i++] = classpath;
+ }
+
+ classfiles[i++] = _PATH_LOGIN_CONF;
+ classfiles[i] = NULL;
if ((lc->lc_class = strdup(class)) == NULL) {
syslog(LOG_ERR, "%s:%d strdup: %m", __FILE__, __LINE__);
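Review bot: `class` is spliced into the path by `snprintf(classpath, PATH_MAX, "%s/%s", _PATH_LOGIN_CONF_D, class)` with no check that it is a single file name, so a value containing `/` would make the lookup read a capability file from outside `/etc/login.conf.d`. Whether any caller can pass an untrusted class name is not visible here, but login_getclass() is a library entry point, so guarding the branch seems safer: `else if (strchr(class, '/') == NULL) {`, falling back to `_PATH_LOGIN_CONF` alone otherwise. Separately, a NULL or empty `class` is mapped to LOGIN_DEFCLASS without building a `login.conf.d` path, while an explicit "default" argument does get one; a short comment saying whether that asymmetry is intended would help, since the manual text added in this commit reads as if the per-class file always takes precedence. The function body starts and ends outside this hunk.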
lc->lc_class);
break;
case -1:
- if ((res = open(classfiles[0], O_RDONLY)) >= 0)
+ if ((res = open(_PATH_LOGIN_CONF, O_RDONLY)) >= 0)
close(res);
if (strcmp(lc->lc_class, LOGIN_DEFCLASS) == 0 &&
res < 0)
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $OpenBSD: login.conf.5,v 1.67 2022/01/04 13:43:14 jmc Exp $
+.\" $OpenBSD: login.conf.5,v 1.68 2022/02/10 13:06:07 robert Exp $
.\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $
.\"
-.Dd $Mdocdate: January 4 2022 $
+.Dd $Mdocdate: February 10 2022 $
.Dt LOGIN.CONF 5
.Os
.Sh NAME
is used for any user without a valid login class in
.Pa /etc/master.passwd .
.Pp
+In case the
+.Pa /etc/login.conf.d/${ Ns Va class Ns }
+file exists, it will take precedence over the same login class
+defined in
+.Pa /etc/login.conf .
+.Pp
Sites with very large
.Pa /etc/login.conf
files may wish to create a database version of the file,
.Xr cap_mkdb 1
must be run after each edit of
.Pa /etc/login.conf
-to keep the database version in sync with the plain file.
+or the
+.Pa /etc/login.conf.d/${class}
+file to keep the database version in sync with the plain file.
.Sh CAPABILITIES
Refer to
.Xr cgetent 3
.Bl -tag -width "/etc/login.conf"
.It Pa /etc/login.conf
Login class capability database.
+.It Pa /etc/login.conf.d/${ Ns Va class Ns }
+Login class capability database for the specified
+login class.
.El
.Sh SEE ALSO
.Xr cap_mkdb 1 ,