From: robert Date: Thu, 10 Feb 2022 13:06:07 +0000 (+0000) Subject: introduce support for storing capability databases in /etc/login.conf.d; X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d7bd1adbda023adc34b649ad42aaa623c0f51be4;p=openbsd introduce support for storing capability databases in /etc/login.conf.d; anytime a class is looked up, the /etc/login.conf.d/${class} file will be checked first for a matching class definition; this will allow us to easily add custom login classes from packages ok millert@
---
diff --git a/etc/mtree/4.4BSD.dist b/etc/mtree/4.4BSD.dist
index bd70f8c4a57..52fb14f67fe 100644
--- a/etc/mtree/4.4BSD.dist
+++ b/etc/mtree/4.4BSD.dist
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.319 2021/10/23 19:40:29 deraadt Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.320 2022/02/10 13:06:07 robert Exp $
 /set type=dir uname=root gname=wheel mode=0755
@@ -78,6 +78,8 @@ etc
 certs mode=0700
 ..
 ..
+ login.conf.d mode=0755
+ ..
 acme mode=0700
 ..
 mail
diff --git a/include/login_cap.h b/include/login_cap.h
index d9a4c2c349c..2af57a72c4b 100644
--- a/include/login_cap.h
+++ b/include/login_cap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: login_cap.h,v 1.17 2021/06/03 13:19:45 deraadt Exp $ */
+/* $OpenBSD: login_cap.h,v 1.18 2022/02/10 13:06:07 robert Exp $ */
 /*-
 * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
@@ -42,6 +42,7 @@
 #define LOGIN_DEFSERVICE "login"
 #define LOGIN_DEFUMASK 022
 #define _PATH_LOGIN_CONF "/etc/login.conf"
+#define _PATH_LOGIN_CONF_D "/etc/login.conf.d"
 #define _PATH_AUTHPROGDIR "/usr/libexec/auth"
 #define _PATH_AUTHPROG "/usr/libexec/auth/login_"
diff --git a/lib/libc/gen/login_cap.c b/lib/libc/gen/login_cap.c
index 862f33b2065..67933653349 100644
--- a/lib/libc/gen/login_cap.c
+++ b/lib/libc/gen/login_cap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login_cap.c,v 1.40 2021/10/24 14:40:30 deraadt Exp $ */
+/* $OpenBSD: login_cap.c,v 1.41 2022/02/10 13:06:07 robert Exp $ */
 /*
 * Copyright (c) 2000-2004 Todd C. Miller 
@@ -80,9 +80,10 @@ static int gsetrl(login_cap_t *, int, char *, int);
 login_cap_t *
 login_getclass(char *class)
 {
- char *classfiles[2] = {_PATH_LOGIN_CONF, NULL};
+ char *classfiles[] = { NULL, NULL, NULL };
+ char classpath[PATH_MAX];
 login_cap_t *lc;
- int res;
+ int res, i = 0;
 if ((lc = calloc(1, sizeof(login_cap_t))) == NULL) {
 syslog(LOG_ERR, "%s:%d malloc: %m", __FILE__, __LINE__);
@@ -91,6 +92,15 @@ login_getclass(char *class)
 if (class == NULL || class[0] == '\0')
 class = LOGIN_DEFCLASS;
+ else {
+ res = snprintf(classpath, PATH_MAX, "%s/%s",
+ _PATH_LOGIN_CONF_D, class);
+ if (res >= 0 && res < PATH_MAX)
+ classfiles[i++] = classpath;
+ }
+
+ classfiles[i++] = _PATH_LOGIN_CONF;
+ classfiles[i] = NULL;
 if ((lc->lc_class = strdup(class)) == NULL) {
 syslog(LOG_ERR, "%s:%d strdup: %m", __FILE__, __LINE__);
@@ -106,7 +116,7 @@ login_getclass(char *class)
 lc->lc_class);
 break;
 case -1:
- if ((res = open(classfiles[0], O_RDONLY)) >= 0)
+ if ((res = open(_PATH_LOGIN_CONF, O_RDONLY)) >= 0)
 close(res);
 if (strcmp(lc->lc_class, LOGIN_DEFCLASS) == 0 && res < 0)
diff --git a/share/man/man5/login.conf.5 b/share/man/man5/login.conf.5
index da935fa223e..745e27ee121 100644
--- a/share/man/man5/login.conf.5
+++ b/share/man/man5/login.conf.5
@@ -30,10 +30,10 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $OpenBSD: login.conf.5,v 1.67 2022/01/04 13:43:14 jmc Exp $
+.\" $OpenBSD: login.conf.5,v 1.68 2022/02/10 13:06:07 robert Exp $
 .\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $
 .\"
-.Dd $Mdocdate: January 4 2022 $
+.Dd $Mdocdate: February 10 2022 $
 .Dt LOGIN.CONF 5
 .Os
 .Sh NAME 
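Review bot: The path assembled by `snprintf(classpath, PATH_MAX, "%s/%s", _PATH_LOGIN_CONF_D, class)` in the second hunk does not reject a `/` inside `class`, so a class name carrying a path separator names a file outside `/etc/login.conf.d`, and that file is then searched first as a capability database. Where the class string originates is outside this hunk and some callers may already constrain it, but the lookup itself is the natural place for the guard: changing the bare `else {` to `else if (strchr(class, '/') == NULL) {` keeps the per-class lookup inside the intended directory while the fallback to `_PATH_LOGIN_CONF` stays unchanged (string functions are already in use here via strdup and strcmp). A comment above that block such as `/* a per-class file under _PATH_LOGIN_CONF_D, when present, is searched before _PATH_LOGIN_CONF */` would record the new precedence for readers of login_getclass. The call that consumes classfiles (presumably a cgetent() lookup, judging by the `case -1:` handling) sits between the second and third hunks, outside this view.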
@@ -60,6 +60,12 @@ in
 is used for any user without a valid login class in
 .Pa /etc/master.passwd .
 .Pp
+In case the
+.Pa /etc/login.conf.d/${ Ns Va class Ns }
+file exists, it will take precedence over the same login class
+defined in
+.Pa /etc/login.conf .
+.Pp
 Sites with very large
 .Pa /etc/login.conf
 files may wish to create a database version of the file,
@@ -79,7 +85,9 @@ Note that
 .Xr cap_mkdb 1
 must be run after each edit of
 .Pa /etc/login.conf
-to keep the database version in sync with the plain file.
+or the
+.Pa /etc/login.conf.d/${class}
+file to keep the database version in sync with the plain file.
 .Sh CAPABILITIES
 Refer to
 .Xr cgetent 3
@@ -916,6 +924,9 @@ option to login, respectively.
 .Bl -tag -width "/etc/login.conf"
 .It Pa /etc/login.conf
 Login class capability database.
+.It Pa /etc/login.conf.d/${ Ns Va class Ns }
+Login class capability database for the specified
+login class.
 .El
 .Sh SEE ALSO
 .Xr cap_mkdb 1 ,