Diffstat (limited to 'lib/libutil')
-rw-r--r--  lib/libutil/login.conf.5  | 364 -
-rw-r--r--  lib/libutil/login_auth.3  |  71 -
-rw-r--r--  lib/libutil/login_ok.3    | 138 -
-rw-r--r--  lib/libutil/login_times.3 | 155 -
4 files changed, 0 insertions, 728 deletions
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5 deleted file mode 100644 index d56e94f599783..0000000000000 --- a/lib/libutil/login.conf.5 +++ /dev/null 
@@ -1,364 +0,0 @@ -.\" Copyright (c) 1996 David Nugent <davidn@blaze.net.au> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, is permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice immediately at the beginning of the file, without modification, -.\" this list of conditions, and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. This work was done expressly for inclusion into FreeBSD. Other use -.\" is permitted provided this notation is included. -.\" 4. Absolutely no warranty of function or purpose is made by the author -.\" David Nugent. -.\" 5. Modifications may be freely made to this file providing the above -.\" conditions are met. -.\" -.\" $Id$ -.\" -.Dd November 22, 1996 -.Dt LOGIN.CONF 5 -.Os FreeBSD -.Sh NAME -.Nm login.conf -.Nd login class capability database -.Sh SYNOPSIS -.Pa /etc/login.conf , -.Pa ~/.login_conf -.Sh DESCRIPTION -login.conf contains various attributes and capabilities of login classes. -A login class (an optional annotation against each record in the user -account database, -.Pa /etc/master.passwd ) -determines session accounting, resource limits and user environment settings. -It is used by various programs in the system to set up a user's login -environment and to enforce policy, accounting and administrative restrictions. -It also provides the means by which users are able to be -authenticated to the system and the types of authentication available. -.Pp -A special record "default" in the system user class capability database -.Pa /etc/login.conf -is used automatically for any -non-root user without a valid login class in -.Pa /etc/master.passwd . 
-A user with a uid of 0 without a valid login class will use the record -"root" if it exists, or "default" if not. -.Pp -In FreeBSD, users may individually create a file called -.Pa .login_conf -in their home directory using the same format, consisting of a single -entry with a record id of "me". -If present, this file is used by -.Xr login 1 -to set user-defined environment settings which override those specified -in the system login capabilities database. -Only a subset of login capabilities may be overridden, typically those -which do not involve authentication, resource limits and accounting. -.Pp -Records in a class capabilities database consist of a number of -colon-separated fields. -The first entry for each record gives one or more names that a record is -to be known by, each separated by a '|' character. -The first name is the most common abbreviation. -The last name given should be a long name that is more descriptive -of the capability entry, and all others are synonyms. -All names but the last should be in lower case and contain no blanks; -the last name may contain upper case characters and blanks for -readability. -.Pp -See -.Xr getcap 3 -for a more in-depth description of the format of a capability database. -.Sh CAPABILITIES -Fields within each record in the database follow the -.Xr getcap 3 -conventions for boolean, type string -.Ql \&= -and type numeric -.Ql \&# , -although type numeric is depreciated in favour of the string format and -either form is accepted for a numeric datum. -Values fall into the following categories: -.Bl -tag -width "program" -.It file -Path name to a data file -.It program -Path name to an executable file -.It list -A list of values (or pairs of values) separated by commas or spaces -.It path -A space or comma separated list of path names, following the usual csh -conventions (leading tilde with and without username being expanded to -home directories etc.) 
-.It number -A numeric value, either decimal (default), hexadecimal (with leading 0x), -or octal (with a leading 0). -With a numeric type, only one numeric value is allowed. -Numeric types may also be specified in string format (ie. the capability -tag being delimited from the value by '=' instead of '#'). -Whichever method is used, then all records in the database must use the -same method to allow values to be correctly overridden in interpolated -records. -.It size -A number which expresses a size. -The default interpretation of a value is the number of bytes, but a -suffix may specify alternate units: -.Bl -tag -offset indent -compact -width xxxx -.It b -explicitly selects 512-byte blocks -.It k -selects kilobytes (1024 bytes) -.It m -specifies a multiplier of 1 megabyte (1048576 bytes), -.It g -specifies units of gigabytes, and -.It t -represents terrabytes. -.El -A size value is a numeric quantity and case of the suffix is not significant. -Concatenated values are added together. -.It time -A period of time, by default in seconds. -A prefix may specify a different unit; -.Bl -tag -offset indent -compact -width xxxx -.It y -indicates the number of 365 day years, -.It w -indicates the number of weeks, -.It d -the number of days, -.It h -the number of minutes, and -.It s -the number of seconds. -.El -Concatenated values are added together. -For example, 2 hours and 40 minutes may be written either as -9600s, 160m or 2h40m. -.El -.Pp -The usual convention to interpolate capability entries using the special -.Em tc=value -notation may be used. -.Pp -.Sh RESOURCE LIMITS -.Bl -column coredumpsize indent indent -.Sy Name Type Notes Description -.It cputime time CPU usage limit. -.It filesize size Maximum file size limit. -.It datasize size Maximum data size limit. -.It stacksize size Maximum stack size limit. -.It coredumpsize size Maximum coredump size limit. -.It memoryuse size Maximum of core memory use size limit. 
-.It memorylocked size Maximum locked in core memory size limit. -.It maxproc number Maximum number of processes. -.It openfiles number Maximum number of open files per process. -.El -.Pp -These resource limit entries actually specify both the maximum -and current limits (see -.Xr getrlimit 2 ). -The current (soft) limit is the one normally used, although the user is permitted -to increase the current limit to the maximum (hard) limit. -The maximum and current limits may be specified individually by appending a --max or -cur to the capability name. -.Pp -.Sh ENVIRONMENT -.Bl -column ignorenologin indent xbinxxusrxbin -.Sy Name Type Notes Description -.It charset string Set $MM_CHARSET environment variable to the specified -value. -.It hushlogin bool false Same as having a ~/.hushlogin file. -.It ignorenologin bool false Login not prevented by nologin. -.It lang string Set $LANG environment variable to the specified value. -.It manpath path Default search path for manpages. -.It nologin file If the file exists it will be displayed and -the login session will be terminated. -.It path path /bin /usr/bin Default search path. -.It priority number Initial priority (nice) level. -.It requirehome bool false Require a valid home directory to login. -.It setenv list A comma-separated list of environment variables and -values to which they are to be set. -.It shell prog Session shell to execute rather than the -shell specified in the passwd file. The SHELL environment variable will -contain the shell specified in the password file. -.It term string su Default terminal type if not able to determine from -other means. -.It timezone string Default value of $TZ environment variable. -.It umask number 022 Initial umask. Should always have a leading 0 to -ensure octal interpretation. -.It welcome file /etc/motd File containing welcome message. 
-.El -.Pp -.Sh AUTHENTICATION -.Bl -column minpasswordlen indent indent -.Sy Name Type Notes Description -.It minpasswordlen number 6 The minimum length a local password may be. -.\" .It approve program Program to approve login. -.It auth list passwd Allowed authentication styles. The first value is the -default style. -.It auth-<type> list Allowed authentication styles for the -authentication type 'type'. -.It copyright file File containing additional copyright information -.\".It widepasswords bool false Use the wide password format. The wide password -.\" format allows up to 128 significant characters in the password. -.It host.allow list List of remote host wildcards from which users in -the class may access. -.It host.deny list List of remote host wildcards from which users in -the class may not access. -.It times.allow list List of time periods during which -logins are allowed. -.It times.deny list List of time periods during which logins are -disallowed. -.It tty.allow list List of ttys and ttygroups which users -in the class may use for access. -.It tty.deny list List of ttys and ttygroups which users -in the class may not use for access. -.El -.Pp -These fields are intended to be used by -.Xr passwd 1 -and other programs in the login authentication system. -.Pp -Capabilities that set environment variables are scanned for both -.Ql \&~ -and -.Ql \&$ -characters, which are substituted for a user's home directory and name -respectively. -To pass these characters literally into the environment variable, escape -the character by preceding it with a backslash '\\'. -.Pp -The -.Em host.allow -and -.Em host.deny -entries are comma separated lists used for checking remote access to the system, -and consist of a list of hostnames and/or IP addresses against which remote -network logins are checked. -Items in these lists may contain wildcards in the form used by shell programs -for wildcard matching (See -.Xr fnmatch 3 -for details on the implementation). 
-The check on hosts is made against both the remote system's Internet address -and hostname (if available). -If both lists are empty or not specified, then logins from any remote host -are allowed. -If host.allow contains one or more hosts, then only remote systems matching -any of the items in that list are allowed to log in. -If host.deny contains one or more hosts, then a login from any matching hosts -will be disallowed. -.Pp -The -.Em times.allow -and -.Em times.deny -entries consist of a comma-separated list of time periods during which the users -in a class are allowed to be logged in. -These are expressed as one or more day codes followed by a start and end times -expressed in 24 hour format, separated by a hyphen or dash. -For example, MoThSa0200-1300 translates to Monday, Thursday and Saturday between -the hours of 2 am and 1 p.m.. -If both of these time lists are empty, users in the class are allowed access at -any time. -If -.Em times.allow -is specified, then logins are only allowed during the periods given. -If -.Em times.deny -is specified, then logins are denied during the periods given, regardless of whether -one of the periods specified in -.Em times.allow -applies. -.Pp -Note that -.Xr login 1 -enforces only that the actual login falls within periods allowed by these entries. -Further enforcement over the life of a session requires a separate daemon to -monitor transitions from an allowed period to a non-allowed one. -.Pp -The -.Em tty.allow -and -.Em tty.deny -entries contain a comma-separated list of tty devices (without the /dev/ prefix) -that a user in a class may use to access the system, and/or a list of ttygroups -(See -.Xr getttyent 3 -and -.Xr ttys 5 -for information on ttygroups). -If neither entry exists, then the choice of login device used by the user is -unrestricted. -If only -.Em tty.allow -is specified, then the user is restricted only to ttys in the given -group or device list. 
-If only -.Em tty.deny -is specified, then the user is prevented from using the specified devices or -devices in the group. -If both lists are given and are non-empty, the user is restricted to those -devices allowed by tty.allow that are not available by tty.deny. -.Sh ACCOUNTING LIMITS -.Bl -column passwordperiod indent indent -.Sy Name Type Notes Description -.It accounted bool false Enable session time accounting for all users -in this class. -.It autodelete time Time after expiry when account is auto-deleted. -.It bootfull bool false Enable 'boot only if ttygroup is full' strategy -when terminating sessions. -.It daytime time Maximum login time per day. -.It expireperiod time Time for expiry allocation. -.It graceexpire time Grace days for expired account. -.It gracetime time Additional grace login time allowed. -.It host.accounted list List of remote host wildcards from which -login sessions will be accounted. -.It host.exempt list List of remote host wildcards from which -login session accounting is exempted. -.It idletime time Maximum idle time before logout. -.It monthtime time Maximum login time per month. -.It passwordtime time Time for password expiry. -.It refreshtime time New time allowed on account refresh. -.It refreshperiod str How often account time is refreshed. -.It sessiontime time Maximum login time per session. -.It sessionlimit number Maximum number of concurrent -login sessions on ttys in any group. -.It tty.accounted list List of ttys and ttygroups for which -login accounting is active. -.It tty.exempt list List of ttys and ttygroups for which login accounting -is exempt. -.It warnexpire time Advance notice for pending account expiry. -.It warnpassword time Advance notice for pending password expiry. -.It warntime time Advance notice for pending out-of-time. -.It weektime time Maximum login time per week. -.El -.Pp -These fields are used by the time accounting system, which regulates, -controls and records user login access. 
-.Pp -The -.Em ttys.accounted -and -.Em ttys.exempt -fields operate in a similar manner to -.Em ttys.allow -and -.Em ttys.deny -as explained -above. -Similarly with the -.Em host.accounted -and -.Em host.exempt -lists. -.Sh SEE ALSO -.Xr login 1 , -.Xr getcap 3 , -.Xr getttyent 3 , -.Xr login_cap 3 , -.Xr login_class 3 , -.Xr ttys 5 diff --git a/lib/libutil/login_auth.3 b/lib/libutil/login_auth.3 deleted file mode 100644 index 14a2a63fcf0f4..0000000000000 --- a/lib/libutil/login_auth.3 +++ /dev/null 
@@ -1,71 +0,0 @@ -.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, is permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice immediately at the beginning of the file, without modification, -.\" this list of conditions, and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. This work was done expressly for inclusion into FreeBSD. Other use -.\" is permitted provided this notation is included. -.\" 4. Absolutely no warranty of function or purpose is made by the author -.\" David Nugent. -.\" 5. Modifications may be freely made to this file providing the above -.\" conditions are met. -.\" -.\" $Id$ -.\" -.Dd December 29, 1996 -.Os FreeBSD -.Dt LOGIN_AUTH 3 -.Sh NAME -.Nm authenticate -.Nm auth_script -.Nm auth_env -.Nm auth_scan -.Nm auth_rmfiles -.Nm auth_checknologin -.Nm auth_cat -.Nm auth_ttyok -.Nm auth_hostok -.Nm auth_timesok -.Nd Authentication style support library for login class capabilities database. -.Sh SYNOPSIS -.Fd #include <sys/types.h> -.Fd #include <login_cap.h> -.Ft int -.Fn authenticate "const char *name" "const char *classname" "const char *style" "const char *service" -.Ft int -.Fn auth_script "const char * path" ... 
-.Ft int -.Fn auth_env "void" -.Ft int -.Fn auth_scan "int ok" -.Ft int -.Fn auth_rmfiles "void" -.Ft int -.Fn auth_checknologin "login_cap_t *lc" -.Ft int -.Fn auth_cat "const char *file" -.Ft int -.Fn auth_ttyok "login_cap_t *lc" "const char *tty" -.Ft int -.Fn auth_hostok "login_cap_t *lc" "const char *hostname" "char const *ip" -.Ft int -.Fn auth_timesok "login_cap_t *lc" "time_t now" -.Sh DESCRIPTION -This set of functions support the login class authorisation style interface provided -by -.Xr login.conf 5 . - -.Sh RETURN VALUES -.Sh SEE ALSO -.Xr getcap 3 , -.Xr login_cap 3 , -.Xr login_class 3 , -.Xr login.conf 5 , -.Xr termcap 5 diff --git a/lib/libutil/login_ok.3 b/lib/libutil/login_ok.3 deleted file mode 100644 index f90710f56ad70..0000000000000 --- a/lib/libutil/login_ok.3 +++ /dev/null 
@@ -1,138 +0,0 @@ -.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, is permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice immediately at the beginning of the file, without modification, -.\" this list of conditions, and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. This work was done expressly for inclusion into FreeBSD. Other use -.\" is permitted provided this notation is included. -.\" 4. Absolutely no warranty of function or purpose is made by the author -.\" David Nugent. -.\" 5. Modifications may be freely made to this file providing the above -.\" conditions are met. -.\" -.\" $Id$ -.\" -.Dd January 2, 1997 -.Os FreeBSD -.Dt LOGIN_OK 3 -.Sh NAME -.Nm auth_ttyok -.Nm auth_hostok -.Nm auth_timeok -.Nd Functions for checking login class based login restrictions -.Sh SYNOPSIS -.Fd #include <sys/types.h> -.Fd #include <time.h> -.Fd #include <login_cap.h> -.Ft int -.Fn auth_ttyok "login_cap_t *lc" "const char *tty" -.Ft int -.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip" -.Ft int -.Fn auth_timeok "login_cap_t *lc" "time_t t" -.Sh DESCRIPTION -This set of functions checks to see if login is allowed based on login -class capability entries in the login database, -.Xr login.conf 5 . -.Pp -.Fn auth_ttyok -checks to see if the named tty is available to users of a specific -class, and is either in the -.Em ttys.allow -access list, and not in -the -.Em ttys.deny -access list. 
-An empty -.Em ttys.allow -list (or if no such capability exists for -the give login class) logins via any tty device are allowed unless -the -.Em ttys.deny -list exists and is non-empty, and the device or its -tty group (see -.Xr ttys 5 ) -is not in the list. -Access to ttys may be allowed or restricted specifically by tty device -name, a device name which includes a wildcard (e.g. ttyD* or cuaD*), -or may name a ttygroup, when group=<name> tags have been assigned in -.Pa /etc/ttys . -Matching of ttys and ttygroups is case sensitive. -Passing a -.Dv NULL -or empty string as the -.Ar tty -parameter causes the function to return a non-zero value. -.Pp -.Fn auth_hostok -checks for any host restrictions for remote logins. -The function checks on both a host name and IP address (given in its -text form, typically n.n.n.n) against the -.Em host.allow -and -.Em host.deny -login class capabilities. -As with ttys and their groups, wildcards and character classes may be -used in the host allow and deny capability records. -The -.Xr fnmatch 3 -function is used for matching, and the matching on hostnames is case -insensitive. -Note that this function expects that the hostname is fully expanded -(i.e. the local domain name added if necessary) and the IP address -is in its canonical form. -No hostname or address lookups are attempted. -.Pp -It is possible to call this function with either the hostname or -the IP address missing (i.e. -.Dv NULL ) -and matching will be performed -only on the basis of the parameter given. -Passing -.Dv NULL -or empty strings in both parameters will result in -a non-zero return value. -.Pp -The -.Fn auth_timeok -function checks to see that a given time value is within the -.Em times.allow -login class capability and not within the -.Em times.deny -access lists. -An empty or non-existent -.Em times.allow -list allows access at any -time, except if a given time is falls within a period in the -.Em times.deny -list. 
-The format of time period records contained in both -.Em times.allow -and -.Em times.deny -capability fields is explained in detail in the -.Xr login_times 3 -manual page. -.Sh RETURN VALUES -A non-zero return value from any of these functions indicates that -login access is granted. -A zero return value means either that the item being tested is not -in the -.Em allow -access list, or is within the -.Em deny -access list. -.Sh SEE ALSO -.Xr getcap 3 , -.Xr login_cap 3 , -.Xr login_class 3 , -.Xr login_times 3 , -.Xr login.conf 5 , -.Xr termcap 5 diff --git a/lib/libutil/login_times.3 b/lib/libutil/login_times.3 deleted file mode 100644 index e2e7a3f885034..0000000000000 --- a/lib/libutil/login_times.3 +++ /dev/null 
@@ -1,155 +0,0 @@ -.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, is permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice immediately at the beginning of the file, without modification, -.\" this list of conditions, and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. This work was done expressly for inclusion into FreeBSD. Other use -.\" is permitted provided this notation is included. -.\" 4. Absolutely no warranty of function or purpose is made by the author -.\" David Nugent. -.\" 5. Modifications may be freely made to this file providing the above -.\" conditions are met. -.\" -.\" $Id$ -.\" -.Dd January 2, 1997 -.Os FreeBSD -.Dt LOGIN_TIMES 3 -.Sh NAME -.Nm parse_lt -.Nm in_ltm -.Nm in_ltms -.Nd Functions for parsing and checking login time periods -.Sh SYNOPSIS -.Fd #include <sys/types.h> -.Fd #include <time.h> -.Fd #include <login_cap.h> -.Ft login_time_t -.Fn parse_lt "const char *str" -.Ft int -.Fn in_ltm "const login_time_t *lt" "struct tm *t" "time_t *ends" -.Ft int -.Fn in_ltms "const login_time_t *lt" "struct tm *t" "time_t *ends" -.Sh DESCRIPTION -This set of functions may be used for parsing and checking login and -session times against a predefined list of allowed login times as -used in -.Xr login.conf 5 . -.Pp -The format of allowed and disallowed session times specified in the -.Ar times.allow -and -.Ar times.deny -capability fields in a login class are comprised of a prefix which -specifies one or more 2- or 3-character day codes, followed by -a start and end time in 24 hour format separated by a hyphen. 
-Day codes may be concatenated together to select specific days, or -the special mnemonics "Any" and "All" (for any/all days of the week), -"Wk" for any day of the week (excluding Saturdays and Sundays) and -"Wd" for any weekend day may be used. -.Pp -For example, the following time period: -.Dl MoThFrSa1400-2200 -is interpreted as Monday, Thursday through Saturday between the hours -of 2pm and 10pm. -.Dl Wd0600-1800 -means Saturday and Sunday, between the hours of 6am through 6pm, and -.Dl Any0400-1600 -means any day of the week, between 4am and 4pm. -.Pp -Note that all time periods reference system local time. -.Pp -The -.Fn parse_lt -function converts the ascii representation of a time period into -a structure of type -.Ft login_time_t . -This is defined as: -.Bd -literal -typedef struct login_time -{ - u_short lt_start; /* Start time */ - u_short lt_end; /* End time */ - u_char lt_dow; /* Days of week */ -} login_time_t; -.Ed -.Pp -The -.Ar lt_start -and -.Ar lt_end -fields contain the number of minutes past midnight at which the -described period begins and ends. -The -.Ar lt_dow -field is a bit field, containing one bit for each day of the week -and one bit unused. -A series -.Em LTM_* -macros may be used for testing bits individually and in combination. -If no bits are set in this field - ie. it contains the value -.Em LTM_NONE - -then the entire period is assumed invalid. -This is used as a convention to mark the termination of an array -of login_time_t values. -If -.Fn parse_lt -returns a -.Ar login_time_t -with -.Ar lt_dow -equal to -.Em LTM_NONE -then a parsing error was encountered. -.Pp -The remaining functions provide the ability to test a given time_t or -struct tm value against a specific time period or array of time -periods. -.Fn in_ltm -determines whether the given time described by the struct tm -passed as the second parameter falls within the period described -by the first parameter. 
-A boolean value is returned, indicating whether or not the time -specified falls within the period. -If the time does fall within the time period, and the third -parameter to the function is not NULL, the time at which the -period ends relative to the time passed is returned. -.Pp -The -.Fn in_ltms -function is similar to -.Fn in_ltm -except that the first parameter must be a pointer to an array -of login_time_t objects, which is up to LC_MAXTIMES (64) -elements in length, and terminated by an element with its -.Ar lt_dow -field set to -.Em LTM_NONE. -.Sh RETURN VALUES -.Fn parse_lt -returns a filled in structure of type login_time_t containing the -parsed time period. -If a parsing error occurs, the lt_dow field is set to -.Em LTM_NONE -(i.e. 0). -.Pp -.Fn in_ltm -returns non-zero if the given time falls within the period described -by the login_time_t passed as the first parameter. -.Pp -.Fn in_ltms -returns the index of the first time period found in which the given -time falls, or -1 if none of them apply. -.Sh SEE ALSO -.Xr getcap 3 , -.Xr login_cap 3 , -.Xr login_class 3 , -.Xr login.conf 5 , -.Xr termcap 5 |
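Review bot: the login.conf.5 hunk removes the only documentation in this tree of the login-class policy knobs (host.allow/host.deny, times.allow/times.deny, tty.allow/tty.deny, minpasswordlen, umask, path, shell), and because the diffstat is limited to lib/libutil the diff cannot show whether the page was moved elsewhere in the tree or simply dropped; the commit should state where it went. The deleted SEE ALSO cites login_cap(3) and login_class(3), so those pages' back-references to login.conf(5) need updating in the same change. Whatever page replaces this one should keep the caveat that login(1) enforces times.allow/times.deny only at the moment of login and a separate daemon is needed to police transitions over the life of a session, since that is the kind of detail an administrator relies on when setting time restrictions.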
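Review bot: the login_auth.3 hunk deletes a page whose RETURN VALUES section is empty and whose DESCRIPTION is one sentence, so little prose is lost, but its SYNOPSIS is the only place the prototypes for authenticate(), auth_script(), auth_env(), auth_scan(), auth_rmfiles(), auth_checknologin() and auth_cat() appear; confirm these are documented elsewhere or are no longer exported from <login_cap.h> before removing it. Note also that this page names auth_timesok() while login_ok.3 names auth_timeok() for what is evidently the same function; if documentation is being consolidated, settle on the name the library actually exports.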
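Review bot: the login_ok.3 hunk removes caller-facing semantics that login.conf.5 does not repeat and that should survive somewhere: auth_hostok() performs no lookups and expects a fully expanded hostname and a canonical IP string, an empty or missing allow list grants access unless the deny list matches, and passing NULL or empty strings for the tty (or for both host parameters) yields a non-zero return, which RETURN VALUES defines as "access granted". Callers who lose this page may not realise that an unset parameter is treated as permitted rather than refused. The page also spells the capabilities `ttys.allow`/`ttys.deny` where login.conf.5 uses `tty.allow`/`tty.deny`, so the replacement documentation should use one spelling. Its SEE ALSO and body cross-reference login_times(3), which this same commit deletes, so the two removals must be reflected in any page that still points at either.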
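Review bot: the login_times.3 hunk removes the only definition of the login_time_t layout (lt_start/lt_end as minutes past midnight, lt_dow as a day-of-week bit field, LTM_NONE doubling as array terminator and parse-error marker), the LC_MAXTIMES (64) bound on the array in_ltms() accepts, the in_ltms() return convention (index of the first matching period, -1 if none), and the day-code mnemonics Any/All/Wk/Wd; these are interface-level details for anyone using <login_cap.h>, so confirm they move to login_cap(3) or a replacement page rather than disappearing. login_ok.3 defers to this page for the times.allow/times.deny format, so if that page is not also being replaced the format description has no home after this commit.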