Login classes allow you to control how many resources are allocated for each user. The limits can be edited in /etc/login.conf. For example, here is a login class created for network services:
service:\ :openfiles-cur=4096:\ :openfiles-max=8182:\ :openfiles=4096:\ :stacksize-cur=256M:\ :stacksize-max=256M:\ :maxproc-max=infinity:\ :maxproc-cur=4096:\ :tc=daemon:
WARNING: Use tabs and not spaces in login.conf. Spaces are not parsed correctly so that services will not get the file resources they need.
Each time a network service creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, the service will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.
The current and maximum stack size controls how much stack memory a user can use. We set it at 256M to give each service plenty of room.
maxproc limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096.
tc=daemon means that the default values will come from the
daemon login class.
Now we will change
username's default login class to
$ doas usermod -L service username
This can also be edited with a text editor using vipw.
To confirm that the login class has been changed, check /etc/master.passwd.
$ doas grep '^username' /etc/master.passwd username:*:1001:1001:service:0:0:groupname:/home/username:/sbin/nologin
The 5th field should have the correct login class name:
$ doas grep '^username' /etc/master.passwd | cut -d : -f 5 service
NOTE: If /etc/login.conf.db exists, make sure to delete it (or recreate the database), otherwise login.conf changes won't apply:
$ doas rm /etc/login.conf.db
To create the database:
$ doas cap_mkdb /etc/login.conf
You should confirm the login class has been configured correctly using ulimit.
If necessary, you may need temporarily change the login shell to ksh:
$ doas chsh -s /bin/ksh username
Next, we login with the login class username:
$ doas su -c service username $ ulimit -a time(cpu-seconds) unlimited file(blocks) unlimited coredump(blocks) unlimited data(kbytes) 33554432 stack(kbytes) 32768 lockedmem(kbytes) 329478 memory(kbytes) 985092 nofiles(descriptors) 4096 processes 1310
ulimit -a displays all process limits for our current user.
WARNING: If limits are not what you expect, you may have an error in your configuration!
Press ctrl+d to signal the end of file to logout
Once done, you may need to restore the login shell:
$ doas chsh -s /path/to/original/shell ngircd
/path/to/original/shell with the original shell (it may be
Suppose /etc/login.conf and /etc/login.conf.db are missing or deleted. You might see this error:
OpenBSD/amd64 (username.example.com) (tty00) login: root login: Failure to retrieve default class
# mount -rw / # mount /usr # export TERM=xterm # vi /etc/login.conf
If login.conf uses a database, recreate the database:
# cap_mkdb /etc/login.conf
Then reboot and login as usual:
# shutdown -r now