login.conf

Login Class

Login classes allow you to control how many resources are allocated for each user. The limits can be edited in /etc/login.conf. For example, here is a login class created for network services:

service:\
	:openfiles-cur=4096:\
	:openfiles-max=8182:\
	:openfiles=4096:\
	:stacksize-cur=256M:\
	:stacksize-max=256M:\
	:maxproc-max=infinity:\
	:maxproc-cur=4096:\
	:tc=daemon:

WARNING: Use tabs and not spaces in login.conf. Spaces are not parsed correctly so that services will not get the file resources they need.

Each time a network service creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, the service will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.

The current and maximum stack size controls how much stack memory a user can use. We set it at 256M to give each service plenty of room.

maxproc limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096. tc=daemon means that the default values will come from the daemon login class.

Now we will change username's default login class to service:

$ doas usermod -L service username

This can also be edited with a text editor using vipw.

To confirm that the login class has been changed, check /etc/master.passwd.

$ doas grep '^username' /etc/master.passwd
username:*:1001:1001:service:0:0:groupname:/home/username:/sbin/nologin

grep searches for the line that begins with username in /etc/master.passwd.

The 5th field should have the correct login class name:

$ doas grep '^username' /etc/master.passwd | cut -d : -f 5
service

NOTE: If /etc/login.conf.db exists, make sure to delete it (or recreate the database), otherwise login.conf changes won't apply:

To delete:

$ doas rm /etc/login.conf.db

To create the database:

$ doas cap_mkdb /etc/login.conf

Checking Limits

You should confirm the login class has been configured correctly using ulimit.

If necessary, you may need temporarily change the login shell to ksh:

$ doas chsh -s /bin/ksh username

Next, we login with the login class username:

$ doas su -c service username
$ ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         33554432
stack(kbytes)        32768
lockedmem(kbytes)    329478
memory(kbytes)       985092
nofiles(descriptors) 4096
processes            1310

ulimit -a displays all process limits for our current user.

WARNING: If limits are not what you expect, you may have an error in your configuration!

Press ctrl+d to signal the end of file to logout

Once done, you may need to restore the login shell:

$ doas chsh -s /path/to/original/shell username

Replace /path/to/original/shell with the original shell (it may be /sbin/nologin).

Troubleshooting

Suppose /etc/login.conf and /etc/login.conf.db are missing or deleted. You might see this error:

OpenBSD/amd64 (username.example.com) (tty00)

login: root
login: Failure to retrieve default class

The way to fix this is to reboot the system into single user mode as described in the OpenBSD FAQ.

Once you boot into single user mode, mount / and /usr partitions in read-write mode, set the correct terminal type, then edit login.conf:

# mount -rw /
# mount /usr
# export TERM=xterm
# vi /etc/login.conf

The default login.conf can be downloaded from CVSWeb, following the src -> etc -> etc.amd64 -> login.conf -> Revision 1.18 download link. Copy and paste this into /etc/login.conf, save, then quit.

If login.conf uses a database, recreate the database:

# cap_mkdb /etc/login.conf

Then reboot and login as usual:

# shutdown -r now