login.conf
Login Class
Login classes allow you to control how many resources are allocated for each user. The limits can be edited in /etc/login.conf. For example, suppose we add this login class at the bottom of login.conf for network services:
# tail /etc/login.conf service:\ :openfiles-cur=4096:\ :openfiles-max=8182:\ :openfiles=4096:\ :stacksize-cur=256M:\ :stacksize-max=256M:\ :maxproc-max=infinity:\ :maxproc-cur=4096:\ :tc=daemon:
WARNING: Use tabs and not spaces in login.conf. Spaces are not parsed correctly so that services will not get the file resources they need.
Each time a network service creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, the service will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.
The current and maximum stack size controls how much stack memory a user can use. We set it at 256M to give each service plenty of room.
maxproc limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096. tc=daemon means that the default values will come from the daemon login class.
Now we will change $USER's default login class to service:
$ doas usermod -L service $USER
Note: Make sure to replace $USER with the actual username.
This can also be edited with a text editor using vipw.
To confirm that the login class has been changed, check /etc/master.passwd.
$ doas grep "^$USER" /etc/master.passwd username:*:1001:1001:service:0:0:groupname:/home/username:/sbin/nologin
grep searches for the line that begins with $USER in /etc/master.passwd.
The 5th field should have the correct login class name:
$ doas grep "^$USER" /etc/master.passwd | cut -d : -f 5 service
NOTE: If /etc/login.conf.db exists, make sure to delete it (or recreate the database), otherwise login.conf changes won't apply:
To delete:
$ doas rm /etc/login.conf.db
To create the database:
$ doas cap_mkdb /etc/login.conf
Checking Limits
You should confirm the login class has been configured correctly using ulimit.
If necessary, you may need temporarily change the login shell to ksh:
$ doas chsh -s /bin/ksh $USER
Next, we login with the login class $USER:
$ doas su -c service $USER $ ulimit -a time(cpu-seconds) unlimited file(blocks) unlimited coredump(blocks) unlimited data(kbytes) 33554432 stack(kbytes) 32768 lockedmem(kbytes) 329478 memory(kbytes) 985092 nofiles(descriptors) 4096 processes 1310
ulimit -a displays all process limits for our current user.
WARNING: If limits are not what you expect, you may have an error in your configuration!
Press ctrl+d to signal the end of file to logout
Once done, you may need to restore the login shell:
$ doas chsh -s /path/to/original/shell $USER
Replace /path/to/original/shell with the original shell (it may be /sbin/nologin).
Troubleshooting
Suppose /etc/login.conf and /etc/login.conf.db are missing or deleted. You might see this error:
OpenBSD/amd64 (username.example.com) (tty00) login: root login: Failure to retrieve default class
The way to fix this is to reboot the system into single user mode as described in the OpenBSD FAQ.
Once you boot into single user mode, mount / and /usr partitions in read-write mode, set the correct terminal type, then edit login.conf:
# mount -rw / # mount /usr # export TERM=xterm # vi /etc/login.conf
The default login.conf can be downloaded from CVSWeb, following the src -> etc -> etc.amd64 -> login.conf -> Revision 1.18 download link. Copy and paste this into /etc/login.conf, save, then quit.
If login.conf uses a database, recreate the database:
# cap_mkdb /etc/login.conf
Then reboot and login as usual:
# shutdown -r now