git: b627b8a0de - main - Status/2023Q3/login_classes.adoc: Add report

From: Lorenzo Salvadore <>
Date: Thu, 28 Sep 2023 13:27:51 UTC
The branch main has been updated by salvadore:


commit b627b8a0def61566ad3b9963a76e9be31f2d0ac3
Author:     Olivier Certner <>
AuthorDate: 2023-09-28 12:39:41 +0000
Commit:     Lorenzo Salvadore <>
CommitDate: 2023-09-28 12:42:21 +0000

    Status/2023Q3/login_classes.adoc: Add report
    Differential Revision:
 .../report-2023-07-2023-09/login_classes.adoc      | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/website/content/en/status/report-2023-07-2023-09/login_classes.adoc b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc
new file mode 100644
index 0000000000..d7158bcac7
--- /dev/null
+++ b/website/content/en/status/report-2023-07-2023-09/login_classes.adoc
@@ -0,0 +1,37 @@
+=== Login Classes Fixes and Improvements
+Links: +
+link:[Start of the reviews stack] URL: link:[]
+Contact: Olivier Certner <>
+==== Context
+Login classes are a mechanism mainly used to set various process properties and attributes at login, depending on the user logging in and the login class he is a member of.
+A login class typically specifies resource limits, environment variables and process properties such as scheduling priority and umask.
+See man:login.conf[5] for more information.
+==== Changes
+The `priority` and `umask` capabilities now accept the `inherit` special value to explicitly request property inheritance from the login process.
+This is useful, e.g.,  when temporarily logging in as another user from a process with a non-default priority to ensure that processes launched by this user still have the same priority level.
+Users can now override the global setting for the `priority` capability (in [.filename]#/etc/login.conf#) in their local configuration file ([.filename]#~/.login_conf#).
+Note however that they cannot increase their priority if they are not privileged, and that using `inherit` in this context makes no sense since the global setting is always applied first.
+- Fix a bug where, when the `priority` capability specifies a realtime priority, the final priority used was off-by-one (and the numerically highest priority in the real time class (31) could never be set).
+- Security: Prevent a setuid/setgid process from applying directives from some user's [.filename]#~/.login_conf# (directives there that cannot be applied because of a lack of privileges could suddenly become applicable in such a process).
+We have also updated the relevant manual pages to reflect the new functionality and improved the description of the `priority` and `umask` capabilities in man:login.conf[5].
+==== Status
+Some of the patches in the series have been reviewed thanks to[Konstantin Belousov] and[Warner Losh].
+Other patches are waiting for reviews (and reviewers, volunteers welcome!) which are not expected to be labored ones.
+We plan to improve consistency by deprecating the priority reset to 0 when no value for the capability `priority` is explicitly specified, which has been the case for `umask` for 15+ years.
+Sponsor: Kumacom SAS (for development work) +
+Sponsor: The FreeBSD Foundation (for some reviews)