On 2023/04/21 20:23, Juan Picca wrote:
> But maybe a less surprise config for /etc/login.conf can be:
> 
> --- /etc/login.conf.orig
> +++ /etc/login.conf
> @@ -58,6 +58,7 @@
>  # Be sure to reset these values to system defaults in the default class!
>  #
>  daemon:\
> +     :umask=022:\
>       :ignorenologin:\
>       :datasize=4096M:\
>       :maxproc=infinity:\
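Review bot: pinning `:umask=022:` inside the daemon record only protects classes that inherit from daemon; every other class that chains to `default` (and any account with no class, which uses default) will pick up whatever restrictive umask is later set there. If the goal is a tighter mask for interactive users, put the umask in `staff` or a new class that inherits from `default` and leave the default class at the system value. A one-line comment above the added line explaining why the daemon mask is pinned would also help the next person editing the file.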
> 
> 
> With this, the umask from the default class can change without affecting the
> daemon class.

Still a bit risky, you might have other users that don't inherit from
the daemon class which will have problems with a restrictive mask.

I'd suggest targeting the umask setting, either by giving all users
class 'staff' or adding a new one which inherits from default.

> Does the usage of openfiles-max currently follow the same idea?

That goes with a restriction which we want to have in the default
login.conf anyway - not so much the case for umask I think.

> Funny fact: by mistake I did
> 
> --- /etc/login.conf.orig
> +++ /etc/login.conf
> @@ -57,6 +57,7 @@
>  # This must be set properly for daemons started as root by inetd as well.
>  # Be sure to reset these values to system defaults in the default class!
>  #
> +#:umask=022:\
>  daemon:\
>       :ignorenologin:\
>       :datasize=4096M:\
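Review bot: the added line `#:umask=022:\` ends in a backslash, and login.conf joins continuation lines before it looks at the leading `#`, so `daemon:\` and the capability lines after it are folded into the comment and the daemon record vanishes; that is what the later `doas: failed to set user context for target` error reflects. Drop the trailing backslash (`#:umask=022:`) or comment the capability out inside the record instead, and confirm the daemon record still resolves before closing the root shell.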
> 
> 
> And after that I couldn't use doas anymore to correct the file
> 
> $ doas -s
> doas: failed to set user context for target

This is a sensitive file. Keep a root shell open when modifying and
don't close it until tested; there are various ways to break the format.

Be happy you didn't push this to (iirc) a dozen machines in 4 locations
across the country with a config management tool :)

> Do you accept patches to avoid the interpretation of the last \
> (backslash) as a line continuation in a comment?

I would object to such a diff. If somebody has written a file like that
on purpose, that will break their machine on upgrade.
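A pre-deploy check for exactly this pitfall, added here as an example and not code from the thread or from OpenBSD: a small Python parser that applies the same record rule as getcap(3), joining lines on a trailing backslash before it looks at a leading `#`, so it flags a comment that swallowed the record after it, reports a missing `default` or `daemon` class, and resolves each class's effective umask through `tc=` inheritance. The login.conf content in `SAMPLE_OK` and `SAMPLE_BROKEN` is constructed for the demonstration.

```python
def join_records(text):
    """Split into records like getcap(3): '\\'-joining happens before the '#' test."""
    records, swallowed, cur, joined = [], [], [], 0
    for line in text.split("\n"):
        if line.endswith("\\"):            # continuation: drop '\', keep reading
            cur.append(line[:-1]); joined += 1
            continue
        rec = "".join(cur + [line])
        if rec.startswith("#"):            # so a '#' line ending in '\' eats the next record
            if joined: swallowed.append(rec)
        elif rec.strip():
            records.append(rec)
        cur, joined = [], 0
    return records, swallowed

def parse_classes(records):
    """Map each class name (name|alias field) to its capability dict."""
    classes = {}
    for rec in records:
        fields, caps = rec.split(":"), {}
        for f in filter(None, (x.strip() for x in fields[1:])):
            key, eq, value = f.partition("=")
            caps[key] = value if eq else True   # flag caps (ignorenologin) -> True
        for name in fields[0].split("|"): classes[name.strip()] = caps
    return classes

def effective_umask(classes, name, seen=()):
    """Resolve umask through tc= parents; None if unset, missing or cyclic."""
    caps = classes.get(name)
    if caps is None or name in seen: return None
    if "umask" in caps: return caps["umask"]
    parent = caps.get("tc")
    return effective_umask(classes, parent, seen + (name,)) if parent else None

def check(text, required=("default", "daemon")):
    """Return (problems, {class: effective umask}); run before pushing the file."""
    records, swallowed = join_records(text)
    classes = parse_classes(records)
    problems = [f"comment swallowed a record: {r[:40]!r}" for r in swallowed]
    problems += [f"missing class {n!r}" for n in required if n not in classes]
    return problems, {n: effective_umask(classes, n) for n in classes}

SAMPLE_OK = r"""default:\
        :umask=077:
daemon:\
        :umask=022:\
        :tc=default:
staff:\
        :tc=default:
"""
SAMPLE_BROKEN = SAMPLE_OK.replace("daemon:\\\n", "#:umask=022:\\\ndaemon:\\\n")  # the slip
```

`check(SAMPLE_BROKEN)` reports the swallowed comment and the missing daemon class, while `check(SAMPLE_OK)` shows staff inheriting 077 from default and daemon keeping its pinned 022.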
