
# 14.3 User Classification

**/etc/login.conf** is the login class capability database (first introduced in FreeBSD 2.1.5). It controls resource quotas, accounting quotas, and default user environment settings. This section covers its file structure, the syntax of class definitions, and the per-user override mechanism.

## Concepts and File Structure of login.conf

Various programs in the system use this database to establish the user's login environment and to enforce policy, accounting, and administrative restrictions. It also defines how users are authenticated and which authentication types are available.

```sh
/
├── etc/
│   └── login.conf           # System-level user classification configuration file, defining resource limits, environment variables, etc. for various classes
└── User home directory (~)/
    └── .login_conf          # User local override file, can override settings from /etc/login.conf
```

Regular users can override parts of the system-level configuration through the **\~/.login\_conf** file in their home directory, which contains a single entry with the record ID "me". Only some login capabilities can be overridden this way, typically environment settings that do not involve authentication, resource limits, or accounting; for those capabilities, the user's local configuration takes priority over the system-level file **/etc/login.conf**.

The default `login.conf` is kept in the FreeBSD source tree at [usr.bin/login/login.conf](https://github.com/freebsd/freebsd-src/blob/main/usr.bin/login/login.conf); its default settings disable resource quotas.

> **Note**
>
> After each modification to this file, you must manually run `cap_mkdb /etc/login.conf` to refresh the database. `cap_mkdb` compiles the text-format login.conf into a hash database to improve query performance, and modifications only take effect once the file has been compiled. The database file has a `.db` extension and is read through functions such as cgetent(3). The user-level `~/.login_conf` must likewise be compiled with `cap_mkdb ~/.login_conf` before it takes effect.

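## Default Configuration File Interpretation

The listing below is the default file with an explanatory annotation added after each capability. In a real `login.conf` the continuation backslash must be the last character on its line, so the annotations must not be copied into the file.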

```ini
# Please note that entries like "cputime" set both "cputime-cur" and "cputime-max" simultaneously.
# The "default" login class is automatically applied (by login(1)) to all non-root users in /etc/master.passwd who do not have a valid login class set.
# Please note that since the colon ':' is used to separate capability entries, literal colons embedded in capability values or names must use the \c escape sequence (see the "CGETNUM AND CGETSTR SYNTAX AND SEMANTICS" section of getcap(3) for more escape sequences).
# Users with UID 0 (root) who do not have a valid login class use the root record (if available), otherwise use default.
# default login class

default:\
        :passwd_format=sha512:\ # The encryption format used when creating or changing passwords. Type is string. Valid values are "des", "md5", "blf", "sha256", and "sha512"; see crypt(3) for details. NIS clients using non-FreeBSD NIS servers should typically use "des".
        :welcome=/var/run/motd:\  # Message displayed after login
        :setenv=BLOCKSIZE=K:\  # A comma-separated list of environment variables and their corresponding values. Values containing commas must be quoted. BLOCKSIZE=K makes commands display in KB size format
        :mail=/var/mail/$:\  # Set the environment variable $MAIL to the specified value.
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\  # Default PATH environment variable path, where executable files are searched
        :nologin=/var/run/nologin:\  # If this file exists, it will be printed to the screen, and the corresponding user's login session will be terminated.
        :cputime=unlimited:\  # Limit the amount of CPU time a process can use. Type is time, default unit is seconds. Time values can be expressed using different units: y for years (365 days), w for weeks, d for days, h for hours, m for minutes, s for seconds. Units can be concatenated, and their values will be accumulated. For example, 2 hours 40 minutes can be written as 9600s, 160m, or 2h40m.
        :datasize=unlimited:\  # Limit the maximum size of the data segment (static memory allocation). Type is numeric, default unit is bytes. Common units include b, k, m, g, t, representing 512 bytes, KB, MB, GB, and TB respectively, case-insensitive. Multiple values can be concatenated, and their numeric values will be accumulated. For example, 2g512M represents a total size of 2.5 GB.
        :stacksize=unlimited:\  # Maximum stack size limit. Type is numeric.
        :memorylocked=64K:\  # Maximum core locked memory size limit. Type is numeric.
        :memoryuse=unlimited:\  # Maximum core memory usage limit. Type is numeric.
        :filesize=unlimited:\  # Limit the maximum size of files a process can create. Type is numeric.
        :coredumpsize=unlimited:\ # Maximum coredump size limit. Type is numeric.
        :openfiles=unlimited:\  # Limit the maximum number of files each process is allowed to open. Type is number. Number type can be hexadecimal (0x prefix) or octal (0 prefix), only one value can be specified at a time, or string format can be used. All records in the database must consistently use the same representation method.
        :maxproc=unlimited:\  # Limit the maximum number of processes. Type is number.
        :sbsize=unlimited:\  # Maximum socket buffer size. Type is numeric.
        :vmemoryuse=unlimited:\  # Maximum virtual memory usage allowed per process. Type is numeric.
        :swapuse=unlimited:\  # Maximum swap space size limit. Type is numeric.
        :pseudoterminals=unlimited:\  # Maximum number of pseudo-terminals. Type is number.
        :kqueues=unlimited:\  # Number of kqueues that can be created per process. Type is number.
        :umtxp=unlimited:\  # Maximum number of inter-process shared pthread locks. Type is number.
        :pipebuf=unlimited:\  # Maximum pipe buffer size. Type is number.
        :priority=0:\  # Initial process priority level. Type is number. Used to set the initial priority of a process: either the normal nice range (-20 to 20) or mapped to real-time or idle priority; if the special value "inherit" is set, it means inheriting the original priority without resetting. 0 represents normal priority.
        :umask=022:\  # Set the initial umask. Type is number, should start with 0 to ensure octal recognition. The special value "inherit" means keeping the original umask unchanged. 022 means file default permissions are 644, directory default permissions are 755.
        :charset=UTF-8:\  # Specify the value of the environment variable $MM_CHARSET (used by mail-related programs). Type is string.
        :lang=C.UTF-8:  # Specify the value of the environment variable $LANG. Type is string. Modifying this achieves global i18n configuration for the entire operating system.

#
# A set of common class names, forwarding them all to 'default' (login usually does this too, but having class names here suppresses diagnostic messages).
#
standard:\
        :tc=default:
xuser:\
        :tc=default:
staff:\
        :tc=default:

# This PATH may be overridden by individual applications. In particular, rc(8), service(8), and cron(8) use the default PATH when starting services or tasks, which may not include /usr/local/sbin and /usr/local/bin.
daemon:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
        :mail@:\
        :memorylocked=128M:\
        :tc=default:
news:\
        :tc=default:
dialer:\
        :tc=default:

#
# Let Root always be able to log in.
#
# Note that for the root account, login_getpwclass(3) (this software only, not a global setting) applies this entry instead of the parameters in 'default'.
root:\
        :ignorenologin:\  # Prevent nologin settings from blocking root login
        :memorylocked=unlimited:\  # Prevent memory quota limits from preventing root from allocating memory
        :tc=default:  # Inherit attributes and capabilities from the parent class (default); child class entries with the same name can override parent class values

#
# Configure correct environment variables for Russian user accounts
#
# russian login class. Use the command pw usermod XXX -L russian to specify user XXX to use this login class.
#
russian|Russian Users Accounts:\
        :charset=UTF-8:\
        :lang=ru_RU.UTF-8:\
        :tc=default: # Inherit attributes and capabilities from the parent class (default); child class entries with the same name can override parent class values


######################################################################
######################################################################
##
## Example entries
##
######################################################################
######################################################################

## Example defaults
## These settings are assigned by login(1) to unclassified users by default. Note that entries like "cputime" set both "cputime-cur" and "cputime-max" simultaneously.
#
#default:\
#       :cputime=infinity:\
#       :datasize-cur=22M:\
#       :stacksize-cur=8M:\
#       :memorylocked-cur=10M:\
#       :memoryuse-cur=30M:\
#       :filesize=infinity:\
#       :coredumpsize=infinity:\
#       :maxproc-cur=64:\
#       :openfiles-cur=64:\
#       :priority=0:\
#       :requirehome@:\
#       :umask=022:\
#       :tc=auth-defaults:
#
#
##
## standard - Standard user defaults
##
#standard:\
#       :welcome=/var/run/motd:\
#       :setenv=BLOCKSIZE=K:\
#       :mail=/var/mail/$:\
#       :path=~/bin /bin /usr/bin /usr/local/bin:\
#       :manpath=/usr/share/man /usr/local/man:\
#       :nologin=/var/run/nologin:\
#       :cputime=1h30m:\
#       :datasize=8M:\
#       :vmemoryuse=100M:\
#       :stacksize=2M:\
#       :memorylocked=4M:\
#       :memoryuse=8M:\
#       :filesize=8M:\
#       :coredumpsize=8M:\
#       :openfiles=24:\
#       :maxproc=32:\
#       :priority=0:\
#       :requirehome:\
#       :passwordtime=90d:\
#       :umask=002:\
#       :tc=default:
#
#
##
## X users (need more resources!)
##
#xuser:\
#       :manpath=/usr/share/man /usr/local/man:\
#       :cputime=4h:\
#       :datasize=12M:\
#       :vmemoryuse=infinity:\
#       :stacksize=4M:\
#       :filesize=8M:\
#       :memoryuse=16M:\
#       :openfiles=32:\
#       :maxproc=48:\
#       :tc=standard:
#
#
##
## Staff users, less restricted, can log in anytime
##
#staff:\
#       :ignorenologin:\
#       :requirehome@:\
#       :accounted@:\
#       :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :umask=022:\
#       :tc=standard:
#
#
##
## root - Alternative for root login
##
#root:\
#       :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :cputime=infinity:\
#       :datasize=infinity:\
#       :stacksize=infinity:\
#       :memorylocked=infinity:\
#       :memoryuse=infinity:\
#       :filesize=infinity:\
#       :coredumpsize=infinity:\
#       :openfiles=infinity:\
#       :maxproc=infinity:\
#       :memoryuse-cur=32M:\
#       :maxproc-cur=64:\
#       :openfiles-cur=1024:\
#       :priority=0:\
#       :requirehome@:\
#       :umask=022:\
#       :tc=auth-root-defaults:
#
#
##
## Settings used by /etc/rc
##
#daemon:\
#       :coredumpsize@:\
#       :coredumpsize-cur=0:\
#       :datasize=infinity:\
#       :datasize-cur@:\
#       :maxproc=512:\
#       :maxproc-cur@:\
#       :memoryuse-cur=64M:\
#       :memorylocked-cur=64M:\
#       :openfiles=1024:\
#       :openfiles-cur@:\
#       :stacksize=16M:\
#       :stacksize-cur@:\
#       :tc=default:
#
#
##
## Settings used by the news subsystem
##
#news:\
#       :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :cputime=infinity:\
#       :filesize=128M:\
#       :datasize-cur=64M:\
#       :stacksize-cur=32M:\
#       :coredumpsize-cur=0:\
#       :maxmemorysize-cur=128M:\
#       :memorylocked=32M:\
#       :maxproc=128:\
#       :openfiles=256:\
#       :tc=default:
#
#
##
## The dialer class should be used for dialup PPP accounts
## Welcome message/news is suppressed
##
#dialer:\
#       :hushlogin:\
#       :requirehome@:\
#       :cputime=unlimited:\
#       :filesize=2M:\
#       :datasize=2M:\
#       :stacksize=4M:\
#       :coredumpsize=0:\
#       :memoryuse=4M:\
#       :memorylocked=1M:\
#       :maxproc=16:\
#       :openfiles=32:\
#       :tc=standard:
#
#
##
## dialer class, should be used for dialup PPP accounts
## Welcome message/news is suppressed
##
#site:\
#       :passwordtime@:\
#       :refreshtime@:\
#       :refreshperiod@:\
#       :sessionlimit@:\
#       :autodelete@:\
#       :expireperiod@:\
#       :graceexpire@:\
#       :gracetime@:\
#       :warnexpire@:\
#       :warnpassword@:\
#       :idletime@:\
#       :sessiontime@:\
#       :daytime@:\
#       :weektime@:\
#       :monthtime@:\
#       :warntime@:\
#       :accounted@:\
#       :tc=dialer:\
#       :tc=staff:
#
#
##
## Example standard accounting entry for subscription tiers
##
#
#subscriber|Subscribers:\
#       :accounted:\
#       :refreshtime=180d:\
#       :refreshperiod@:\
#       :sessionlimit@:\
#       :autodelete=30d:\
#       :expireperiod=180d:\
#       :graceexpire=7d:\
#       :gracetime=10m:\
#       :warnexpire=7d:\
#       :warnpassword=7d:\
#       :idletime=30m:\
#       :sessiontime=4h:\
#       :daytime=6h:\
#       :weektime=40h:\
#       :monthtime=120h:\
#       :warntime=4h:\
#       :tc=standard:
#
#
##
## Subscription accounts. Login times for these accounts are recorded and access restrictions are applied.
##
#subppp|PPP Subscriber Accounts:\
#       :tc=dialer:\
#       :tc=subscriber:
#
#
#subshell|Shell Subscriber Accounts:\
#       :tc=subscriber:
#
##
## If you want some accounts to use traditional UNIX DES encrypted password hashes.
##
#des_users:\
#       :passwd_format=des:\
#       :tc=default:
```
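
The inheritance and value rules annotated above (`tc=` chaining, `@` cancellation, concatenated time and size units) can be checked offline with a small resolver. This is an added example, not part of the original page or of FreeBSD's own code; the sample records are constructed, and the parser is a simplification that ignores `\c` escapes and reads the text form rather than the compiled `.db` file.

```python
import re

# Constructed sample in login.conf(5) syntax; not the system file.
SAMPLE = r"""
default:\
        :cputime=unlimited:maxproc=unlimited:\
        :mail=/var/mail/$:
standard:\
        :cputime=2h40m:datasize=2g512M:maxproc=32:\
        :tc=default:
daemon:\
        :mail@:tc=default:
"""
TIME = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
SIZE = {"b": 512, "k": 2**10, "m": 2**20, "g": 2**30, "t": 2**40}

def parse_records(text):
    """Join backslash-continued lines; map each class name to its capability list."""
    records = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.strip() and not line.startswith("#"):
            names, *caps = line.split(":")  # simplification: no \c escape handling
            for name in names.split("|"):
                records[name] = [c for c in caps if c.strip()]
    return records

def resolve(records, cls, seen=()):
    """First match wins; tc= splices in the parent; 'cap@' cancels inherited values."""
    if cls in seen:
        raise ValueError(f"tc= loop at {cls}")
    out = {}
    for cap in records[cls]:
        key, _, val = cap.partition("=")
        if key == "tc":
            for k, v in resolve(records, val, seen + (cls,)).items():
                out.setdefault(k, v)
        elif key.endswith("@"):
            out.setdefault(key[:-1], None)    # None marks a cancelled capability
        else:
            out.setdefault(key, val or True)  # bare name is a boolean capability
    return out

def to_number(value, units):
    """Sum concatenated terms (2h40m, 2g512M); None means no limit."""
    if value.lower() in ("unlimited", "infinity"):  # spellings used on this page
        return None
    return sum(int(n) * (units[u] if u else 1)
               for n, u in re.findall(r"(\d+)([a-z]?)", value.lower()))
```

Resolving `daemon` shows `mail` cancelled even though `default` sets it, and resolving `standard` shows its own `maxproc=32` taking precedence over the inherited `unlimited`.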

## References

* FreeBSD Project. login.conf(5)\[EB/OL]. \[2026-03-26]. <https://man.freebsd.org/cgi/man.cgi?query=login.conf&sektion=5>. Login class capability database manual page.
* FreeBSD Project. cgetent -- capability database access routines\[EB/OL]. \[2026-04-17]. <https://man.freebsd.org/cgi/man.cgi?query=cgetent&sektion=3>. Capability database access routines manual page.

## Exercises

1. Modify the user's **\~/.login\_conf** file to override some settings from the system-level `login.conf`, record the priority relationship between the two configurations, and analyze the database search order of the `cgetent()` function.
2. Modify the `umask` and `passwd_format` settings of the default class, and compare the changes in new file permissions and password encryption methods before and after modification.
3. Create a custom login class with specific resource limits (such as `cputime` and `maxproc`), assign it to a test user and verify whether the limits take effect, and analyze the implementation mechanism of resource limits at the kernel level.

