Hi,
Three questions below about login classes, on the themes of what's a
sensible way to work with them and how they relate to user privilege
escalation (not at all I hope).
WHAT I'M TRYING TO DO:
I am going to run some processes that have higher memory and file
descriptor quota requirements than the other processes that OpenBSD runs
otherwise.
I will have some designated user accounts for those processes to run in
(user accounts a, b and c, all non-root), so I can as well have the
quotas associated with those user accounts -
My idea is that OpenBSD's pre-installed services have optimal settings
already, so I shouldn't alter any of their settings, but instead, I
better associate my separate memory and descriptor quotas which are
especially designated for those particular activities that I am up to,
to those user accounts I designated for my activities (a, b, c).
(Also I like those users to have a particular default umask for all
files they create.)
QUESTION 1:
Looking for a "best practice" way of doing this, it is quite clear from
the documentation that I should attribute those special quotas to a
login class that I have and that is designated for my activities, and
then assign those users (a, b, c) to that login class.
I got it right, right?
QUESTION 2:
To understand the ramifications of the login class concept:
(As long as noone flips on the "wheel" option for any login class,) a
user's login class belonging *DOES NOT* imply any particular user
privileges of any kind, right?
And in particular, the "staff" login group does not imply any particular
significant privileges, right?
(I see that it has an ":ignorenologin" setting, that would be all. So no
particular OS call abilities, and no particular admin-like privileges.)
QUESTION 3:
Looking in /etc/master.passwd at what login class belonging present
users have,
* "root" belongs to the "daemon" login class,
* "_pbuild" belongs to the "pbuild" login class, "unbound" belongs to
the "unbound" login class,
* and all other users that are pre-setup at OS install time either
belong to the "daemon" login class or to no login class at all, which is
interpreted as belonging to the "default" login class.
This means we have one login class predefined by OpenBSD at installation
time namely the "staff" login class, which has no member users at OS
install time.
This means that I can use the "staff" login class for anything I want -
it's even proper to say that the "staff" login class is really well
suited for my use case as it already exists so why create a new one,
right?
So, all in all, do you think it makes sense for me to add the extra
memory and file descriptor quotas and umask rules to the "staff" login
class and attribute my users to it, or should I create a new login class
e.g. a class "high_resource_users"?
Thanks,
Tinker
