introduce support for storing capability databases in /etc/login.conf.d;

anytime a class is looked up, the /etc/login.conf.d/${class} file will be
checked first for a matching class definition; this will allow us to easily
add custom login classes from packages

ok millert@

etc/mtree/4.4BSD.dist

@@ -1,4 +1,4 @@
-#	$OpenBSD: 4.4BSD.dist,v 1.319 2021/10/23 19:40:29 deraadt Exp $
+#	$OpenBSD: 4.4BSD.dist,v 1.320 2022/02/10 13:06:07 robert Exp $
 
 /set type=dir uname=root gname=wheel mode=0755
 
@@ -78,6 +78,8 @@ etc
         certs			mode=0700
         ..
     ..
+    login.conf.d		mode=0755
+    ..
     acme			mode=0700
     ..
     mail

include/login_cap.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: login_cap.h,v 1.17 2021/06/03 13:19:45 deraadt Exp $	*/
+/*	$OpenBSD: login_cap.h,v 1.18 2022/02/10 13:06:07 robert Exp $	*/
 
 /*-
  * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
@@ -42,6 +42,7 @@
 #define	LOGIN_DEFSERVICE	"login"
 #define	LOGIN_DEFUMASK		022
 #define	_PATH_LOGIN_CONF	"/etc/login.conf"
+#define	_PATH_LOGIN_CONF_D	"/etc/login.conf.d"
 #define	_PATH_AUTHPROGDIR	"/usr/libexec/auth"
 #define	_PATH_AUTHPROG		"/usr/libexec/auth/login_"
 

lib/libc/gen/login_cap.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: login_cap.c,v 1.40 2021/10/24 14:40:30 deraadt Exp $	*/
+/*	$OpenBSD: login_cap.c,v 1.41 2022/02/10 13:06:07 robert Exp $	*/
 
 /*
  * Copyright (c) 2000-2004 Todd C. Miller <millert@openbsd.org>
@@ -80,9 +80,10 @@ static	int gsetrl(login_cap_t *, int, char *, int);
 login_cap_t *
 login_getclass(char *class)
 {
-	char *classfiles[2] = {_PATH_LOGIN_CONF, NULL};
+	char *classfiles[] = { NULL, NULL, NULL };
+	char classpath[PATH_MAX];
 	login_cap_t *lc;
-	int res;
+	int res, i = 0;
 
 	if ((lc = calloc(1, sizeof(login_cap_t))) == NULL) {
 		syslog(LOG_ERR, "%s:%d malloc: %m", __FILE__, __LINE__);
@@ -91,6 +92,15 @@ login_getclass(char *class)
 
 	if (class == NULL || class[0] == '\0')
 		class = LOGIN_DEFCLASS;
+	else {
+		res = snprintf(classpath, PATH_MAX, "%s/%s",
+			_PATH_LOGIN_CONF_D, class);
+		if (res >= 0 && res < PATH_MAX)
+			classfiles[i++] = classpath;
+	}
+
+	classfiles[i++] = _PATH_LOGIN_CONF;
+	classfiles[i] = NULL;
 
     	if ((lc->lc_class = strdup(class)) == NULL) {
 		syslog(LOG_ERR, "%s:%d strdup: %m", __FILE__, __LINE__);
@@ -106,7 +116,7 @@ login_getclass(char *class)
 				lc->lc_class);
 			break;
 		case -1:
-			if ((res = open(classfiles[0], O_RDONLY)) >= 0)
+			if ((res = open(_PATH_LOGIN_CONF, O_RDONLY)) >= 0)
 				close(res);
 			if (strcmp(lc->lc_class, LOGIN_DEFCLASS) == 0 &&
 			    res < 0)

share/man/man5/login.conf.5

@@ -30,10 +30,10 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $OpenBSD: login.conf.5,v 1.67 2022/01/04 13:43:14 jmc Exp $
+.\" $OpenBSD: login.conf.5,v 1.68 2022/02/10 13:06:07 robert Exp $
 .\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $
 .\"
-.Dd $Mdocdate: January 4 2022 $
+.Dd $Mdocdate: February 10 2022 $
 .Dt LOGIN.CONF 5
 .Os
 .Sh NAME
@@ -60,6 +60,12 @@ in
 is used for any user without a valid login class in
 .Pa /etc/master.passwd .
 .Pp
+In case the
+.Pa /etc/login.conf.d/${ Ns Va class Ns }
+file exists, it will take precedence over the same login class
+defined in
+.Pa /etc/login.conf .
+.Pp
 Sites with very large
 .Pa /etc/login.conf
 files may wish to create a database version of the file,
@@ -79,7 +85,9 @@ Note that
 .Xr cap_mkdb 1
 must be run after each edit of
 .Pa /etc/login.conf
-to keep the database version in sync with the plain file.
+or the
+.Pa /etc/login.conf.d/${class}
+file to keep the database version in sync with the plain file.
 .Sh CAPABILITIES
 Refer to
 .Xr cgetent 3
@@ -916,6 +924,9 @@ option to login, respectively.
 .Bl -tag -width "/etc/login.conf"
 .It Pa /etc/login.conf
 Login class capability database.
+.It Pa /etc/login.conf.d/${ Ns Va class Ns }
+Login class capability database for the specified
+login class.
 .El
 .Sh SEE ALSO
 .Xr cap_mkdb 1 ,