Library functions relating to the login class capabilities database,

including manpages.
See also login_cap.h.

11 files changed, 2644 insertions, 2 deletions

diff --git a/lib/libutil/Makefile b/lib/libutil/Makefile
index e5f7063..2e6b8c8 100644
--- a/lib/libutil/Makefile
+++ b/lib/libutil/Makefile
@@ -4,9 +4,25 @@ LIB=	util
 SHLIB_MAJOR= 2
 SHLIB_MINOR= 1
 CFLAGS+=-DLIBC_SCCS -I${.CURDIR} -I/sys
-SRCS=	login.c login_tty.c logout.c logwtmp.c pty.c setproctitle.c
-MAN3+=	login.3 login_tty.3 logout.3 logwtmp.3 pty.3 setproctitle.3
+SRCS=	login.c login_tty.c logout.c logwtmp.c pty.c setproctitle.c \
+	login_cap.c login_class.c login_auth.c login_times.c login_ok.c
+MAN3+=	login.3 login_tty.3 logout.3 logwtmp.3 pty.3 setproctitle.3 \
+	login_cap.3 login_class.3 login_times.3 login_ok.3
+MAN5+=	login.conf.5
 MLINKS+= pty.3 openpty.3  pty.3 forkpty.3
+MLINKS+=login_cap.3 login_getclassbyname.3 login_cap.3 login_close.3 \
+	login_cap.3 login_getclass.3 login_cap.3 login_getuserclass.3 \
+	login_cap.3 login_getcapstr.3 login_cap.3 login_getcaplist.3 \
+	login_cap.3 login_getstyle.3 login_cap.3 login_getcaptime.3 \
+	login_cap.3 login_getcapnum.3 login_cap.3 login_getcapsize.3 \
+	login_cap.3 login_getcapbool.3 login_cap.3 login_getpath.3
+MLINKS+=login_class.3 setusercontext.3 login_class.3 setclasscontext.3 \
+	login_class.3 setclassenvironment.3 login_class.3 setclassresources.3
+MLINKS+=login_times.3 parse_lt.3 login_times.3 in_ltm.3 \
+	login_times.3 in_lt.3 login_times.3 in_ltms.3 \
+	login_times.3 in_lts.3
+MLINKS+=login_ok.3 auth_ttyok.3 login_ok.3 auth_hostok.3 \
+	login_ok.3 auth_timeok.3
 
 beforeinstall:
 	${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 ${.CURDIR}/libutil.h \
diff --git a/lib/libutil/login_auth.3 b/lib/libutil/login_auth.3
new file mode 100644
index 0000000..555195f
--- /dev/null
+++ b/lib/libutil/login_auth.3
@@ -0,0 +1,71 @@
+.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd December 29, 1996
+.Os FreeBSD
+.Dt LOGIN_AUTH 3
+.Sh NAME
+.Nm authenticate
+.Nm auth_script
+.Nm auth_env
+.Nm auth_scan
+.Nm auth_rmfiles
+.Nm auth_checknologin
+.Nm auth_cat
+.Nm auth_ttyok
+.Nm auth_hostok
+.Nm auth_timesok
+.Nd Authentication style support library for login class capabilities database.
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <login_cap.h>
+.Ft int
+.Fn authenticate "const char *name" "const char *classname" "const char *style" "const char *service"
+.Ft int
+.Fn auth_script "const char * path" ...
+.Ft int
+.Fn auth_env "void"
+.Ft int
+.Fn auth_scan "int ok"
+.Ft int
+.Fn auth_rmfiles "void"
+.Ft int
+.Fn auth_checknologin "login_cap_t *lc"
+.Ft int
+.Fn auth_cat "const char *file"
+.Ft int
+.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
+.Ft int
+.Fn auth_hostok "login_cap_t *lc" "const char *hostname" "char const *ip"
+.Ft int
+.Fn auth_timesok "login_cap_t *lc" "time_t now"
+.Sh DESCRIPTION
+This set of functions support the login class authorisation style interface provided
+by
+.Xr login.conf 5 .
+
+.Sh RETURN VALUES
+.Sh SEE ALSO
+.Xr login_cap 3 ,
+.Xr login_class 3 ,
+.Xr login.conf 5 ,
+.Xr termcap 5 ,
+.Xr getcap 3 
diff --git a/lib/libutil/login_auth.c b/lib/libutil/login_auth.c
new file mode 100644
index 0000000..38007b0
--- /dev/null
+++ b/lib/libutil/login_auth.c
@@ -0,0 +1,383 @@
+/*-
+ * Copyright (c) 1996 by
+ * Sean Eric Fagan <sef@kithrup.com>
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice immediately at the beginning of the file, without modification,
+ *    this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD.  Other use
+ *    is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ *    conditions are met.
+ *
+ * Low-level routines relating to the user capabilities database
+ *
+ *	$Id$
+ */
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <login_cap.h>
+#include <stdarg.h>
+#include <paths.h>
+#include <sys/wait.h>
+
+extern char *fgetline(FILE *, int*);
+
+#ifdef RLIM_LONG
+# define STRTOV strtol
+#else
+# define STRTOV strtoq
+#endif
+
+#define AUTHMAXLINES  1024
+#define AUTHMAXARGS   16
+
+struct auth_info {
+  int reject;
+  int auths;
+  int env_count;
+  char **env;
+  int file_count;
+  char **files;
+};
+
+static struct auth_info auth_info;
+
+/*
+ * free_auth_info()
+ * Go through the auth_info structure, and free() anything of interest.
+ * This includes the string arrays, and any individual element.
+ * All part of being environmentally conscious ;).
+ */
+
+static void
+free_auth_info(void)
+{
+  int i;
+  char *ptr;
+
+  auth_info.reject = 0;
+  auth_info.auths = 0;
+  if (auth_info.env) {
+    for (i = 0; i < auth_info.env_count; i++) {
+      if (auth_info.env[i])
+	free(auth_info.env[i]);
+    }
+    free(auth_info.env);
+    auth_info.env = NULL;
+  }
+  if (auth_info.files) {
+    for (i = 0; i < auth_info.file_count; i++) {
+      if (auth_info.files[i])
+	free(auth_info.files[i]);
+    }
+    free(auth_info.files);
+    auth_info.files = NULL;
+  }
+}
+
+
+/*
+ * collect_info()
+ * Read from <fd>, a list of authorization commands.
+ * These commands are:
+ *	reject
+ *	authorize [root|secure]
+ *	setenv <name>[ <value>]
+ *	remove <file>
+ * A single reject means the entire thing is bad;
+ * multiple authorize statements can be present (it would be
+ * silly, but that's what the spec says).
+ * The commands are collected, and are accted upon by:
+ *	auth_scan()	-- check for authorization or rejection
+ *	auth_rmfiles()	-- remove the specified files
+ *	auth_env()	-- set the specified environment variables
+ * We only get up to AUTHMAXLINES lines of input from the program.
+ */
+#define STRSIZEOF(x)  (sizeof(x)-1)
+static void
+collect_info(int fd)
+{
+  char *line;
+  FILE *fp;
+  char *ptr;
+  int len;
+  int line_count = 0;
+
+  fp = fdopen(fd, "r");
+
+  while ((line = fgetline(fp, &len)) != NULL) {
+    if (++line_count > AUTHMAXLINES)
+      break;
+    if (strncasecmp(line, BI_REJECT, STRSIZEOF(BI_REJECT)) == 0) {
+      auth_info.reject = 1;
+    } else if (strncasecmp(line, BI_AUTH, STRSIZEOF(BI_AUTH)) == 0) {
+      ptr = line + STRSIZEOF(BI_AUTH);
+      ptr += strspn(ptr, " \t");
+      if (!*ptr)
+	auth_info.auths |= AUTH_OKAY;
+      else if (strncasecmp(ptr, BI_ROOTOKAY, STRSIZEOF(BI_ROOTOKAY)) == 0)
+	auth_info.auths |= AUTH_ROOTOKAY;
+      else if (strncasecmp(ptr, BI_SECURE, STRSIZEOF(BI_SECURE)) == 0)
+	auth_info.auths |= AUTH_SECURE;
+    } else if (strncasecmp(line, BI_SETENV, STRSIZEOF(BI_SETENV)) == 0) {
+      ptr = line + STRSIZEOF(BI_SETENV);
+      ptr += strspn(ptr, " \t");
+      if (*ptr) {
+	char **tmp = realloc(auth_info.env, sizeof(char*) * (auth_info.env_count + 1));
+	if (tmp != NULL) {
+	  auth_info.env = tmp;
+	  if ((auth_info.env[auth_info.env_count] = strdup(ptr)) != NULL)
+	    auth_info.env_count++;
+	}
+      }
+    } else if (strncasecmp(line, BI_REMOVE, STRSIZE(BI_REMOVE)) == 0) {
+      ptr = line + STRSIZE(BI_REMOVE);
+      ptr += strspn(ptr, " \t");
+      if (*ptr) {
+	char **tmp = realloc(auth_info.files, sizeof(char*) * (auth_info.file_count + 1));
+	if (tmp != NULL) {
+	  auth_info.files = tmp;
+	  if ((auth_info.files[auth_info.file_count] = strdup(ptr)) != NULL)
+	    auth_info.file_count++;
+	}
+      }
+    }
+  }
+  fclose(fp);
+}
+
+      
+/*
+ * authenticate()
+ * Starts an auth_script() for the given <user>, with a class <class>,
+ * style <style>, and service <service>.  <style> is necessary,
+ * as are <user> and <class>, but <service> is optional -- it defaults
+ * to "login".
+ * Since auth_script() expects an execl'able program name, authenticate()
+ * also concatenates <style> to _PATH_AUTHPROG.
+ * Lastly, calls auth_scan(AUTH_NONE) to see if there are any "reject" statements,
+ * or lack of "auth" statements.
+ * Returns -1 on error, 0 on rejection, and >0 on success.
+ * (See AUTH_* for the return values.)
+ *
+ */
+int
+authenticate(const char * name, const char * class, const char * style, const char *service)
+{
+  int retval;
+
+  if (style == NULL || *style == '\0')
+    retval = -1;
+  else {
+    char buf[sizeof(_PATH_AUTHPROG) + 64];
+
+    if (service == NULL || *service == '\0')
+      service = LOGIN_DEFSERVICE;
+
+    free_auth_info();
+
+    if (snprintf(buf, sizeof buf, _PATH_AUTHPROG "%s", style) >= sizeof buf)
+      retval = -1;
+    else {
+      retval = auth_script(buf, style, "-s", service, name, class, NULL);
+      if (retval >= 0)
+	retval = auth_scan(AUTH_NONE);
+    }
+  }
+  return retval;
+}
+
+
+/*
+ * auth_script()
+ * Runs an authentication program with specified arguments.
+ * It sets up file descriptor 3 for the program to write to;
+ * it stashes the output somewhere.  The output of the program
+ * consists of statements:
+ *	reject
+ *	authorize [root|secure]
+ *	setenv <name> [<value>]
+ *	remove <file>
+ *
+ * Terribly exciting, isn't it?  There is no limit specified in
+ * BSDi's API for how much output can be present, but we should
+ * keep it fairly small, I think.
+ * No more than AUTHMAXLINES lines.
+ */
+
+int
+auth_script(const char * path, ...)
+{
+  va_list ap;
+  int pid, status;
+  int argc = 0;
+  int p[2];	/* pipes */
+  char *argv[AUTHMAXARGS+1];
+
+  va_start(ap, path);
+  while (argc < AUTHMAXARGS && (argv[argc++] = va_arg(ap, char*)) != NULL)
+    ;
+  argv[argc] = NULL;
+  va_end(ap);
+
+  fflush(NULL);
+
+  if (pipe(p) >= 0) {
+    if ((pid = fork()) == -1) {
+      close(p[0]);
+      close(p[1]);
+    } else if (pid == 0) {    /* Child */
+      close(p[0]);
+      dup2(p[1], 3);
+      if (setenv("PATH", _PATH_DEFPATH, 1)==0 && setenv("SHELL", _PATH_BSHELL, 1)==0)
+	execv(path, argv);
+      _exit(1);
+    } else {
+      close(p[1]);
+      collect_info(p[0]);
+      if (waitpid(pid, &status, 0) != -1 && WIFEXITED(status) && !WEXITSTATUS(status))
+	return 0;
+    }
+  }
+  return -1;
+}
+
+
+/*
+ * auth_env()
+ * Processes the stored "setenv" lines from the stored authentication
+ * output.
+ */
+
+int
+auth_env(void)
+{
+  int i;
+
+  for (i = 0; i < auth_info.env_count; i++) {
+    char *nam = auth_info.env[i];
+    char *ptr = nam + strcspn(nam, " \t=");
+    if (*ptr) {
+      *ptr++ = '\0';
+      ptr += strspn(ptr, " \t");
+    }
+    setenv(nam, ptr, 1);
+  }
+}
+
+
+/*
+ * auth_scan()
+ * Goes through the output of the auth_script/authenticate, and
+ * checks for a failure or authentication.
+ * <ok> is a default authentication value -- if there are no
+ * rejection or authentication statements, then it is returned
+ * unmodified.
+ * AUTH_NONE is returned if there were any reject statements
+ * from the authentication program (invoked by auth_script()), and
+ * AUTH, AUTH_ROOTOKAY, and/or AUTH_SECURE are returned if the
+ * appropriate directives were found.  Note that AUTH* are
+ * *bitmasks*!
+ */
+
+int
+auth_scan(int ok)
+{
+  if (auth_info.reject)
+    return 0;
+  return ok | auth_info.auths;
+}
+
+
+/*
+ * auth_rmfiles()
+ * Removes any files that the authentication program said needed to be
+ * removed, said files having come from a previous execution of
+ * auth_script().
+ */
+
+int
+auth_rmfiles(void)
+{
+  int i = auth_info.file_count;
+  while (i-- > 0) {
+    unlink(auth_info.files[i]);
+    free(auth_info.files[i]);
+    auth_info.files[i] = NULL;
+  }
+}
+
+
+/*
+ * auth_checknologin()
+ * Checks for the existance of a nologin file in the login_cap
+ * capability <lc>.  If there isn't one specified, then it checks
+ * to see if this class should just ignore nologin files.  Lastly,
+ * it tries to print out the default nologin file, and, if such
+ * exists, it exits.
+ */
+
+void
+auth_checknologin(login_cap_t *lc)
+{
+  char *file;
+
+  /* Do we ignore a nologin file? */
+  if (login_getcapbool(lc, "ignorenologin", 0))
+    return;
+
+  /* Note that <file> will be "" if there is no nologin capability */
+  if ((file = login_getcapstr(lc, "nologin", "", NULL)) == NULL)
+    exit(1);
+
+  /*
+   * *file is true IFF there was a "nologin" capability
+   * Note that auth_cat() returns 1 only if the specified
+   * file exists, and is readable.  E.g., /.nologin exists.
+   */
+  if ((*file && auth_cat(file)) || auth_cat(_PATH_NOLOGIN))
+    exit(1);
+}
+
+
+/*
+ * auth_cat()
+ * Checks for the readability of <file>; if it can be opened for
+ * reading, it prints it out to stdout, and then exits.  Otherwise,
+ * it returns 0 (meaning no nologin file).
+ */
+int
+auth_cat(const char *file)
+{
+  int fd, count;
+  char buf[BUFSIZ];
+
+  if ((fd = open(file, O_RDONLY)) < 0)
+    return 0;
+  while ((count = read(fd, buf, sizeof(buf))) > 0)
+    write(fileno(stdout), buf, count);
+  close(fd);
+  return 1;
+}
diff --git a/lib/libutil/login_cap.3 b/lib/libutil/login_cap.3
new file mode 100644
index 0000000..3fbf3a6
--- /dev/null
+++ b/lib/libutil/login_cap.3
@@ -0,0 +1,378 @@
+.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd December 27, 1996
+.Os FreeBSD
+.Dt LOGIN_CAP 3
+.Sh NAME
+.Nm login_getclassbyname ,
+.Nm login_close ,
+.Nm login_getclass ,
+.Nm login_getuserclass ,
+.Nm login_getcapstr ,
+.Nm login_getcaplist ,
+.Nm login_getcaptime ,
+.Nm login_getcapnum ,
+.Nm login_getcapsize ,
+.Nm login_getcapbool ,
+.Nm login_getstyle
+.Nd functions for accessing the login class capabilities database.
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <login_cap.h>
+.Ft void
+.Fn login_close "login_cap_t * lc"
+.Ft login_cap_t *
+.Fn login_getclassbyname "const char *nam" "const char *dir"
+.Ft login_cap_t *
+.Fn login_getclass "const struct passwd *pwd"
+.Ft login_cap_t *
+.Fn login_getuserclass "const struct passwd *pwd"
+.Ft char *
+.Fn login_getcapstr "login_cap_t *lc" "const char *cap" "char *def" "char *error"
+.Ft char **
+.Fn login_getcaplist "login_cap_t *lc" "const char *cap" "const char *chars"
+.Ft char *
+.Fn login_getpath "login_cap_t *lc" "const char *cap" "char *error"
+.Ft rlim_t
+.Fn login_getcaptime "login_cap_t *lc" "const char *cap" "rlim_t def" "rlim_t error"
+.Ft rlim_t
+.Fn login_getcapnum "login_cap_t *lc" "const char *cap" "rlim_t def" "rlim_t error"
+.Ft rlim_t
+.Fn login_getcapsize "login_cap_t *lc" const "char *cap" "rlim_t def" "rlim_t error"
+.Ft int
+.Fn login_getcapbool "login_cap_t *lc" "const char *cap" "int def"
+.Ft char *
+.Fn login_getstyle "login_cap_t *lc" "char *style" "const char *auth"
+.Pp
+.Sh DESCRIPTION
+These functions represent a programming interface to the login
+classes database provided in
+.Xr login.conf 5 .
+This database contains capabilities, attributes and default environment
+and accounting settings for users and programs running as specific users,
+as determined by the login class field within entries in
+.Pa /etc/master.passwd .
+.Pp
+Entries in
+.Xr login.conf 5
+consist of colon
+.Ql \&:
+separated fields, the first field in each record being one or more
+identifiers for the record which must be unique for the entire database
+each separated by a '|' and may optionally include a description as
+the last 'name'.
+Remaining fields in the record consist of keyword/data pairs.
+Long lines may be continued with a backslash within empty entries
+with the second and subsequent lines optionally indented for readability.
+This is similar to the format used in
+.Xr termcap 5
+except that keywords are not limited to two significant characters,
+and are usually longer for improved readability.
+As with termcap entries, multiple records can be linked together
+(one record including another) using a field containing tc=<recordid>,
+the result is that the entire record referenced by <recordid> replaces
+the tc= field at the point at which it occurs.
+See
+.Xr getcap 3
+for further details on the format and use of a capabilities database.
+.Pp
+The
+.Nm login_cap
+interface provides a convenient means of retrieving login class
+records with all tc= references expanded.
+A program will typically call one of
+.Fn login_getclass ,
+.Fn login_getuserclass
+or
+.Fn login_getclassbyname
+according to its requirements.
+Each of these functions returns a login capabilities structure,
+.Ft login_cap_t
+which may subsequently be used to interrogate the database for
+specific values using the rest of the API.
+Once the login_cap_t is of no further use, the
+.Fn login_close
+function should be called to free all resources used.
+.Pp
+The structure of login_cap_t is defined in login_cap.h, as:
+.Bd -literal -offset indent
+typedef struct {
+	char *lc_class;
+	char *lc_cap;
+	char *lc_style;
+} login_cap_t;
+.Ed
+.Pp
+The
+.Ar lc_class
+member contains a pointer to the name of the login class
+retrieved.
+This may not necessarily be the same as the one requested,
+either directly via
+.Fn login_getclassbyname ,
+or indirectly via a user's login record using
+.Fn login_getclass
+or
+.Fn login_getuserclass .
+If the referenced user has no login class specified in
+.Pa /etc/master.passwd ,
+the class name is NULL or an empty string, or if the class
+specified does not exist in the database, each of these
+functions will search for a record with an id of "default",
+with that name returned in the
+.Ar lc_class
+field.
+.Pp
+The
+.Ar lc_cap
+field is used internally by the library to contain the
+expanded login capabilities record.
+Programs with unusual requirements may wish to use this
+with the lower-level
+.Fn getcap
+style functions to access the record directly.
+.Pp
+The
+.Ar lc_style
+field is set by the
+.Fn login_getstyle
+function to the authorisation style according to the requirements
+of the program handling a login itself.
+.Pp
+As noted above, the
+.Fn get*class
+functions return a login_cap_t object which is used to access
+the matching or default record in the capabilities database.
+.Fn getclassbyname
+accepts two arguments: the first one is the record identifier of the
+record to be retrieved, the second being an optional directory name.
+If the first
+.Ar name
+argument is NULL, an empty string, or a class that does not exist
+in the supplimental or system login class database, then the system
+.Em default
+record is returned instead.
+If the second
+.Ar dir
+parameter is NULL, then only the system login class database is
+used, but when not NULL, the named directory is searched for
+a login database file called ".login.conf", and capability records
+contained within it may override the system defaults.
+This scheme allows users to override some login settings from
+those in the system login class database by creating class records
+for their own private class with a record id of `me'.
+In the context of a 
+.Em login ,
+it should be noted that some options cannot by overridden by
+users for two reasons; many options, such as resource settings
+and deafult process priorities, require root privileges 
+in order to take effect, and other fields in the user's file are
+not be consulted at all during the early phases of login for
+security or administrative reasons.
+See
+.Xr login.conf 5
+for more information on which settings a user is able to override.
+Typically, these are limited purely to the user's default login
+environment which might otherwise have been overridden in shell
+startup scripts in any case.
+The user's
+.Pa .login.conf
+merely provides a convenient way for a user to set up their preferred
+login environment before the shell is invoked on login.
+.Pp
+If the specified record is NULL, empty or does not exist, and the
+system has no "default" record available to fallback, there is a
+memory allocation error or for some reason
+.Xr cgetent 3
+is unable to access the login capabilities database, this function
+returns NULL.
+.Pp
+The functions
+.Fn login_getclass
+and
+.Fn login_getuserclass
+retrieve the applicable login class record for the user's passwd
+entry by calling
+.Fn login_getclassbyname .
+On failure, NULL is returned.
+The difference between the two functions is that
+.Fn login_getuserclass
+includes the user's overriding
+.Pa .login.conf
+that exists in the user's home directory, while
+.Fn login_getclass
+restricts itself only to the system login class database in
+.Pa /etc/login.conf .
+In either case, if the passwd pointer is NULL, or the user has
+no class, then the system "default" entry is retrieved.
+.Pp
+Once a program no longer wishes to use a login_cap_t object,
+.Fn login_close
+may be called to free all resources used by the login class.
+.Fn login_close
+may be passed a NULL pointer with no harmful side-effects.
+.Pp
+The remaining functions may be used to retrieve individual
+capability records.
+Each function takes a login_cap_t object as its first parameter,
+a capability tag as the second, and remaining parameters being
+default and error values that are returned if the capability is
+not found.
+The type of the additional parameters passed and returned depend
+on the
+.Em type
+of capability each deals with, be it a simple string, a list,
+a time value, a file or memory size value, a path (consisting of
+a colon-separated list of directories) or a boolean flag.
+The manpage for
+.Xr login.conf 5
+deals in specific tags and their type.
+.Pp
+Note that with all functions in this group, you should not call 
+.Xr free 3
+on any pointers returned.
+Memory allocated during retrieval or processing of capability
+tags is automatically reused by subsequent calls to functions
+in this group, or deallocated on calling
+.Fn login_close .
+.Bl -tag -width "login_getcaplist()"
+.It Fn login_getcapstr
+This function returns a simple string capability.
+If the string is not found, then the value in
+.Ar def
+is returned as the default value, or if an error
+occurs, the value in the
+.Ar error
+parameter is returned.
+.It Fn login_getcaplist
+This function returns the value corresponding to the named
+capability tag as a list of values in a NULL terminated
+array.
+Within the login class database, some tags are of type
+.Em list ,
+which consist of one or more comma- or space separated
+values.
+Usually, this function is not called directly from an
+application, but is used indirectly via
+.Fn login_getstyle .
+.It Fn login_getpath
+This function returns a list of directories separated by colons
+.Ql &: .
+Capability tags for which this function is called consist of a list of
+directories separated by spaces.
+.It Fn login_getcaptime
+This function returns a
+.Em time value
+associated with a particular capability tag with the value expressed
+in seconds (the default), minutes, hours, days, weeks or (365 day)
+years or any combination of these.
+A suffix determines the units used: S for seconds, M for minutes,
+H for hours, D for days, W for weeks and Y for 365 day years.
+Case of the units suffix is ignored.
+.Pp
+Time values are normally used for setting resource, accounting and
+session limits.
+If supported by the operating system and compiler (which is true of
+FreeBSD), the value returned is a quad (long long), of type
+.Em rlim_t .
+A value "inf" or "infinity" may be used to express an infinite
+value, in which case RLIM_INFINITY is returned.
+.It Fn login_getcapnum
+This function returns a numeric value for a tag, expressed either as
+tag=<value> or the standard
+.Fn cgetnum
+format tag#<value>.
+The first format should be used in preference to the second, the
+second format is provided for compatibility and consistency with the
+.Xr getcap 3
+database format where numeric types use the
+.Ql \&#
+as the delimiter for numeric values.
+If in the first format, then the value given may be "inf" or
+"infinity" which results in a return value of RLIM_INFINITY.
+If the given capability tag cannot be found, the
+.Ar def
+parameter is returned, and if an error occurs, the 
+.Ar error
+parameter is returned.
+.It Fn login_getcapsize
+.Fn login_getcapsize
+returns a value representing a size (typicially, file or memory)
+which may be expressed as bytes (the default), 512 byte blocks,
+kilobytes, megabytes, gigabytes, and on systems that support the
+.Ar long long
+type, terrabytes.
+The suffix used determines the units, and multiple values and
+units may be used in combination (e.g. 1m500k = 1.5 megabytes).
+A value with no suffix is interpreted as bytes,  B as 512-byte
+blocks, K as kilobytes, M as megabytes, G as gigabytes and T as
+terrabytes.
+Case is ignored.
+The error value is returned if there is a login capabilities database
+error, if an invalid suffix is used, or if a numeric value cannot be
+interpreted.
+.It Fn login_getcapbool
+This function returns a boolean value tied to a particular flag.
+It returns 0 if the given capability tag is not present or is
+negated by the presence of a "tag@" (See
+.Xr getcap 3
+for more information on boolean flags), and returns 1 if the tag
+is found.
+.It Fn login_getstyle
+This function is used by the login authorisation system to determine
+the style of login available in a particular case.
+The function accepts three parameters, the login_cap entry itself and
+two optional parameters, and authorisation type 'auth' and 'style', and
+applies these to determine the authorisation style that best suites
+these rules.
+.Bl -bullet -indent offset
+.It
+If 'auth' is neither NULL nor an empty string, look for a tag of type
+"auth-<auth>" in the capability record.
+If not present, then look for the default default tag "auth=".
+.It
+If no valid authorisation list was found from the previous step, then
+default to "passwd" as the authorisation list.
+.It
+If 'style' is not NULL or empty, look for it in the list of authorisation
+methods found from the pprevious step.
+If 'style' is NULL or an empty string, then default to "passwd"
+authorisation.
+.It
+If 'style' is found in the chosen list of authorisation methods, then
+return that, otherwise return NULL.
+.El
+.Pp
+This scheme allows the administrator to determine the types of
+authorisation methods accepted by the system, depending on the
+means by which the access occurs.
+For example, the administrator may require skey or kerberos as
+the authentication method used for access to the system via the
+network, and standard methods via direct dialup or console
+logins, significantly reducing the risk of password discovery
+by "snooping" network packets.
+.El
+.Sh SEE ALSO
+.Xr login_class 3 ,
+.Xr login.conf 5 ,
+.Xr termcap 5 ,
+.Xr getcap 3 
diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c
new file mode 100644
index 0000000..21ff02f1
--- /dev/null
+++ b/lib/libutil/login_cap.c
@@ -0,0 +1,564 @@
+/*-
+ * Copyright (c) 1996 by
+ * Sean Eric Fagan <sef@kithrup.com>
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice immediately at the beginning of the file, without modification,
+ *    this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD.  Other use
+ *    is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ *    conditions are met.
+ *
+ * Low-level routines relating to the user capabilities database
+ *
+ *	$Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/param.h>
+#include <pwd.h>
+#include <login_cap.h>
+
+#ifdef RLIM_LONG
+# define STRTOV strtol
+#else
+# define STRTOV strtoq
+#endif
+
+static int lc_object_count = 0;
+
+static size_t internal_stringsz = 0;
+static char * internal_string = NULL;
+static size_t internal_arraysz = 0;
+static char ** internal_array = NULL;
+
+static char *
+allocstr(char * str)
+{
+  char * p;
+  size_t sz = strlen(str) + 1;	/* realloc() only if necessary */
+  if (sz <= internal_stringsz)
+    p = internal_string;
+  else if ((p = realloc(internal_string, sz)) != NULL)  {
+    internal_stringsz = sz;
+    internal_string = strcpy(p, str);
+  }
+  return p;
+}
+
+static char **
+allocarray(size_t sz)
+{
+  char ** p;
+  if (sz <= internal_arraysz)
+    p = internal_array;
+  else if ((p = realloc(internal_array, sz * sizeof(char*))) != NULL) {
+    internal_arraysz = sz;
+    internal_array = p;
+  }
+  return p;
+}
+
+
+/*
+ * arrayize()
+ * Turn a simple string <str> seperated by any of
+ * the set of <chars> into an array.  The last element
+ * of the array will be NULL, as is proper.
+ * Free using freearraystr()
+ */
+
+static char **
+arrayize(char *str, const char *chars, int *size)
+{
+  int i;
+  char *ptr;
+  char **res = NULL;
+
+  for (i = 0, ptr = str; *ptr; i++) {
+    int count = strcspn(ptr, chars);
+    ptr = ptr + count + 1;
+  }
+
+  if ((ptr = allocstr(str)) == NULL) {
+    res = NULL;
+    i = 0;
+  } else if ((res = allocarray(++i)) == NULL) {
+    free(str);
+    i = 0;
+  } else {
+    for (i = 0; *ptr; i++) {
+      int count = strcspn(ptr, chars);
+      res[i] = ptr;
+      ptr += count;
+      if (*ptr)
+	*ptr++ = '\0';
+    }
+    res[i] = 0;
+  }
+  if (size)
+    *size = i;
+  return res;
+}
+
+static void
+freearraystr(char ** array)
+{
+  /*
+   * the array[0] should be free'd, and then array.
+   */
+  if (array) {
+    free(array[0]);
+    free(array);
+  }
+}
+
+
+/*
+ * login_close()
+ * Frees up all resources relating to a login class
+ *
+ */
+
+void
+login_close(login_cap_t * lc)
+{
+  if (lc) {
+    free(lc->lc_style);
+    free(lc->lc_class);
+    free(lc);
+    if (--lc_object_count == 0) {
+      free(internal_string);
+      free(internal_array);
+      internal_array = NULL;
+      internal_string = NULL;
+      cgetclose();
+    }
+  }
+}
+
+
+/*
+ * login_getclassbyname() get the login class by its name.
+ * If the name given is NULL or empty, the default class
+ * LOGIN_DEFCLASS (ie. "default") is fetched. If the
+ * 'dir' argument contains a non-NULL non-empty string,
+ * then the file _FILE_LOGIN_CONF is picked up from that
+ * directory instead of the system login database.
+ * Return a filled-out login_cap_t structure, including
+ * class name, and the capability record buffer.
+ */
+
+login_cap_t *
+login_getclassbyname(char const * name, char const * dir)
+{
+  login_cap_t *lc = malloc(sizeof(login_cap_t));
+  
+  if (lc != NULL) {
+    int   i = 0;
+    char  userpath[MAXPATHLEN];
+    static char *login_dbarray[] = { NULL, NULL, NULL };
+
+    if (dir && snprintf(userpath, MAXPATHLEN, "%s/%s", dir, _FILE_LOGIN_CONF) < MAXPATHLEN)
+      login_dbarray[i++] = userpath;
+    else
+      login_dbarray[i++]   = _PATH_LOGIN_CONF;
+    login_dbarray[i  ]   = NULL;
+
+    lc->lc_cap = lc->lc_class = lc->lc_style = NULL;
+
+    if ((name == NULL || cgetent(&lc->lc_cap, login_dbarray, (char*)name) != 0) &&
+	cgetent(&lc->lc_cap, login_dbarray, (char*)(name = LOGIN_DEFCLASS)) != 0) {
+	free(lc);
+	lc = NULL;
+    } else {
+      ++lc_object_count;
+      lc->lc_class = strdup(name);
+    }
+  }
+
+  return lc;
+}
+
+
+
+/*
+ * login_getclass()
+ * Get the login class for a given password entry from
+ * the system (only) login class database.
+ * If the password entry's class field is not set, or
+ * the class specified does not exist, then use the
+ * default of LOGIN_DEFCLASS (ie. "default").
+ * Return a filled-out login_cap_t structure, including
+ * class name, and the capability record buffer.
+ */
+
+login_cap_t *
+login_getclass(const struct passwd *pwd)
+{
+  const char * class = (pwd == NULL) ? NULL : pwd->pw_class;
+  if (pwd->pw_class == NULL || *pwd->pw_class == '\0')
+    class = (pwd->pw_uid == 0) ? "root" : NULL;  /* Kludge for 'root' user(s) */
+  return login_getclassbyname(class, 0);
+}
+
+
+/*
+ * login_getuserclass()
+ * Get the login class for a given password entry, allowing user
+ * overrides via ~/.login_conf.
+ * ### WAS: If the password entry's class field is not set,
+ * #######  or the class specified does not exist, then use
+ * If an entry with the recordid "me" does not exist, then use
+ * the default of LOGIN_DEFCLASS (ie. "default").
+ * Return a filled-out login_cap_t structure, including
+ * class name, and the capability record buffer.
+ */
+
+login_cap_t *
+login_getuserclass(const struct passwd *pwd)
+{
+  const char * class = "me"; /* (pwd == NULL) ? NULL : pwd->pw_class; */
+  const char * home  = (pwd == NULL) ? NULL : pwd->pw_dir;
+  return login_getclassbyname(class, home);
+}
+
+
+
+/*
+ * login_getcapstr()
+ * Given a login_cap entry, and a capability name, return the
+ * value defined for that capability, a defualt if not found, or
+ * an error string on error.
+ */
+
+char *
+login_getcapstr(login_cap_t *lc, const char *cap, char *def, char *error)
+{
+  char *res;
+  int ret;
+
+  if (lc == NULL || cap == NULL || lc->lc_cap == NULL || *cap == '\0')
+    return def;
+
+  if ((ret = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) {
+    return def;
+  } else if (ret >= 0)
+    return res;
+  else
+    return error;
+}
+
+
+/*
+ * login_getcaplist()
+ * Given a login_cap entry, and a capability name, return the
+ * value defined for that capability split into an array of
+ * strings.
+ */
+
+char **
+login_getcaplist(login_cap_t *lc, const char * cap, const char * chars)
+{
+  char * lstring;
+
+  if (chars == NULL)
+    chars = ". \t";
+  if ((lstring = login_getcapstr(lc, (char*)cap, NULL, NULL)) != NULL)
+    return arrayize(lstring, chars, NULL);
+  return NULL;
+}
+
+
+/*
+ * login_getpath()
+ * From the login_cap_t <lc>, get the capability <cap> which is
+ * formatted as either a space or comma delimited list of paths
+ * and append them all into a string and separate by semicolons.
+ * If there is an error of any kind, return <error>.
+ */
+
+char *
+login_getpath(login_cap_t *lc, const char *cap, char * error)
+{
+  char *ptr, *str = login_getcapstr(lc, (char*)cap, NULL, NULL);
+
+  if (str == NULL || (ptr = allocstr(str)) == NULL)
+    str = error;
+  else {
+    while (*ptr) {
+      int count = strcspn(ptr, ", \t");
+      ptr += count;
+      if (*ptr)
+	*ptr++ = ':';
+    }
+  }
+  return str;
+}
+
+
+/*
+ * login_getcaptime()
+ * From the login_cap_t <lc>, get the capability <cap>, which is
+ * formatted as a time (e.g., "<cap>=10h3m2s").  If <cap> is not
+ * present in <lc>, return <def>; if there is an error of some kind,
+ * return <error>.
+ */
+
+rlim_t
+login_getcaptime(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error)
+{
+  char *res, *ep;
+  int ret;
+  rlim_t tot = 0, tim;
+
+  errno = 0;
+  if (lc == NULL || lc->lc_cap == NULL)
+    return def;
+
+  /*
+   * Look for <cap> in lc_cap.
+   * If it's not there (-1), return <def>.
+   * If there's an error, return <error>.
+   */
+
+  if ((ret = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1)
+    return def;
+  else if (ret < 0)
+    return error;
+
+  /*
+   * "inf" and "infinity" are two special cases for this.
+   */
+  if (!strcasecmp(res, "infinity") || !strcasecmp(res, "inf"))
+    return RLIM_INFINITY;
+
+  /*
+   * Now go through the string, turning something like 1h2m3s into
+   * an integral value.  Whee.
+   */
+
+  errno = 0;
+  while (*res) {
+    tim = STRTOV(res, &ep, 0);
+    if ((ep == NULL) || (ep == res) || errno) {
+      return error;
+    }
+    /* Look for suffixes */
+    switch (*ep++) {
+    case 0:
+      ep--; break;	/* end of string */
+    case 's': case 'S':	/* seconds */
+      break;
+    case 'm': case 'M':	/* minutes */
+      tim *= 60L;
+      break;
+    case 'h': case 'H':	/* hours */
+      tim *= (60L * 60L);
+      break;
+    case 'd': case 'D':	/* days */
+      tim *= (60L * 60L * 24L);
+      break;
+    case 'w': case 'W':	/* weeks */
+      tim *= (60L * 60L * 24L * 7L);
+    case 'y': case 'Y':	/* Years */
+      /* I refuse to take leap years into account here.  Sue me. */
+      tim *= (60L * 60L * 24L * 365L);
+    default:
+      return error;
+    }
+    res = ep;
+    tot += tim;
+  }
+  return tot;
+}
+
+
+/*
+ * login_getcapnum()
+ * From the login_cap_t <lc>, extract the numerical value <cap>.
+ * If it is not present, return <def> for a default, and return
+ * <error> if there is an error.
+ * Like login_getcaptime(), only it only converts to a number, not
+ * to a time; "infinity" and "inf" are 'special.'
+ */
+
+rlim_t
+login_getcapnum(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error)
+{
+  char *ep, *res;
+  int ret;
+  rlim_t val;
+
+  if (lc == NULL || lc->lc_cap == NULL)
+    return def;
+
+  /*
+   * For BSDI compatibility, try for the tag=<val> first
+   */
+  if ((ret = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) {
+    long lval;
+    /*
+     * String capability not present, so try for tag#<val> as numeric
+     */
+    if ((ret = cgetnum(lc->lc_cap, (char *)cap, &lval)) == -1)
+      return def; /* Not there, so return default */
+    else if (ret < 0)
+      return error;
+    return (rlim_t)lval;
+  }
+  else if (ret < 0)
+    return error;
+
+  if (!strcasecmp(res, "infinity") || !strcasecmp(res, "inf"))
+    return RLIM_INFINITY;
+
+  errno = 0;
+  val = STRTOV(res, &ep, 0);
+  if ((ep == NULL) || (ep == res) || errno)
+    return error;
+  return val;
+}
+
+
+/*
+ * login_getcapsize()
+ * From the login_cap_t <lc>, extract the capability <cap>, which is
+ * formatted as a size (e.g., "<cap>=10M"); it can also be "infinity".
+ * If not present, return <def>, or <error> if there is an error of
+ * some sort.
+ */
+
+rlim_t
+login_getcapsize(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) {
+  char *ep, *res;
+  int ret;
+  rlim_t val;
+  rlim_t mult;
+
+  if (lc == NULL || lc->lc_cap == NULL)
+    return def;
+
+  if ((ret = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1)
+    return def;
+  else if (ret < 0)
+    return error;
+
+  errno = 0;
+  val = STRTOV(res, &ep, 0);
+  if ((res == NULL) || (res == ep) || errno)
+    return error;
+  switch (*ep) {
+  case 0:	/* end of string */
+    mult = 1; break;
+  case 'b': case 'B':	/* 512-byte blocks */
+    mult = 512; break;
+  case 'k': case 'K':	/* 1024-byte Kilobytes */
+    mult = 1024; break;
+  case 'm': case 'M':	/* 1024-k kbytes */
+    mult = 1024 * 1024; break;
+  case 'g': case 'G':	/* 1Gbyte */
+    mult = 1024 * 1024 * 1024; break;
+#ifndef RLIM_LONG
+  case 't': case 'T':	/* 1TBte */
+    mult = 1024LL * 1024LL * 1024LL * 1024LL; break;
+#endif
+  default:
+    return error;
+  }
+  return val * mult;
+}
+
+
+/*
+ * login_getcapbool()
+ * From the login_cap_t <lc>, check for the existance of the capability
+ * of <cap>.  Return <def> if <lc>->lc_cap is NULL, otherwise return
+ * the whether or not <cap> exists there.
+ */
+
+int
+login_getcapbool(login_cap_t *lc, const char *cap, int def)
+{
+  if (lc == NULL || lc->lc_cap == NULL)
+    return def;
+  return (cgetcap(lc->lc_cap, (char *)cap, ':') != NULL);
+}
+
+
+/*
+ * login_getstyle()
+ * Given a login_cap entry <lc>, and optionally a type of auth <auth>,
+ * and optionally a style <style>, find the style that best suits these
+ * rules:
+ *	1.  If <auth> is non-null, look for an "auth-<auth>=" string
+ *	in the capability; if not present, default to "auth=".
+ *	2.  If there is no auth list found from (1), default to
+ *	"passwd" as an authorization list.
+ *	3.  If <style> is non-null, look for <style> in the list of
+ *	authorization methods found from (2); if <style> is NULL, default
+ *	to LOGIN_DEFSTYLE ("passwd").
+ *	4.  If the chosen style is found in the chosen list of authorization
+ *	methods, return that; otherwise, return NULL.
+ * E.g.:
+ *     login_getstyle(lc, NULL, "ftp");
+ *     login_getstyle(lc, "login", NULL);
+ *     login_getstyle(lc, "skey", "network");
+ */
+
+char *
+login_getstyle(login_cap_t *lc, char *style, const char *auth)
+{
+  int  i;
+  char **authtypes = NULL;
+  char *auths= NULL;
+  char realauth[64];
+
+  static char *defauthtypes[] = { LOGIN_DEFSTYLE, NULL };
+
+  if (auth != NULL && *auth != '\0' &&
+      snprintf(realauth, sizeof realauth, "auth-%s", auth) < sizeof realauth)
+    authtypes = login_getcaplist(lc, realauth, NULL);
+
+  if (authtypes == NULL)
+    authtypes = login_getcaplist(lc, "auth", NULL);
+
+  if (authtypes == NULL)
+    authtypes = defauthtypes;
+
+  /*
+   * We have at least one authtype now; auths is a comma-seperated
+   * (or space-separated) list of authentication types.  We have to
+   * convert from this to an array of char*'s; authtypes then gets this.
+   */
+  i = 0;
+  if (style != NULL && *style != '\0') {
+    while (authtypes[i] != NULL && strcmp(style, authtypes[i]) != 0)
+      i++;
+  }
+  lc->lc_style = NULL;
+  if (authtypes[i] != NULL && (auths = strdup(authtypes[i])) != NULL)
+    lc->lc_style = auths;
+
+  return lc->lc_style;
+}
+
+
diff --git a/lib/libutil/login_class.3 b/lib/libutil/login_class.3
new file mode 100644
index 0000000..370bfbf
--- /dev/null
+++ b/lib/libutil/login_class.3
@@ -0,0 +1,187 @@
+.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd December 28, 1996
+.Os FreeBSD
+.Dt LOGIN_CLASS 3
+.Sh NAME
+.Nm setclasscontext ,
+.Nm setusercontext ,
+.Nm setclassresources ,
+.Nm setclassenvironment
+.Nd functions for using the login class capabilities database.
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <login_cap.h>
+.Ft int
+.Fn setclasscontext "char *classname" "unsigned int flags"
+.Ft int
+.Fn setusercontext "login_cap_t *lc" "const struct passwd *pwd" "uid_t uid" "unsigned int flags"
+.Ft void
+.Fn setclassresources "login_cap_t *lc"
+.Ft void
+.Fn setclassenvironment "login_cap_t *lc" "const struct passwd *pwd" "int paths"
+.Pp
+.Sh DESCRIPTION
+These functions provide a higher level interface to the login class
+database than those documented in
+.Xr login_cap 3 .
+These functions are used to set resource limits, environment and
+accounting settings for users on logging into the system and when
+selecting an appropriate set of environment and resource settings
+for system daemons based on login classes.
+These functions may only be called if the current process is
+running with root priviledges.
+If the LOGIN_SETLOGIN flag is used this function calls
+.Xr setlogin 2 ,
+and due care must be taken as detailed in the manpage for that
+function and this affects all processes running in the same session
+and not just the current process.
+.Pp
+.Fn setclasscontext
+sets various class context values (resource limits, umask and
+process priorities) based on values for a specific named class.
+.Pp
+The function
+.Fn setusercontext
+sets class context values based on a given login_cap_t
+object, a specific passwd record (if login_cap_t is NULL),
+sets the current session's login and the current process
+user and group ownership.
+Each of these functions is selectable via bit-flags passed
+in the
+.Ar flags
+parameter, which is comprised of one or more of the following:
+.Bl -tag -width LOGIN_SETRESOURCES
+.It LOGIN_SETLOGIN
+Set the login associated with the current session to the user
+specified in the passwd structure.
+.Xr setlogin 2 .
+The
+.Ar pwd
+parameter must not be NULL if this option is used.
+.It LOGIN_SETUSER
+Set ownship of the current process to the uid specified in the
+.Ar uid
+parameter using
+.Xr setuid 2 .
+.It LOGIN_SETGROUP
+Set group ownership of the current process to the group id
+specified in the passwd structure using
+.Xr setgid 2 ,
+and calls
+.Xr initgroups 3
+to set up the group access list for the current process.
+The
+.Ar pwd
+parameter must not be NULL if this option is used.
+.It LOGIN_SETRESOURCES
+Set resource limits for the current process based on values
+specified in the system login class database.
+Class capability tags used, with and without -cur (soft limit)
+or -max (hard limit) suffixes and the corresponding resource
+setting:
+.Bd -literal
+cputime       RLIMIT_CPU
+filesize      RLIMIT_FSIZE
+datasize      RLIMIT_DATA
+stacksize     RLIMIT_STACK
+coredumpsize  RLIMIT_CORE
+memoryuse     RLIMIT_RSS
+memorylocked  RLIMIT_MEMLOCK
+maxproc       RLIMIT_NPROC
+openfiles     RLIMIT_NOFILE
+.Ed
+.It LOGIN_SETPRIORITY
+Set the scheduling priority for the current process based on the
+value specified in the system login class database.
+Class capability tags used:
+.Bd -literal
+priority
+.Ed
+.It LOGIN_SETUMASK
+Set the umask for the current process to a value in the user or
+system login class database.
+Class capability tags used:
+.Bd -literal
+umask
+.Ed
+.It LOGIN_SETPATH
+Set the "path" and "manpath" environment variables based on values
+in the user or system login class database.
+Class capability tags used with the corresponding environment
+variables set:
+.Bd -literal
+path          PATH
+manpath       MANPATH
+.Ed
+.It LOGIN_SETENV
+Set various environment variables based on values in the user or
+system login class database.
+Class capability tags used with the corresponding environment
+variables set:
+.Bd -literal
+lang          LANG
+charset       MM_CHARSET
+timezone      TZ
+term          TERM
+.Ed
+.Pp
+Additional environment variables may be set using the list type
+capability "setenv=var1 val1,var2 val2..,varN valN".
+.It LOGIN_SETALL
+Enables all of the above settings.
+.El
+.Pp
+Note that when setting environment variables and a valid passwd
+pointer is provided in the
+.Ar pwd
+parameter, the characters
+.Ql \&~
+and
+.Ql \&$
+are substituted for the user's home directory and login name
+respectively.
+.Pp
+The
+.Fn setclassresources
+and
+.Fn setclassenvironment
+functions are subsets of the setcontext functions above, but may
+be useful in isolation.
+.Sh RETURN VALUES
+.Fn setclasscontext
+and
+.Fn setusercontext
+return -1 if an error occured, or 0 on success.
+If an error occurs when attempting to set the user, login, group
+or resources, a message is reported to
+.Xr syslog 3 ,
+with LOG_ERR priority and directed to the currently active facility.
+.Sh SEE ALSO
+.Xr setlogin 2 ,
+.Xr setuid 2 ,
+.Xr setgid 2 ,
+.Xr initgroups 3 ,
+.Xr login_cap 3 ,
+.Xr login.conf 5 ,
+.Xr termcap 5 ,
+.Xr getcap 3 
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
new file mode 100644
index 0000000..1dc6cc4
--- /dev/null
+++ b/lib/libutil/login_class.c
@@ -0,0 +1,371 @@
+/*-
+ * Copyright (c) 1996 by
+ * Sean Eric Fagan <sef@kithrup.com>
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice immediately at the beginning of the file, without modification,
+ *    this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD.  Other use
+ *    is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ *    conditions are met.
+ *
+ * High-level routines relating to use of the user capabilities database
+ *
+ *	$Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <syslog.h>
+#include <login_cap.h>
+#include <paths.h>
+
+
+#undef	UNKNOWN
+#define	UNKNOWN	"su"
+
+
+static struct login_res {
+  const char * what;
+  rlim_t (*who)(login_cap_t *, const char *, rlim_t, rlim_t);
+  int why;
+} resources[] = {
+  { "cputime",	    login_getcaptime, RLIMIT_CPU      },
+  { "filesize",     login_getcapsize, RLIMIT_FSIZE    },
+  { "datasize",     login_getcapsize, RLIMIT_DATA     },
+  { "stacksize",    login_getcapsize, RLIMIT_STACK    },
+  { "coredumpsize", login_getcapsize, RLIMIT_CORE     },
+  { "memoryuse",    login_getcapsize, RLIMIT_RSS      },
+  { "memorylocked", login_getcapsize, RLIMIT_MEMLOCK  },
+  { "maxproc",	    login_getcapnum,  RLIMIT_NPROC    },
+  { "openfiles",    login_getcapnum,  RLIMIT_NOFILE   },
+  { NULL,	    0,		      0 	      }
+};
+
+
+
+void
+setclassresources(login_cap_t *lc)
+{
+  struct login_res *lr = resources;
+
+  while (lr->what != NULL) {
+    struct rlimit rlim,
+		  newlim;
+    char	  cur[40],
+		  max[40];
+    rlim_t	  rcur,
+		  rmax;
+
+    sprintf(cur, "%s-cur", lr->what);
+    sprintf(max, "%s-max", lr->what);
+
+    /*
+     * The login.conf file can have <limit>, <limit>-max, and
+     * <limit>-cur entries.
+     * What we do is get the current current- and maximum- limits.
+     * Then, we try to get an entry for <limit> from the capability,
+     * using the current and max limits we just got as the
+     * default/error values.
+     * *Then*, we try looking for <limit>-cur and <limit>-max,
+     * again using the appropriate values as the default/error
+     * conditions.
+     */
+
+    getrlimit(lr->why, &rlim);
+    rcur = rlim.rlim_cur;
+    rmax = rlim.rlim_max;
+
+    rcur = (*lr->who)(lc, lr->what, rcur, rcur);
+    rmax = (*lr->who)(lc, lr->what, rmax, rmax);
+    newlim.rlim_cur = (*lr->who)(lc, cur, rcur, rcur);
+    newlim.rlim_max = (*lr->who)(lc, max, rmax, rmax);
+    
+    if (setrlimit(lr->why, &newlim) == -1)
+      syslog(LOG_WARNING, "set class '%s' resource limit %s: %m", lc->lc_class, lr->what);
+
+    ++lr;
+  }
+}
+
+static struct login_vars {
+  const char * tag;
+  const char * var;
+  const char * def;
+} pathvars[] = {
+  { "path",	"PATH",	      NULL    },
+  { "manpath",	"MANPATH",    NULL    },
+  { NULL,	NULL,	      NULL    }
+}, envars[] = {
+  { "lang",	"LANG",	      NULL    },
+  { "charset",	"MM_CHARSET", NULL    },
+  { "timezone", "TZ",	      NULL    },
+  { "term",	"TERM",       UNKNOWN },
+  { NULL,	NULL,	      NULL    }
+};
+
+static char *
+substvar(char * var, const struct passwd * pwd, int hlen, int pch, int nlen)
+{
+  char * np = NULL;
+
+  if (var != NULL) {
+    int tildes = 0;
+    int dollas = 0;
+    char * p;
+
+    if (pwd != NULL) {
+      /*
+       * Count the number of ~'s in var to substitute
+       */
+      p = var;
+      while ((p = strchr(p, '~')) != NULL) {
+	++tildes;
+	++p;
+      }
+
+      /*
+       * Count the number of $'s in var to substitute
+       */
+      p = var;
+      while ((p = strchr(p, '$')) != NULL) {
+        ++dollas;
+        ++p;
+      }
+    }
+
+    np = malloc(strlen(var) + (dollas * nlen) - dollas + (tildes * (pch+hlen)) - tildes + 1);
+
+    if (np != NULL) {
+      p = strcpy(np, var);
+
+      if (pwd != NULL) {
+	/*
+	 * This loop does user username and homedir substitutions
+	 * for unescaped $ (username) and ~ (homedir)
+	 */
+	while (*(p += strcspn(p, "~$")) != '\0') {
+	  int l = strlen(p);
+
+	  if (p > var && *(p-1) == '\\')  /* Escaped: */
+	    memmove(p - 1, p, l + 1);	    /* Slide-out the backslash */
+	  else if (*p == '~') {
+	    memmove(p + 1, p + hlen + pch, l);  /* Subst homedir */
+	    memmove(p, pwd->pw_dir, hlen);
+	    if (pch)
+      	      p[hlen] = '/';
+	    p += hlen + pch;
+	  }
+	  else /* if (*p == '$') */ {
+	    memmove(p + 1, p + nlen, l);	/* Subst username */
+	    memmove(p, pwd->pw_name, nlen);
+	    p += nlen;
+	  }
+	}
+      }
+    }
+  }
+  return np;
+}
+
+
+void
+setclassenvironment(login_cap_t *lc, const struct passwd * pwd, int paths)
+{
+  struct login_vars * vars = paths ? pathvars : envars;
+  int hlen = pwd ? strlen(pwd->pw_dir) : 0;
+  int nlen = pwd ? strlen(pwd->pw_name) : 0;
+  char pch = 0;
+
+  if (hlen && pwd->pw_dir[hlen-1] != '/')
+    ++pch;
+
+  while (vars->tag != NULL) {
+    char * var = paths ? login_getpath(lc, vars->tag, NULL)
+		       : login_getcapstr(lc, vars->tag, NULL, NULL);
+
+    char * np  = substvar(var, pwd, hlen, pch, nlen);
+
+    if (np != NULL) {
+      setenv(vars->var, np, 1);
+      free(np);
+    } else if (vars->def != NULL) {
+      setenv(vars->var, vars->def, 0);
+    }
+    ++vars;
+  }
+
+  /*
+   * If we're not processing paths, then see if there is a setenv list by
+   * which the admin and/or user may set an arbitrary set of env vars.
+   */
+  if (!paths) {
+    char ** set_env = login_getcaplist(lc, "setenv", ",");
+    if (set_env != NULL) {
+      while (*set_env != NULL) {
+	char *p = strchr(*set_env, '=');
+	if (p != NULL) {
+	  char * np = substvar(set_env[1], pwd, hlen, pch, nlen);
+	  if (np != NULL) {
+	    setenv(set_env[0], np, 1);
+	    free(np);
+	  }
+	}
+	++set_env;
+      }
+    }
+  }
+
+}
+
+
+/*
+ * setclasscontext()
+ *
+ * For the login class <class>, set various class context values
+ * (limits, mainly) to the values for that class.  Which values are
+ * set are controlled by <flags> -- see <login_class.h> for the
+ * possible values.
+ *
+ * setclasscontext() can only set resources, priority, and umask.
+ */
+
+int
+setclasscontext(const char *classname, unsigned int flags)
+{
+  int rc;
+  login_cap_t * lc = login_getclassbyname(classname, NULL);
+  flags &= (LOGIN_SETRESOURCES| LOGIN_SETPRIORITY|LOGIN_SETUMASK);
+  rc = setusercontext(lc, NULL, 0, flags);
+  login_close(lc);
+  return rc;
+}
+
+
+/*
+ * setusercontext()
+ *
+ * Given a login class <lc> and a user in <pwd>, with a uid <uid>,
+ * set the context as in setclasscontext().  <flags> controls which
+ * values are set.
+ *
+ * The difference between setclasscontext() and setusercontext() is
+ * that the former sets things up for an already-existing process,
+ * while the latter sets things up from a root context.  Such as might
+ * be called from login(1).
+ *
+ */
+
+int
+setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags)
+{
+  int i;
+  login_cap_t * llc = NULL;
+
+  if (lc == NULL)
+  {
+    if (pwd == NULL || (lc = login_getclass(pwd)) == NULL) {
+      return -1;
+    }
+    llc = lc; /* free this when we're done */
+  }
+
+  if (flags & LOGIN_SETPATH)
+    pathvars[0].def = uid ? _PATH_DEFPATH : _PATH_STDPATH;
+
+  /*
+   * Set the process priority
+   */
+  if (flags & LOGIN_SETPRIORITY) {
+    int pri = (int)login_getcapnum(lc, "priority", LOGIN_DEFPRI, LOGIN_DEFPRI);
+    pri = (pri < PRIO_MIN) ? PRIO_MIN : (pri > PRIO_MAX) ? PRIO_MAX : pri;
+    if (setpriority(PRIO_PROCESS, 0, pri) != 0)
+      syslog(LOG_WARNING, "setpriority '%s': %m", pwd->pw_name);
+  }
+
+  /*
+   * Set resources
+   */
+  if (flags & LOGIN_SETRESOURCES)
+    setclassresources(lc);
+
+  /*
+   * Set the sessions login
+   */
+  if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
+    syslog(LOG_ERR, "setlogin '%s': %m", pwd->pw_name);
+    login_close(llc);
+    return -1;	/* You can't be too paranoid */
+  }
+
+  /*
+   * Setup the user's group permissions
+   */
+  if (flags & LOGIN_SETGROUP) {
+    /* XXX is it really a good idea to let errors here go? */
+    if (setgid(pwd->pw_gid) != 0)
+      syslog(LOG_WARNING, "setgid %ld: %m", (long)pwd->pw_gid);
+    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1)
+      syslog(LOG_WARNING, "initgroups '%s': %m", pwd->pw_name);
+  }
+
+  /*
+   * This needs to be done after all of the above.
+   */
+  if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
+    syslog(LOG_ERR, "setuid %ld: %m", uid);
+    login_close(llc);
+    return -1;	/* Paranoia again */
+  }
+
+  /*
+   * FreeBSD extension: here we (might) loop and do this twice.
+   * First, for the class we have been given, and next for
+   * any user overrides in ~/.login.conf the user's home directory.
+   */
+  if (flags & LOGIN_SETUMASK)
+    umask(LOGIN_DEFUMASK);    /* Set default umask up front */
+
+  i = 0;
+  while (i < 2 && lc != NULL) {
+
+    if (flags & LOGIN_SETUMASK) {
+      rlim_t tmp = login_getcapnum(lc, "umask", RLIM_INFINITY, RLIM_INFINITY);
+      if (tmp != RLIM_INFINITY)
+	umask((mode_t)tmp);
+    }
+
+    if (flags & LOGIN_SETPATH)
+      setclassenvironment(lc, pwd, 1);
+
+    if (flags & LOGIN_SETENV)
+      setclassenvironment(lc, pwd, 0);
+
+    if (i++ == 0) /* Play it again, Sam */
+      lc = (pwd == NULL) ? NULL : login_getuserclass(pwd);
+  }
+
+  login_close(lc);  /* User's private 'me' class */
+  login_close(llc); /* Class we opened */
+
+  return 0;
+}
+
diff --git a/lib/libutil/login_ok.3 b/lib/libutil/login_ok.3
new file mode 100644
index 0000000..c459d94
--- /dev/null
+++ b/lib/libutil/login_ok.3
@@ -0,0 +1,109 @@
+.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd January 2, 1997
+.Os FreeBSD
+.Dt LOGIN_OK 3
+.Sh NAME
+.Nm auth_ttyok
+.Nm auth_hostok
+.Nm auth_timeok
+.Nd Functions for checking login class based login restrictions
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <time.h>
+.Fd #include <login_cap.h>
+.Ft int
+.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
+.Ft int
+.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
+.Ft int
+.Fn auth_timeok "login_cap_t *lc" "time_t t"
+.Sh DESCRIPTION
+This set of functions checks to see if login is allowed based on login
+class capability entries in the login database,
+.Xr login.conf 5 .
+.Pp
+.Fn auth_ttyok
+checks to see if the named tty is available to users of a specific
+class, and is either in the "ttys.allow" access list, and not in
+the "ttys.deny" access list.
+An empty "ttys.allowed" list (or if no such capability exists for
+the give login class) logins via any tty device are allowed unless
+the "ttys.deny" list exists and is non-empty, and the device or its
+tty group (see
+.Xr ttys 5 )
+is not in the list.
+Access to ttys may be allowed or restricted specifically by tty device
+name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
+or may name a ttygroup, when group=<name> tags have been assigned in
+.Pa /etc/ttys .
+Matching of ttys and ttygroups is case sensitive.
+Passing a NULL or empty string as the
+.Ar tty
+parameter causes the function to return a non-zero value.
+.Pp
+.Fn auth_hostok
+checks for any host restrictions for remote logins.
+The function checks on both a host name and IP address (given in its
+text form, typically n.n.n.n) against the "host.allow" and "host.deny"
+login class capabilities.
+As with ttys and their groups, wildcards and character classes may be
+used in the host allow and deny capability records.
+The
+.Xr fnmatch 3
+function is used for matching, and the matching on hostnames is case
+insensitive.
+Note that this function expects that the hostname is fully expanded
+(i.e. the local domain name added if necessary) and the IP address
+is in its canonical form.
+No hostname or address lookups are attempted.
+.Pp
+It is possible to call this function with either the hostname or
+the IP address missing (i.e. NULL) and matching will be performed
+only on the basis of the parameter given.
+Passing NULL or empty strings in both parameters will result in
+a non-zero return value.
+.Pp
+The
+.Fn auth_timeok
+function checks to see that a given time value is within the
+"times.allow" login class capability and not within the
+"times.deny" access lists.
+An empty or non-existent "times.allow" list allows access at any
+time, except if a given time is falls within a period in the
+"times.deny" list.
+The format of time period records contained in both "times.allow"
+and "times.deny" capability fields is explained in detail in the
+.Xr login_times 3
+manual page.
+.Sh RETURN VALUES
+A non-zero return value from any of these functions indicates that
+login access is granted.
+A zero return value means either that the item being tested is not
+in the "allow" access list, or is within the "deny" access list.
+.Sh SEE ALSO
+.Xr login.conf 5 ,
+.Xr login_cap 3 ,
+.Xr login_class 3 ,
+.Xr login_times 3 ,
+.Xr termcap 5 ,
+.Xr getcap 3 
diff --git a/lib/libutil/login_ok.c b/lib/libutil/login_ok.c
new file mode 100644
index 0000000..cf778da
--- /dev/null
+++ b/lib/libutil/login_ok.c
@@ -0,0 +1,242 @@
+/*-
+ * Copyright (c) 1996 by
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice immediately at the beginning of the file, without modification,
+ *    this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD.  Other use
+ *    is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ *    conditions are met.
+ *
+ * Support allow/deny lists in login class capabilities
+ *
+ *	$Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <ttyent.h>
+#include <fnmatch.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/param.h>
+#include <login_cap.h>
+
+
+/* -- support functions -- */
+
+/* login_strinlist()
+ * This function is intentionally public - reused by TAS.
+ * Returns TRUE (non-zero) if a string matches a pattern
+ * in a given array of patterns. 'flags' is passed directly
+ * to fnmatch(3).
+ */
+
+int
+login_strinlist(char **list, char const *str, int flags)
+{
+  int rc = 0;
+
+  if (str != NULL && *str != '\0')
+  {
+    int i = 0;
+    while (rc == 0 && list[i] != NULL)
+      rc = fnmatch(list[i], str, flags) == 0;
+  }
+  return rc;
+}
+
+
+/* login_str2inlist()
+ * Locate either or two strings in a given list
+ */
+
+int
+login_str2inlist(char **ttlst, const char *str1, const char *str2, int flags)
+{
+  int rc = 0;
+
+  if (login_strinlist(ttlst, str1, flags))
+    rc = 1;
+  else if (login_strinlist(ttlst, str2, flags))
+    rc = 1;
+  return rc;
+}
+
+
+/* login_timelist()
+ * This function is intentinoally public - reused by TAS.
+ * Returns an allocated list of time periods given an array
+ * of time periods in ascii form.
+ */
+
+login_time_t *
+login_timelist(login_cap_t *lc, char const *cap, int *ltno, login_time_t **ltptr)
+{
+  int j = 0;
+  struct login_time * lt = NULL;
+  char **tl = login_getcaplist(lc, cap, NULL);
+
+  if (tl)
+  {
+    while (tl[j++] != NULL)
+      ;
+    if (*ltno >= j)
+      lt = *ltptr;
+    else if ((lt = realloc(*ltptr, j)) != NULL)
+    {
+      *ltno = j;
+      *ltptr = lt;
+    }
+    if (lt != NULL)
+    {
+      int i = 0;
+      --j;
+      while (i < j)
+      {
+	lt[i] = parse_lt(tl[i]);
+	++i;
+      }
+      lt[i].lt_dow = LTM_NONE;
+    }
+  }
+  return lt;
+}
+
+
+/* login_ttyok()
+ * This function is a variation of auth_ttyok(), but it checks two
+ * arbitrary capability lists not necessarily related to access.
+ * This hook is provided for the accounted/exclude accounting lists.
+ */
+
+int
+login_ttyok(login_cap_t *lc, const char *tty, const char *allowcap, const char *denycap)
+{
+  int rc = 1;
+
+  if (lc != NULL && tty != NULL && *tty != '\0')
+  {
+    struct ttyent * te = getttynam(tty);  /* Need group name */
+    char * grp = te ? te->ty_group : NULL;
+    char **ttl = login_getcaplist(lc, allowcap, NULL);
+
+    if (ttl != NULL && !login_str2inlist(ttl, tty, grp, 0))
+      rc = 0;	/* tty or ttygroup not in allow list */
+    else
+    {
+      ttl = login_getcaplist(lc, denycap, NULL);
+      if (ttl != NULL && login_str2inlist(ttl, tty, grp, 0))
+	rc = 0; /* tty or ttygroup in deny list */
+    }
+  }
+  return rc;
+}
+
+
+/* auth_ttyok()
+ * Determine whether or not login on a tty is accessible for
+ * a login class
+ */
+
+int
+auth_ttyok(login_cap_t *lc, const char * tty)
+{
+  return login_ttyok(lc, tty, "ttys.allow", "ttys.deny");
+}
+
+
+/* login_hostok()
+ * This function is a variation of auth_hostok(), but it checks two
+ * arbitrary capability lists not necessarily related to access.
+ * This hook is provided for the accounted/exclude accounting lists.
+ */
+
+int
+login_hostok(login_cap_t *lc, const char *host, const char *ip, const char *allowcap, const char *denycap)
+{
+  int rc = 1; /* Default is ok */
+
+  if (lc != NULL && ((host != NULL && *host != '\0') || (ip != NULL && *ip != '\0')))
+  {
+    char **hl = login_getcaplist(lc, allowcap, NULL);
+
+    if (hl != NULL && !login_str2inlist(hl, host, ip, FNM_CASEFOLD))
+      rc = 0;	/* host or IP not in allow list */
+    else
+    {
+      hl = login_getcaplist(lc, "host.deny", NULL);
+      if (hl != NULL && login_str2inlist(hl, host, ip, FNM_CASEFOLD))
+	rc = 0; /* host or IP in deny list */
+    }
+  }
+  return rc;
+}
+
+
+/* auth_hostok()
+ * Determine whether or not login from a host is ok
+ */
+
+int
+auth_hostok(login_cap_t *lc, const char *host, const char *ip)
+{
+  return login_hostok(lc, host, ip, "host.allow", "host.deny");
+}
+
+
+/* auth_timeok()
+ * Determine whether or not login is ok at a given time
+ */
+
+int
+auth_timeok(login_cap_t *lc, time_t t)
+{
+  int rc = 1; /* Default is ok */
+
+  if (lc != NULL && t != (time_t)0 && t != (time_t)-1)
+  {
+    struct tm * tptr = localtime(&t);
+
+    static int ltimesno = 0;
+    static struct login_time * ltimes = NULL;
+
+    if (tptr != NULL)
+    {
+      struct login_time *lt = login_timelist(lc, "times.allow", &ltimesno, &ltimes);
+
+      if (lt != NULL && in_ltms(lt, tptr, NULL) == -1)
+	rc = 0;	  /* not in allowed times list */
+      else
+      {
+	lt = login_timelist(lc, "times.deny", &ltimesno, &ltimes);
+
+	if (lt != NULL && in_ltms(lt, tptr, NULL) != -1)
+	  rc = 0; /* in deny times list */
+      }
+      if (ltimes)
+      {
+	free(ltimes);
+	ltimes = NULL;
+	ltimesno = 0;
+      }
+    }
+  }
+  return rc;
+}
+
diff --git a/lib/libutil/login_times.3 b/lib/libutil/login_times.3
new file mode 100644
index 0000000..d8e1156
--- /dev/null
+++ b/lib/libutil/login_times.3
@@ -0,0 +1,155 @@
+.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice immediately at the beginning of the file, without modification,
+.\"    this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
+.\"    is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\"    David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\"    conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd January 2, 1997
+.Os FreeBSD
+.Dt LOGIN_TIMES 3
+.Sh NAME
+.Nm parse_lt
+.Nm in_ltm
+.Nm in_ltms
+.Nd Functions for parsing and checking login time periods
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <time.h>
+.Fd #include <login_cap.h>
+.Ft login_time_t
+.Fn parse_lt "const char *str"
+.Ft int
+.Fn in_ltm "const login_time_t *lt" "struct tm *t" "time_t *ends"
+.Ft int
+.Fn in_ltms "const login_time_t *lt" "struct tm *t" "time_t *ends"
+.Sh DESCRIPTION
+This set of functions may be used for parsing and checking login and
+session times against a predefined list of allowed login times as
+used in
+.Xr login.conf 5 .
+.Pp
+The format of allowed and disallowed session times specified in the
+.Ar times.allow
+and
+.Ar times.deny
+capability fields in a login class are comprised of a prefix which
+specifies one or more 2- or 3-character day codes, followed by
+a start and end time in 24 hour format separated by a hyphen.
+Day codes may be concatenated together to select specific days, or
+the special mnemonics "Any" and "All" (for any/all days of the week),
+"Wk" for any day of the week (excluding Saturdays and Sundays) and
+"Wd" for any weekend day may be used.
+.Pp
+For example, the following time period:
+.Dl MoThFrSa1400-2200
+is interpreted as Monday, Thursday through Saturday between the hours
+of 2pm and 10pm.
+.Dl Wd0600-1800
+means Saturday and Sunday, between the hours of 6am through 6pm, and
+.Dl Any0400-1600
+means any day of the week, between 4am and 4pm.
+.Pp
+Note that all time periods reference system local time.
+.Pp
+The
+.Fn parse_lt
+function converts the ascii representation of a time period into
+a structure of type
+.Ft login_time_t .
+This is defined as:
+.Bd -literal
+typedef struct login_time
+{
+  u_short	lt_start;   /* Start time */
+  u_short	lt_end;	    /* End time */
+  u_char	lt_dow;	    /* Days of week */
+} login_time_t;
+.Ed
+.Pp
+The
+.Ar lt_start
+and
+.Ar lt_end
+fields contain the number of minutes past midnight at which the
+described period begins and ends.
+The
+.Ar lt_dow
+field is a bit field, containing one bit for each day of the week
+and one bit unused.
+A series
+.Em LTM_*
+macros may be used for testing bits individually and in combination.
+If no bits are set in this field - ie. it contains the value
+.Em LTM_NONE -
+then the entire period is assumed invalid.
+This is used as a convention to mark the termination of an array
+of login_time_t values.
+If
+.Fn parse_lt
+returns a
+.Ar login_time_t
+with
+.Ar lt_dow
+equal to
+.Em LTM_NONE
+then a parsing error was encountered.
+.Pp
+The remaining functions provide the ability to test a given time_t or
+struct tm value against a specific time period or array of time
+periods.
+.Fn in_ltm
+determines whether the given time described by the struct tm
+passed as the second parameter falls within the period described
+by the first parameter.
+A boolean value is returned, indicating whether or not the time
+specified falls within the period.
+If the time does fall within the time period, and the third
+parameter to the function is not NULL, the time at which the
+period ends relative to the time passed is returned.
+.Pp
+The
+.Fn in_ltms 
+function is similar to
+.Fn in_ltm
+except that the first parameter must be a pointer to an array
+of login_time_t objects, which is up to LC_MAXTIMES (64)
+elements in length, and terminated by an element with its
+.Ar lt_dow
+field set to
+.Em LTM_NONE.
+.Sh RETURN VALUES
+.Fn parse_lt
+returns a filled in structure of type login_time_t containing the
+parsed time period.
+If a parsing error occurs, the lt_dow field is set to
+.Em LTM_NONE
+(i.e. 0).
+.Pp
+.Fn in_ltm
+returns non-zero if the given time falls within the period described
+by the login_time_t passed as the first parameter.
+.Pp
+.Fn in_ltms
+returns the index of the first time period found in which the given
+time falls, or -1 if none of them apply.
+.Sh SEE ALSO
+.Xr login.conf 5 ,
+.Xr login_cap 3 ,
+.Xr login_class 3 ,
+.Xr termcap 5 ,
+.Xr getcap 3 
diff --git a/lib/libutil/login_times.c b/lib/libutil/login_times.c
new file mode 100644
index 0000000..098200e
--- /dev/null
+++ b/lib/libutil/login_times.c
@@ -0,0 +1,166 @@
+/*-
+ * Copyright (c) 1996 by
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice immediately at the beginning of the file, without modification,
+ *    this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD.  Other use
+ *    is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ *    conditions are met.
+ *
+ * Login period parsing and comparison functions.
+ *
+ *	$Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+
+#include <login_cap.h>
+
+static struct
+{
+  const char * dw;
+  u_char       cn;
+  u_char       fl;
+} dws[] =
+{
+  { "su", 2, LTM_SUN }, { "mo", 2, LTM_MON }, { "tu", 2, LTM_TUE },
+  { "we", 2, LTM_WED }, { "th", 2, LTM_THU }, { "fr", 2, LTM_FRI },
+  { "sa", 2, LTM_SAT }, { "any",3, LTM_ANY }, { "all",3, LTM_ANY }, 
+  { "wk", 2, LTM_WK  }, { "wd", 2, LTM_WD  }, { NULL, 0, 0       }
+};
+
+static char *
+parse_time(char * ptr, u_short * t)
+{
+  u_short val;
+
+  for (val = 0; *ptr && isdigit(*ptr); ptr++)
+    val = (u_short)(val * 10 + (*ptr - '0'));
+
+  *t = (u_short)((val / 100) * 60 + (val % 100));
+  return ptr;
+}
+
+login_time_t
+parse_lt(const char * str)
+{
+  login_time_t t;
+
+  memset(&t, 0, sizeof t);
+  t.lt_dow = LTM_NONE;
+  if (str && *str && strcmp(str, "Never") != 0 && strcmp(str, "None") != 0)
+  {
+    int i;
+    login_time_t m = t;
+    char * p;
+    char buf[64];
+
+    /* Make local copy and force lowercase to simplify parsing
+     */
+    p = strncpy(buf, str, sizeof buf);
+    buf[sizeof buf - 1] = '\0';
+    for (i = 0; buf[i]; i++)
+      buf[i] = (char)tolower(buf[i]);
+
+    while (isalpha(*p))
+    {
+      for (i = 0; dws[i].dw && strncmp(p, dws[i].dw, dws[i].cn) != 0 ; i++)
+	;
+      if (dws[i].dw == NULL)
+	break;
+      m.lt_dow |= dws[i].fl;
+      p += dws[i].cn;
+    }
+
+    if (m.lt_dow == LTM_NONE) /* No (valid) prefix, assume any */
+      m.lt_dow |= LTM_ANY;
+
+    if (isdigit(*p))
+      p = parse_time(p, &m.lt_start);
+    else
+      m.lt_start = 0;
+    if (*p == '-')
+      p = parse_time(++p, &m.lt_end);
+    else
+      m.lt_end = 1440;
+
+    t = m;
+  }
+  return t;
+}
+
+
+int
+in_ltm(const login_time_t * ltm, struct tm * tt, time_t * ends)
+{
+  int rc = 0;
+
+  if (tt != NULL)
+  {
+    /* First, examine the day of the week
+     */
+    if ((u_char)(0x01 << tt->tm_wday) & ltm->lt_dow)
+    {
+      /* Convert `current' time to minute of the day
+       */
+      u_short now = (u_short)((tt->tm_hour * 60) + tt->tm_min);
+      if (tt->tm_sec > 30)
+	++now;
+      if (now >= ltm->lt_start && now < ltm->lt_end)
+      {
+	rc = 2;
+	if (ends != NULL)
+	{
+	  /* If requested, return ending time for this period
+	   */
+	  tt->tm_hour = (int)(ltm->lt_end / 60);
+	  tt->tm_min  = (int)(ltm->lt_end % 60);
+	  *ends = mktime(tt);
+	}
+      }
+    }
+  }
+  return rc;
+}
+
+int
+in_lt(const login_time_t * ltm, time_t * t)
+{
+  return in_ltm(ltm, localtime(t), t);
+}
+
+int
+in_ltms(const login_time_t * ltm, struct tm * tm, time_t * t)
+{
+  int i = 0;
+
+  while (i < LC_MAXTIMES && ltm[i].lt_dow != LTM_NONE)
+  {
+    if (in_ltm(ltm + i, tm, t))
+      return i;
+    i++;
+  }
+  return -1;
+}
+
+int
+in_lts(const login_time_t * ltm, time_t * t)
+{
+  return in_ltms(ltm, localtime(t), t);
+}
+