author Yaroslav Tykhiy <ytykhiy@gmail.com> 2007-05-10 11:22:24 +0000
committer Yaroslav Tykhiy <ytykhiy@gmail.com> 2007-05-10 11:22:24 +0000
commit 99bb95ae79969e423dc098638b6b9f5b63503dd6
tree 3a20133fb651fae9e852793fc72654406331447e /usr.sbin
parent 6ac646b3b7d25bdf365c3c5c67b0cbed90baa500
Update nologin(5) to match the modern reality of login.conf(5) and PAM.
Notes: svn path=/head/; revision=169439
Diffstat (limited to 'usr.sbin')
-rw-r--r-- usr.sbin/nologin/nologin.5 56
1 files changed, 44 insertions, 12 deletions
diff --git a/usr.sbin/nologin/nologin.5 b/usr.sbin/nologin/nologin.5
index 961f5a39b1ed..f8a21beb78fd 100644
--- a/usr.sbin/nologin/nologin.5
+++ b/usr.sbin/nologin/nologin.5
@@ -28,7 +28,7 @@
.\" @(#)nologin.8 8.1 (Berkeley) 6/19/93
.\" $FreeBSD$
.\"
-.Dd June 19, 1993
+.Dd May 10, 2007
.Dt NOLOGIN 5
.Os
.Sh NAME
@@ -37,28 +37,60 @@
.Sh DESCRIPTION
Programs such as
.Xr login 1
-disallow logins if the file
-.Pa /var/run/nologin
-exists.
-Programs display the contents of
-.Pa /var/run/nologin
-to the user and exit.
+disallow logins if the
+.Nm
+file exists.
+The programs display the contents of
+.Nm
+to the user if possible and interrupt the login sequence.
This makes it simple to temporarily prevent incoming logins systemwide.
.Pp
To disable logins on a per-account basis,
investigate
.Xr nologin 8 .
.Sh SECURITY
-Ignored by
-.Xr login 1
-for user root.
+The
+.Nm
+file is ignored for user root by default.
+.Sh IMPLEMENTATION NOTES
+The
+.Nm
+feature is implemented through
+.Xr login.conf 5 ,
+which allows to change the pathname of the
+file and to extend the list of users
+exempt from temporary login restriction.
+.Pp
+PAM-aware programs can be selectively configured to respect
+.Nm
+using the
+.Xr pam_nologin 8
+module via
+.Xr pam.conf 5 .
+.Pp
+The
+.Nm
+file will be removed at system boot if it resides in
+.Pa /var/run
+and
+.Va cleanvar_enable
+is set to
+.Dq Li YES
+in
+.Xr rc.conf 5 ,
+which is default.
+Therefore system reboot can effectively re-enable logins.
.Sh FILES
.Bl -tag -width ".Pa /var/run/nologin" -compact
.It Pa /var/run/nologin
+default location of
+.Nm
.El
.Sh SEE ALSO
.Xr login 1 ,
-.Xr rlogin 1 ,
-.Xr telnet 1 ,
+.Xr login.conf 5 ,
+.Xr pam.conf 5 ,
+.Xr rc.conf 5 ,
.Xr nologin 8 ,
+.Xr pam_nologin 8 ,
.Xr shutdown 8
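Review bot: The SECURITY section in this hunk still covers only the root exemption, while the new IMPLEMENTATION NOTES paragraph on pam_nologin(8) says PAM-aware programs respect the file only when "selectively configured" to. Since DESCRIPTION keeps the claim that the file prevents incoming logins "systemwide", SECURITY should state that a PAM-aware service lacking pam_nologin(8) in pam.conf(5) may not honor the file, and that the root exemption and the pathname can be changed through login.conf(5). It would also help to name the login.conf(5) capabilities involved rather than only pointing at the page. Wording nits in the added lines: "which allows to change the pathname" reads better as "which allows changing the pathname of the file and extending the list of users", "which is default" as "which is the default", and "Therefore system reboot" as "Therefore a system reboot".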