Feature request: module [pam_limits]
Cedric Bhihe
cedric.bhihe at gmail.com
Sat Feb 27 20:18:19 UTC 2016
Lately I've been exploring how to harden an Ubuntu OS against possible
external attacks.
I am still at the level of basic recipes, but I noticed one tiny thing,
that I consider unwieldy...
Looking at "limits" for users on a system, I noticed that to configure
the pam_limits module (/etc/security/limits.conf), one can arrange for
something as simple as:

    #<domain> <type> <item> <value>
    *         soft   nproc  300
    *         hard   nproc  600

where the domain wild-card applies to all non-root users.
But what happens when one tries to enforce limits on all non-root users
but one, say userX (non-root)?
Right now, one might simply write something such as:

    #<domain> <type> <item> <value>
    *         soft   nproc  300
    *         hard   nproc  600
    userX     -      nproc  1500

... explicitly adding specific different limits for that specific userX.
My feature request is to introduce a GNU syntax extension to the
POSIX syntax, where NEGATING user-id (e.g. !userX or ^userX) or group-id
(e.g. !@groupY or ^@groupY) would be a valid domain entry. For instance:

    #<domain> <type> <item> <value>
    !userX    soft   nproc  300
    !userX    hard   nproc  600
    ^@groupY  -      fsize  4500000   # File-size limit applies to all groups but groupY

would mean
- `nproc` soft and hard limits apply to all non-root users, with the
exception of userX
- `fsize` soft and hard limits apply to all groups, but groupY
In the above case userX's `nproc` limit and groupY's `fsize` limit
would be the system's default unless otherwise explicitly defined.
The same extended syntax suggestion can apply to ranges of UIDs and GIDs.
Hope this gets followed. Cheers, -ced
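
The negated-domain semantics requested above, sketched as an added example (not part of the original message and not pam_limits code). It assumes that "!" and "^" are equivalent, that a negated @group matches users who are not members of that group, and that later entries override earlier ones, which simplifies real pam_limits precedence.

```python
# Constructed sample in the PROPOSED syntax; pam_limits itself does not
# accept "!" or "^" domain prefixes.
SAMPLE = """\
#<domain> <type> <item> <value>
!userX    soft   nproc  300
!userX    hard   nproc  600
^@groupY  -      fsize  4500000   # all groups but groupY
"""


def parse(text):
    """Yield (negated, domain, type, item, value) for each well-formed entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank, comment-only or malformed line
        domain, typ, item, value = fields
        negated = domain[0] in "!^"
        yield negated, domain[1:] if negated else domain, typ, item, value


def applies(negated, domain, user, groups):
    """Assumed semantics: a negated domain matches everyone it does not name."""
    is_group = domain.startswith("@")
    named = domain[1:] in groups if is_group else domain in ("*", user)
    # As with wildcard and group entries in pam_limits, root is never caught
    # by a domain that does not name it explicitly.
    if user == "root" and (negated or is_group or domain == "*"):
        return False
    return named != negated


def effective_limits(text, user, groups=()):
    """Return {item: {"soft": v, "hard": v}}; later entries win (simplified)."""
    limits = {}
    for negated, domain, typ, item, value in parse(text):
        if not applies(negated, domain, user, set(groups)):
            continue
        value = int(value) if value.isdigit() else value  # e.g. "unlimited"
        for kind in ("soft", "hard") if typ == "-" else (typ,):
            limits.setdefault(item, {})[kind] = value
    return limits


if __name__ == "__main__":
    for who, grps in [("alice", ["staff"]), ("userX", ["groupY"]), ("root", [])]:
        print(who, grps, effective_limits(SAMPLE, who, grps))
```

An empty result means no entry matched, so the system defaults would apply to that user.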