Feature request: module [pam_limits]

Cedric Bhihe cedric.bhihe at gmail.com
Sat Feb 27 20:18:19 UTC 2016

Lately I've been exploring how to harden an Ubuntu OS against possible 
external attacks.
I am still at the level of basic recipes, but I noticed one tiny thing, 
that I consider unwieldy...

Looking at "limits" for users on a system, I noticed that to configure 
the pam_limits module `/etc/security/limits.conf`, one can arrange for 
something as simple as:

    #<domain> <type> <item> <value>
    *         soft   nproc  300
    *         hard   nproc  600

where the domain wild-card applies to all non-root users.

But what happens when one tries to enforce limits on all non-root users 
but one, say userX (non-root)?
Right now, one might simply write something such as:

    #<domain> <type> <item> <value>
    *         soft   nproc  300
    *         hard   nproc  600
    userX     -      nproc  1500

... explicitly adding specific different limits for that specific userX.

My *_feature request_* is to introduce a GNU syntax extension to the 
POSIX syntax, where NEGATING user-id (e.g. !userX or ^userX) or group-id 
(e.g. !@groupY or ^@groupY) would be a valid domain entry. For instance:

    #<domain> <type> <item> <value>
    !userX    soft   nproc  300
    !userX    hard   nproc  600
    ^@groupY  -      fsize  4500000   # File-size limit applies to all groups but groupY

would mean
    -  `nproc` soft and hard limits apply to all non-root users, with the 
exception of userX
    -  `fsize` soft and hard limits apply to all groups but groupY

In the above case userX's `nproc` limit and groupY's `fsize` limit 
would be the system's default unless otherwise explicitly defined.
The same extended syntax suggestion can apply to ranges of UIDs and GIDs.

Hope this gets followed. Cheers,     -ced

More information about the Ubuntu-devel-discuss mailing list
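
The following is an added illustration, not part of the original message and not pam_limits code: a simplified Python model of how limits.conf domains resolve for one user (explicit user entries beat group entries, which beat the wildcard; group and wildcard entries are skipped for root), extended with the negated domains the post proposes. The function names, the constructed sample configs, and the choice to rank a negated entry like a wildcard are assumptions made for this example.

```python
# Constructed samples: the post's existing-syntax config and its proposed form.
CURRENT = """\
#<domain> <type> <item> <value>
*         soft   nproc  300
*         hard   nproc  600
userX     -      nproc  1500
"""
PROPOSED = """\
!userX    soft   nproc  300
!userX    hard   nproc  600
^@groupY  -      fsize  4500000   # all groups but groupY
"""

def rank(domain, user, groups):
    """Return match specificity (lower wins), or None if the domain does not apply."""
    neg = domain[0] in "!^"      # negation prefix from the proposal (hypothetical)
    name = domain[1:] if neg else domain
    if name == "*":
        hit, r = True, 2
    elif name.startswith("@"):
        hit, r = name[1:] in groups, 1
    else:
        hit, r = name == user, 0
    if neg:
        # Assumption: a negated entry behaves like a wildcard with one exclusion.
        return None if hit else 2
    return r if hit else None

def effective(conf, user, groups=()):
    """Resolve {(item, type): value} for a user (numeric values only)."""
    best = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) != 4:
            continue
        domain, typ, item, value = fields
        r = rank(domain, user, groups)
        if r is None or (user == "root" and r > 0):
            continue   # group and wildcard entries are not applied to root
        for t in (("soft", "hard") if typ == "-" else (typ,)):
            # A more specific entry wins; at equal specificity the later line wins.
            if (item, t) not in best or r <= best[(item, t)][0]:
                best[(item, t)] = (r, int(value))
    return {k: v for k, (_, v) in best.items()}

if __name__ == "__main__":
    for name, grp in (("alice", ("staff",)), ("userX", ("groupY",))):
        print(name, effective(CURRENT, name, grp), effective(PROPOSED, name, grp))
```

An empty result means no entry matched, so the user keeps the system's default limits, which is the outcome the proposal describes for the excluded user or group.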