Security Handbook/User and group limitations

This section is about controlling the system's resource usage.

/etc/security/limits.conf
Controlling resource usage can be very effective when trying to prevent a local Denial of Service or restricting the maximum allowed logins for a group or user. However, overly strict settings will impede your system's behavior and cause program failures, so make sure that you check each setting first.

If you find yourself trying to set nproc or maxlogins to, maybe you should delete the user instead. The example above sets the group dev settings for processes, core file and maxlogins. The rest is set to a default value.
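How wildcard, group and user entries in a limits.conf-style file combine into one user's effective limits, as an added Python example (not part of the handbook or of pam_limits). The sample entries, the users alice and bob, and the tie-break for equally specific lines are assumptions made for illustration.

```python
# Added example: resolve the limits that apply to one user.
# SAMPLE is constructed for illustration; its values are not from the handbook.
SAMPLE = """\
# <domain>  <type>  <item>      <value>
*           soft    core        0
*           hard    nproc       200
@dev        hard    core        100000
@dev        soft    nproc       20
@dev        hard    nproc       50
@dev        -       maxlogins   10
kn          hard    nproc       30
"""

def parse(text):
    """Yield (domain, type, item, value) for each rule, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if len(line) == 4 and line[1] in ("soft", "hard", "-"):
            yield tuple(line)

def priority(domain, user, groups):
    """Lower number = more specific. None means the rule does not apply."""
    if domain == user:
        return 0
    if domain.startswith("@") and domain[1:] in groups:
        return 1
    if domain == "*":
        return 2
    return None

def effective_limits(text, user, groups):
    """Return {(item, 'soft'|'hard'): value} for this user."""
    chosen = {}  # (item, kind) -> (priority, value)
    for domain, kind, item, value in parse(text):
        prio = priority(domain, user, groups)
        if prio is None:
            continue
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            # A more specific rule is never replaced by a less specific one;
            # on a tie the later line wins (assumed tie-break).
            if (item, k) not in chosen or prio <= chosen[(item, k)][0]:
                chosen[(item, k)] = (prio, value)
    return {key: value for key, (_, value) in chosen.items()}

if __name__ == "__main__":
    for who, grps in (("kn", {"dev"}), ("alice", {"dev"}), ("bob", set())):
        print(who, effective_limits(SAMPLE, who, grps))
```

Running the same function over a copy of your real file before deploying it shows which users would end up with no hard nproc or maxlogins limit at all.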

/etc/limits
/etc/limits is very similar to the limit file. The only difference is the format and that it only works on users or wildcards (not groups). Let's have a look at a sample configuration:

Here we set the default settings and a specific setting for the user kn. Limits are part of the package. It is not necessary to set any limits in this file if you have enabled pam in.

Quotas
Putting quotas on a file system restricts disk usage on a per-user or per-group basis. Quotas are enabled in the kernel and added to a mount point in. The kernel option is enabled in the kernel configuration under Apply the following settings, rebuild the kernel and reboot using the new kernel.

Start by installing quotas with. Then modify your and add   and   to the partitions that you want to restrict disk usage on, like in the example below:

On every partition that you have enabled quotas, create the quota files (aquota.user and aquota.group) and place them in the root of the partition:

This step has to be done on every partition where quotas are enabled. After adding and configuring the quota files, we need to add the quota script to the boot runlevel.

Add quota to the boot runlevel:

We will now configure the system to check the quotas once a week by adding the following line to /etc/crontab:

After rebooting the machine, it is time to set up the quotas for users and groups. will start the editor defined in $EDITOR (default is ) and let you edit the quotas of the user kn. will do the same thing for groups.

For more detail read or the Quota mini howto.

/etc/login.defs
If your security policy states that users should change their password every other week, change the value of PASS_MAX_DAYS to  and PASS_WARN_AGE to. It is recommended that you use password aging since brute-force methods can find any password, given enough time. We also encourage you to set LOG_OK_LOGINS to.

/etc/security/access.conf
The access.conf file is also part of the package, which provides a login access control table. This table is used to control who can and cannot log in based on user name, group name or host name. By default, all users on the system are allowed to log in, so the file consists only of comments and examples. Whether you are securing your server or workstation, we recommend that you set up this file so no one other than yourself (the admin) has access to the console.

This will set up login access so members of the wheel group can log in locally or from the gentoo.org domain. Maybe too paranoid, but better to be safe than sorry.