Security Handbook/User and group limitations

This section provides detail on controlling the system's resource usage.

/etc/security/limits.conf
Controlling resource usage can be very effective when trying to prevent a local Denial of Service (DoS) or to restrict the maximum allowed logins for a group or user. However, settings that are too strict will impede the system's behavior, so make sure each setting is sanity checked before it is implemented.

Consider removing a user before setting nproc or maxlogins to. The example above sets the group dev settings for processes, core file and maxlogins. The rest is set to a default value.
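The following linter is an added example, not part of the handbook, showing one way to run the sanity check recommended above before a limits file goes live. It assumes the four-column `domain type item value` layout and item names from limits.conf(5); the sample entries and the function names are constructed for illustration.

```python
import re

# Numeric items from limits.conf(5); nice and priority take signed values.
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
         "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
         "sigpending", "msgqueue", "nice", "rtprio"}
SIGNED = {"nice", "priority"}

SAMPLE = """\
# constructed sample, not the handbook's own configuration
*     hard  core       0
@dev  soft  nproc      200
@dev  hard  nproc      100
@dev  -     maxlogins  4
kn    hard  nprocs     50
kn    hard  nofile     lots
"""

def as_number(item, value):
    """Return the limit as a number (inf = no limit), or None if malformed."""
    if value in ("unlimited", "infinity") or (value == "-1" and item not in SIGNED):
        return float("inf")
    return int(value) if re.fullmatch(r"-?\d+", value) else None

def lint(text):
    """Return sorted (line number, message) findings for limits.conf text."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            if fields:  # blank and comment-only lines are fine
                findings.append((no, "expected: domain type item value"))
            continue
        domain, kind, item, value = fields
        if kind not in ("soft", "hard", "-"):
            findings.append((no, f"unknown type {kind!r}"))
        if item not in ITEMS:
            findings.append((no, f"unknown item {item!r}"))
        number = as_number(item, value)
        if number is None:
            findings.append((no, f"malformed value {value!r}"))
        elif item not in SIGNED:  # remember limits for the soft/hard comparison
            for k in ("soft", "hard") if kind == "-" else (kind,):
                seen[(domain, item, k)] = (no, number)
    for (domain, item, k), (no, soft) in seen.items():
        hard = seen.get((domain, item, "hard"))
        if k == "soft" and hard and soft > hard[1]:
            findings.append((no, f"soft {item} for {domain} exceeds hard limit (line {hard[0]})"))
    return sorted(findings)
```

Calling `lint(SAMPLE)` reports the soft limit above its hard limit on line 3, the misspelled item on line 6 and the non-numeric value on line 7.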

/etc/limits
is very similar to the limit file found at. The difference between the files is the format and that it only works on users or wildcards (not groups). Let's have a look at a sample configuration:

Here we set the default settings and a specific setting for the user kn. Limits are part of the package. It is not necessary to set any limits in this file if the  USE flag has been enabled in.

Quotas
Putting quotas on a file system restricts disk usage on a per-user or per-group basis. Quotas are enabled in the kernel and added to a mount point in. The kernel option is enabled in the kernel configuration under Apply the following settings, rebuild the kernel and reboot using the new kernel.

Start by installing quotas with. Then modify and add   and   to the partitions to be restricted, like in the example below:

On every partition that has quotas enabled, create the quota files ( and ) and place them in the root of the partition:

This step has to be done on every partition where quotas are enabled.

On OpenRC systems, after adding and configuring the quota files, be sure to add the quota script to the boot run level.

Add quota to the boot runlevel:

Quotas can be checked once a week by adding the following line to :

After rebooting, it is time to set up the quotas for users and groups. will start the editor defined in the EDITOR environment variable (default is ) and allow editing quotas of the user kn. will do the same thing for groups.

For more detail read or the Quota mini howto.

/etc/login.defs
If your security policy states that users should change their password every other week, change the value of the PASS_MAX_DAYS variable to  and the PASS_WARN_AGE variable to. It is recommended that password aging be implemented, since brute force methods can find any password given enough time. Sysadmins are also encouraged to set the LOG_OK_LOGINS variable to.

/etc/security/access.conf
The file is also part of the  package, which provides a login access control table. This table is used to control who can and cannot log in based on user name, group name or host name. By default, all users on the system are allowed to log in, so the file consists only of comments and examples. Whether securing a server or workstation, we recommend this file be secured so no one other than the sysadmin has access to the console.

This will set up login access so members of the wheel group can log in locally or from the gentoo.org domain. Maybe too paranoid, but better to be safe than sorry.