public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] pam: thoughts on modernizing pam_limits configuration that Gentoo ships with
Date: Mon, 12 Dec 2022 05:52:20 +0000	[thread overview]
Message-ID: <robbat2-20221212T054126-100190800Z@orbis-terrarum.net> (raw)
In-Reply-To: <8e75c01a-e798-d822-312d-cb21b6d70d45@gentoo.org>

[-- Attachment #1: Type: text/plain, Size: 1548 bytes --]

Please do file a bug tracking this proposal, and reference the
discussion thread.

On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote:
> What I'd like to do is to bump the limits.conf we ship with pam to
> following
> 
>      * hard nproc 16384
>      * soft nproc 16384
>      * hard nofile 16384
>      * soft nofile 16384
>
> Those are still reasonable defaults that are much more suitable the 
> modern systems. I can only see benefits in it and am unable to think 
> about the potential drawbacks of bumping *defaults*.
Drawbacks:
- The "*" would apply it to all users on a system, not just the
  interactive ones, and reduce overall security posture.
- Does this also need a sysctl change for raising fs.file-max?

With those in mind, how can we deploy these defaults for interactive
users, while still trying to maintain the good security posture overall?

- Is using "@users" instead of "*" good enough? (I think yes)
- Should it be limited to shiny logins on X or should it also take
  effect via remote logins? (conceptually yes, but I don't see a way to
  do it today within the scope of only pam_limits**)


** The closest other solution I can find is using a distinct limits.conf
for interactive logins, selected via pam.d trickery, and I don't like
that proposal.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

  parent reply	other threads:[~2022-12-12  5:52 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-11  8:28 [gentoo-dev] pam: thoughts on modernizing pam_limits configuration that Gentoo ships with Piotr Karbowski
2022-12-11 12:46 ` Sam James
2022-12-11 15:38   ` Piotr Karbowski
2022-12-12  5:52 ` Robin H. Johnson [this message]
2022-12-12 21:55   ` Piotr Karbowski
2022-12-12 22:06     ` Sam James
2022-12-12 22:26       ` Piotr Karbowski
2022-12-12 22:53         ` Sam James
2022-12-13  3:24         ` John Helmert III
2022-12-13  5:18         ` Joonas Niilola

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=robbat2-20221212T054126-100190800Z@orbis-terrarum.net \
    --to=robbat2@gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox