From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] pam: thoughts on modernizing pam_limits configuration that Gentoo ships with
Date: Mon, 12 Dec 2022 05:52:20 +0000 [thread overview]
Message-ID: <robbat2-20221212T054126-100190800Z@orbis-terrarum.net> (raw)
In-Reply-To: <8e75c01a-e798-d822-312d-cb21b6d70d45@gentoo.org>
[-- Attachment #1: Type: text/plain, Size: 1548 bytes --]
Please do file a bug tracking this proposal, and reference the
discussion thread.
On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote:
> What I'd like to do is to bump the limits.conf we ship with pam to
> following
>
> * hard nproc 16384
> * soft nproc 16384
> * hard nofile 16384
> * soft nofile 16384
>
> Those are still reasonable defaults that are much more suitable the
> modern systems. I can only see benefits in it and am unable to think
> about the potential drawbacks of bumping *defaults*.
Drawbacks:
- The "*" would apply it to all users on a system, not just the
interactive ones, and reduce overall security posture.
- Does this also need a sysctl change for raising fs.file-max?
With those in mind, how can we deploy these defaults for interactive
users, while still trying to maintain the good security posture overall?
- Is using "@users" instead of "*" good enough? (I think yes)
- Should it be limited to shiny logins on X or should it also take
effect via remote logins? (conceptually yes, but I don't see a way to
do it today within the scope of only pam_limits**)
** The closest other solution I can find is using a distinct limits.conf
for interactive logins, selected via pam.d trickery, and I don't like
that proposal.
--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]
next prev parent reply other threads:[~2022-12-12 5:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-11 8:28 [gentoo-dev] pam: thoughts on modernizing pam_limits configuration that Gentoo ships with Piotr Karbowski
2022-12-11 12:46 ` Sam James
2022-12-11 15:38 ` Piotr Karbowski
2022-12-12 5:52 ` Robin H. Johnson [this message]
2022-12-12 21:55 ` Piotr Karbowski
2022-12-12 22:06 ` Sam James
2022-12-12 22:26 ` Piotr Karbowski
2022-12-12 22:53 ` Sam James
2022-12-13 3:24 ` John Helmert III
2022-12-13 5:18 ` Joonas Niilola
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=robbat2-20221212T054126-100190800Z@orbis-terrarum.net \
--to=robbat2@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox