[gentoo-user] pam limits

[gentoo-user] pam limits

[Daniel Iliev]

Hi, ppl

I have the habit of imposing some limitations over all users via 
/etc/security/limits.conf. For example I used to limit the number of
concurrent processes one can execute to prevent the system from simple
misuses like fork bombs by putting a limit (nproc) for group "users"
and all other common groups ("games" etc.)

Now that the behaviour of "useradd -m xyz" has changed from putting the
newuser in group "users" ("xyz:users") to putting the user in a group
with same name ("xyz:xyz") I would appreciate any advice on getting the
old behavior back or any workaround to achieve the same goal - all
users should be limited by default at creation time.


-- 
Best regards,
Daniel
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Albert Hopkins]

On Thu, 2007-10-25 at 14:35 +0300, Daniel Iliev wrote:
> Hi, ppl
> 
> I have the habit of imposing some limitations over all users via 
> /etc/security/limits.conf. For example I used to limit the number of
> concurrent processes one can execute to prevent the system from simple
> misuses like fork bombs by putting a limit (nproc) for group "users"
> and all other common groups ("games" etc.)
> 
> Now that the behaviour of "useradd -m xyz" has changed from putting the
> newuser in group "users" ("xyz:users") to putting the user in a group
> with same name ("xyz:xyz") I would appreciate any advice on getting the
> old behavior back or any workaround to achieve the same goal - all
> users should be limited by default at creation time.

Oh do they do that now?  That was that nasty Red Hat extension.
Nevertheless, override the default behavior:

# useradd -m -g users xyz



--
Albert W. Hopkins

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Etaoin Shrdlu]

On Thursday 25 October 2007, Albert Hopkins wrote:

> Oh do they do that now?  That was that nasty Red Hat extension.

While one might agree or disagree about that, IMHO the problem now is 
that the options in /etc/default/useradd are ignored. If I run 
useradd -D it shows GROUP=100, but running useradd <username> still 
creates a new group named after the user and puts the user into it.

After a little search, it seems that the USERGROUPS_ENAB directive 
in /etc/login.defs, although not explicitly mentioning this issue, is 
the culprit. Setting it to "no" restores the old behavior (putting the 
new users into group "users").

Alternatively, looking at the various patches, it seems that a new option 
exists (-n), which seems to be the default when -g is not given, that is 
not documented in the man page (to see it, "useradd --help" must be 
used). This is another case where man pages are not in sync with changes 
introduced by patches. Should a bug be opened for this?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Etaoin Shrdlu]

On Thursday 25 October 2007, Etaoin Shrdlu wrote:

> After a little search, it seems that the USERGROUPS_ENAB directive
> in /etc/login.defs, although not explicitly mentioning this issue, is
> the culprit. Setting it to "no" restores the old behavior (putting the
> new users into group "users").

Found bug #128715 about the issue, apparently "fixed" but not stating 
clearly what the correct behavior should be.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [SOLVED] pam limits

[Daniel Iliev]

On Thu, 25 Oct 2007 14:25:03 +0200
Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:

> On Thursday 25 October 2007, Albert Hopkins wrote:
> 
> > Oh do they do that now?  That was that nasty Red Hat extension.
> 
> While one might agree or disagree about that, IMHO the problem now is 
> that the options in /etc/default/useradd are ignored. If I run 
> useradd -D it shows GROUP=100, but running useradd <username> still 
> creates a new group named after the user and puts the user into it.
> 

Exactly my point! :)
You were ahead of me with this reply, but it came here after I sent my
previous message. Sorry for the noise and redundancy.


> After a little search, it seems that the USERGROUPS_ENAB directive 
> in /etc/login.defs, although not explicitly mentioning this issue, is 
> the culprit. Setting it to "no" restores the old behavior (putting
> the new users into group "users").
> 


Big thanks!

That's exactly what I needed. ;-))))




-- 
Best regards,
Daniel
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Daniel Iliev]

On Thu, 25 Oct 2007 06:45:49 -0500
Albert Hopkins <marduk@letterboxes.org> wrote:

> > 
> > Now that the behaviour of "useradd -m xyz" has changed from putting
> > the newuser in group "users" ("xyz:users") to putting the user in a
> > group with same name ("xyz:xyz") I would appreciate any advice on
> > getting the old behavior back or any workaround to achieve the same
> > goal - all users should be limited by default at creation time.
> 
> Oh do they do that now?  That was that nasty Red Hat extension.
> Nevertheless, override the default behavior:
> 
> # useradd -m -g users xyz
> 
> 
> 
> --
> Albert W. Hopkins
> 


Yes, of course, I could use "useradd -g", but I'm always forgetting it.
I was thinking for something more like...let's say a config file, where
one could put the defaults and actually use only "useradd xyz" w/o any
params. Thinking of which...there is this file /etc/default/useradd,
where I have the statement "GROUP=100" (100=users), but useradd doesn't
obey it...



-- 
Best regards,
Daniel
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Daniel Iliev]

On Thu, 25 Oct 2007 06:45:49 -0500
Albert Hopkins <marduk@letterboxes.org> wrote:

> > 
> > Now that the behaviour of "useradd -m xyz" has changed from putting
> > the newuser in group "users" ("xyz:users") to putting the user in a
> > group with same name ("xyz:xyz") I would appreciate any advice on
> > getting the old behavior back or any workaround to achieve the same
> > goal - all users should be limited by default at creation time.
> 
> Oh do they do that now?  That was that nasty Red Hat extension.
> Nevertheless, override the default behavior:
> 
> # useradd -m -g users xyz
> 
> 
> 
> --
> Albert W. Hopkins
> 



Yes, of course, I could use "useradd -g", but I'm always forgetting
about it. I was thinking for something more like...let's say a config
file, where one could put the defaults and actually use only
 "useradd xyz" w/o any params. Talking of which...there's that
file /etc/default/useradd, where I have the statement
"GROUP=100" (100=users), but useradd doesn't obey it...


-- 
Best regards,
Daniel
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Florian Philipp]

Albert Hopkins schrieb:
> On Thu, 2007-10-25 at 14:35 +0300, Daniel Iliev wrote:
>> Hi, ppl
>>
>> I have the habit of imposing some limitations over all users via 
>> /etc/security/limits.conf. For example I used to limit the number of
>> concurrent processes one can execute to prevent the system from simple
>> misuses like fork bombs by putting a limit (nproc) for group "users"
>> and all other common groups ("games" etc.)
>>
>> Now that the behaviour of "useradd -m xyz" has changed from putting the
>> newuser in group "users" ("xyz:users") to putting the user in a group
>> with same name ("xyz:xyz") I would appreciate any advice on getting the
>> old behavior back or any workaround to achieve the same goal - all
>> users should be limited by default at creation time.
> 
> Oh do they do that now?  That was that nasty Red Hat extension.
> Nevertheless, override the default behavior:
> 
> # useradd -m -g users xyz
> 
> 
> 
> --
> Albert W. Hopkins
> 

I'm wondering what's the advantage of using a special group for each
user. Doesn't it just make user administration more complicated?

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Albert Hopkins]

On Fri, 2007-10-26 at 00:02 +0200, Florian Philipp wrote:
> I'm wondering what's the advantage of using a special group for each
> user. Doesn't it just make user administration more complicated?

It's explained here http://tinyurl.com/4bn9h 

Basically it aids in the sharing of files/directories between groups.
AFAIK the same thing can (and should) be done using ACLs but,
unfortunately, this isn't enabled by default on most Linux distros, thus
the Red Hat hack.

--
Albert W. Hopkins

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Etaoin Shrdlu]

On Thursday 25 October 2007, Daniel Iliev wrote:

> Now that the behaviour of "useradd -m xyz" has changed from putting
> the newuser in group "users" ("xyz:users") to putting the user in a
> group with same name ("xyz:xyz") I would appreciate any advice on
> getting the old behavior back or any workaround to achieve the same
> goal - all users should be limited by default at creation time.

Why can't you specify the "-g users" when running useradd?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Dan Farrell]

On Thu, 25 Oct 2007 13:55:45 +0200
Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:

> Why can't you specify the "-g users" when running useradd?
> -- 

guess: scripted?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Etaoin Shrdlu]

On Friday 26 October 2007, Dan Farrell wrote:

> On Thu, 25 Oct 2007 13:55:45 +0200
>
> Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> > Why can't you specify the "-g users" when running useradd?
> > --
>
> guess: scripted?

And scripts can be changed, can't they?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Dan Farrell]

On Fri, 26 Oct 2007 09:55:04 +0200
Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:

> On Friday 26 October 2007, Dan Farrell wrote:
> 
> > On Thu, 25 Oct 2007 13:55:45 +0200
> >
> > Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> > > Why can't you specify the "-g users" when running useradd?
> > > --
> >
> > guess: scripted?
> 
> And scripts can be changed, can't they?

With time.  With debugging.  And with pushing the changes out to who
knows how many hosts.  
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Etaoin Shrdlu]

On Friday 26 October 2007, Dan Farrell wrote:
> On Fri, 26 Oct 2007 09:55:04 +0200
>
> Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> > On Friday 26 October 2007, Dan Farrell wrote:
> > > On Thu, 25 Oct 2007 13:55:45 +0200
> > >
> > > Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> > > > Why can't you specify the "-g users" when running useradd?
> > > > --
> > >
> > > guess: scripted?
> >
> > And scripts can be changed, can't they?
>
> With time.  With debugging.  And with pushing the changes out to who
> knows how many hosts.

The same is true also for manually changing USERGROUPS_ENAB 
in /etc/login.defs in all machines (which the OP had to do anyway).
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] pam limits

[Dirk Heinrichs]

[-- Attachment #1: Type: text/plain, Size: 763 bytes --]

Am Donnerstag, 25. Oktober 2007 schrieb ext Daniel Iliev:
> Now that the behaviour of "useradd -m xyz" has changed from putting the
> newuser in group "users" ("xyz:users") to putting the user in a group
> with same name ("xyz:xyz") I would appreciate any advice on getting the
> old behavior back or any workaround to achieve the same goal

Don't use useradd?
Overide the default?
Change it afterwards?

Bye...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68      | Web:  http://www.capgemini.com
D-40468 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]