| 1 |
Hi, |
| 2 |
|
| 3 |
On 12/12/2022 06.52, Robin H. Johnson wrote: |
| 4 |
> Please do file a bug tracking this proposal, and reference the |
| 5 |
> discussion thread. |
| 6 |
> |
| 7 |
> On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote: |
| 8 |
>> What I'd like to do is to bump the limits.conf we ship with pam to |
| 9 |
>> following |
| 10 |
>> |
| 11 |
>> * hard nproc 16384 |
| 12 |
>> * soft nproc 16384 |
| 13 |
>> * hard nofile 16384 |
| 14 |
>> * soft nofile 16384 |
| 15 |
>> |
| 16 |
>> Those are still reasonable defaults that are much more suitable the |
| 17 |
>> modern systems. I can only see benefits in it and am unable to think |
| 18 |
>> about the potential drawbacks of bumping *defaults*. |
| 19 |
> Drawbacks: |
| 20 |
> - The "*" would apply it to all users on a system, not just the |
| 21 |
> interactive ones, and reduce overall security posture. |
| 22 |
> - Does this also need a sysctl change for raising fs.file-max? |
| 23 |
> |
| 24 |
> With those in mind, how can we deploy these defaults for interactive |
| 25 |
> users, while still trying to maintain the good security posture overall? |
| 26 |
> |
| 27 |
> - Is using "@users" instead of "*" good enough? (I think yes) |
| 28 |
> - Should it be limited to shiny logins on X or should it also take |
| 29 |
> effect via remote logins? (conceptually yes, but I don't see a way to |
| 30 |
> do it today within the scope of only pam_limits**) |
| 31 |
> |
| 32 |
> |
| 33 |
> ** The closest other solution I can find is using a distinct limits.conf |
| 34 |
> for interactive logins, selected via pam.d trickery, and I don't like |
| 35 |
> that proposal. |
| 36 |
|
| 37 |
Since both you and Sam requested bug[1], so be it -- though I still find |
| 38 |
it excessive and I do not remember any other case where discussion about |
| 39 |
change in package were tracked in bug, I just hope it will not branch |
| 40 |
discussion to be in two places, navigating it would be difficult. |
| 41 |
|
| 42 |
Looks like I have some backtracking to do. I pulled off latest stage3 |
| 43 |
and seems like the limits.conf there have no entries by default, I do |
| 44 |
however have the nproc limit there on 2 old gentoo systems dating back |
| 45 |
into 2009, perhaps at some point limits.conf have it and I do not |
| 46 |
remember adding it there, so either it could be default at some point in |
| 47 |
time, or I added it and forgot, with the later being more likely. |
| 48 |
Apologies for confusion. |
| 49 |
|
| 50 |
Regardless I'd like to continue the discussion about the new Gentoo's |
| 51 |
defaults. |
| 52 |
|
| 53 |
Which makes the current defaults being inherited from kernel, though pid |
| 54 |
1 to all the children, which are |
| 55 |
|
| 56 |
For the 32bit x86: |
| 57 |
|
| 58 |
limit soft hard |
| 59 |
nproc 64095 64095 |
| 60 |
nofile 1024 4096 |
| 61 |
|
| 62 |
And for the 64bit x86 |
| 63 |
|
| 64 |
limit soft hard |
| 65 |
nproc 256819 256819 |
| 66 |
nofile 1024 4096 |
| 67 |
|
| 68 |
|
| 69 |
The fs.file-max does not need any change, on 32bit x86 it's 1636118 and |
| 70 |
on 64bit x86 it's 6574089 |
| 71 |
|
| 72 |
What I propose here is to significantly bump the limit of open files per |
| 73 |
user, and limit the number of PIDs per user to 16k. If anything, the |
| 74 |
current defaults allow you to make a DoS by forkbomb, the current |
| 75 |
defaults are neither secure nor make sense in 2022. Linux kernel is full |
| 76 |
of defaults that beg to be updated, among others, vm.swappiness makes |
| 77 |
absolute no sense in its current defaults either. |
| 78 |
|
| 79 |
As for the remote logins, local logins and X sessions -- I see no value |
| 80 |
in having different limits across those. |
| 81 |
|
| 82 |
[1] https://bugs.gentoo.org/885589 |
| 83 |
|
| 84 |
-- Piotr. |
Archives