1 |
Please do file a bug tracking this proposal, and reference the |
2 |
discussion thread. |
3 |
|
4 |
On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote: |
5 |
> What I'd like to do is to bump the limits.conf we ship with pam to |
6 |
> following |
7 |
> |
8 |
> * hard nproc 16384 |
9 |
> * soft nproc 16384 |
10 |
> * hard nofile 16384 |
11 |
> * soft nofile 16384 |
12 |
> |
13 |
> Those are still reasonable defaults that are much more suitable the |
14 |
> modern systems. I can only see benefits in it and am unable to think |
15 |
> about the potential drawbacks of bumping *defaults*. |
16 |
Drawbacks: |
17 |
- The "*" would apply it to all users on a system, not just the |
18 |
interactive ones, and reduce overall security posture. |
19 |
- Does this also need a sysctl change for raising fs.file-max? |
20 |
|
21 |
With those in mind, how can we deploy these defaults for interactive |
22 |
users, while still trying to maintain the good security posture overall? |
23 |
|
24 |
- Is using "@users" instead of "*" good enough? (I think yes) |
25 |
- Should it be limited to shiny logins on X or should it also take |
26 |
effect via remote logins? (conceptually yes, but I don't see a way to |
27 |
do it today within the scope of only pam_limits**) |
28 |
|
29 |
|
30 |
** The closest other solution I can find is using a distinct limits.conf |
31 |
for interactive logins, selected via pam.d trickery, and I don't like |
32 |
that proposal. |
33 |
|
34 |
-- |
35 |
Robin Hugh Johnson |
36 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
37 |
E-Mail : robbat2@g.o |
38 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
39 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |