Hi,
On 12/12/2022 06.52, Robin H. Johnson wrote:
> Please do file a bug tracking this proposal, and reference the
> discussion thread.
>
> On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote:
>> What I'd like to do is to bump the limits.conf we ship with pam to the
>> following:
>> * hard nproc 16384
>> * soft nproc 16384
>> * hard nofile 16384
>> * soft nofile 16384
>> Those are still reasonable defaults that are much more suitable for
>> modern systems. I can only see benefits in it and am unable to think
>> of potential drawbacks of bumping *defaults*.
>
> Drawbacks:
> - The "*" would apply it to all users on a system, not just the
>   interactive ones, and reduce overall security posture.
> - Does this also need a sysctl change for raising fs.file-max?
>
> With those in mind, how can we deploy these defaults for interactive
> users, while still trying to maintain the good security posture overall?
> - Is using "@users" instead of "*" good enough? (I think yes)
> - Should it be limited to shiny logins on X or should it also take
>   effect via remote logins? (conceptually yes, but I don't see a way to
>   do it today within the scope of only pam_limits**)
>
> ** The closest other solution I can find is using a distinct limits.conf
> for interactive logins, selected via pam.d trickery, and I don't like
> that proposal.
Since both you and Sam requested a bug [1], so be it, though I still find
it excessive and I do not remember any other case where a discussion about
a change in a package was tracked in a bug. I just hope it will not split
the discussion into two places; navigating it would be difficult.
Looks like I have some backtracking to do. I pulled the latest stage3
and it seems the limits.conf there has no entries by default. I do,
however, have the nproc limit there on two old Gentoo systems dating back
to 2009; perhaps at some point limits.conf had it and I do not remember
adding it, so either it was the default at some point in time, or I added
it and forgot, with the latter being more likely.
Apologies for the confusion.
Regardless, I'd like to continue the discussion about new Gentoo
defaults.
This means the current defaults are inherited from the kernel, through
pid 1, by all its children, and they are:
For 32-bit x86:
  limit    soft     hard
  nproc    64095    64095
  nofile   1024     4096
And for 64-bit x86:
  limit    soft     hard
  nproc    256819   256819
  nofile   1024     4096
fs.file-max does not need any change; on 32-bit x86 it is 1636118 and
on 64-bit x86 it is 6574089.
What I propose here is to significantly bump the limit of open files per
user, and to limit the number of PIDs per user to 16k. If anything, the
current defaults allow a DoS by forkbomb; the current defaults are
neither secure nor make sense in 2022. The Linux kernel is full of
defaults that beg to be updated; among others, vm.swappiness makes
absolutely no sense in its current default either.
As for the remote logins, local logins and X sessions -- I see no value
in having different limits across those.
[1] https://bugs.gentoo.org/885589
-- Piotr.
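The thread turns on which limits.conf domain an entry uses: Robin's point is that `*` reaches every account, service accounts included, while `@users` reaches only members of that group. The following is an added example, not code from the thread, Gentoo or Linux-PAM. It is a simplified model of the precedence documented in limits.conf(5) (an explicit username entry beats an `@group` entry, which beats `*`; group and wildcard entries are not applied to root); letting the later line win among entries of equal specificity is an assumption, and uid/gid ranges, `%` maxlogins domains and `@group:gid` forms are not handled. The sample limits.conf, the user/group table and the `/proc/<pid>/limits` text are all constructed for the demonstration, the latter using the 64-bit kernel defaults quoted above.

```python
import re
from dataclasses import dataclass

# Simplified pam_limits model (added example, not Linux-PAM's code):
# specificity of a matching domain; the lower number wins.
USER, GROUP, WILDCARD = 0, 1, 2

# Constructed: the thread's proposal plus lines showing how "*" and
# "@users" differ.  '#' starts a comment, "-" sets soft and hard together.
SAMPLE_LIMITS_CONF = """\
*         hard  nproc   16384
*         soft  nproc   16384
*         hard  nofile  16384
*         soft  nofile  16384
@users    -     nofile  32768   # interactive users only
@daemon   hard  nproc   512     # a service-account group kept tight
alice     hard  nproc   4096    # a username entry beats group and "*"
"""

# Constructed user -> groups table (stand-in for getent/getgrouplist).
SAMPLE_GROUPS = {
    "alice": {"users", "wheel"},
    "bob": {"users"},
    "postfix": {"daemon"},
    "root": {"root", "wheel"},
}

# Constructed /proc/self/limits text with the 64-bit defaults from the thread.
SAMPLE_PROC_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max processes             256819               256819               processes
Max open files            1024                 4096                 files
"""


@dataclass(frozen=True)
class Entry:
    domain: str
    kind: str   # "soft", "hard" or "-" (both)
    item: str   # e.g. "nproc", "nofile"
    value: str  # a number, or "unlimited"/"infinity"


def parse_limits_conf(text):
    """Parse limits.conf text into Entry objects, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields: {raw!r}")
        domain, kind, item, value = fields
        if kind not in ("soft", "hard", "-"):
            raise ValueError(f"line {lineno}: bad type {kind!r}")
        entries.append(Entry(domain, kind, item, value))
    return entries


def specificity(domain, user, groups):
    """How specifically a domain matches this login, or None if it does not."""
    if domain == user:
        return USER
    if domain.startswith("@") and domain[1:] in groups:
        return GROUP
    if domain == "*":
        return WILDCARD
    return None


def resolve(entries, user, groups):
    """Return {item: {"soft": value, "hard": value}} for one login session."""
    chosen = {}  # (item, kind) -> (specificity, value)
    for e in entries:
        spec = specificity(e.domain, user, groups)
        if spec is None:
            continue
        if user == "root" and spec != USER:
            continue  # limits.conf(5): group and "*" entries do not apply to root
        for kind in (("soft", "hard") if e.kind == "-" else (e.kind,)):
            prev = chosen.get((e.item, kind))
            if prev is None or spec <= prev[0]:   # later equal-specificity line wins (assumption)
                chosen[(e.item, kind)] = (spec, e.value)
    result = {}
    for (item, kind), (_, value) in chosen.items():
        result.setdefault(item, {})[kind] = value
    return result


PROC_ROW = {"nproc": "processes", "nofile": "open files"}  # limits.conf item -> /proc row


def parse_proc_limits(text):
    """Parse /proc/<pid>/limits text into {row name: (soft, hard)}."""
    rows = {}
    for line in text.splitlines()[1:]:  # skip the header line
        m = re.match(r"Max (.+?)\s{2,}(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows


def diff_against_session(resolved, proc_text):
    """List (item, kind, current session value, limits.conf value) where they differ."""
    session = parse_proc_limits(proc_text)
    changes = []
    for item, row in PROC_ROW.items():
        for idx, kind in enumerate(("soft", "hard")):
            want = resolved.get(item, {}).get(kind)
            have = session.get(row, (None, None))[idx]
            if want is not None and want != have:
                changes.append((item, kind, have, want))
    return changes


if __name__ == "__main__":
    entries = parse_limits_conf(SAMPLE_LIMITS_CONF)
    for user, groups in SAMPLE_GROUPS.items():
        print(f"{user:8} {resolve(entries, user, groups)}")
    print(diff_against_session(resolve(entries, "bob", SAMPLE_GROUPS["bob"]), SAMPLE_PROC_LIMITS))
```

Running it shows the distinction under discussion: `bob` and `alice` (members of `users`) get the larger nofile limit, `postfix` is caught by the `*` nofile lines but keeps the tighter `@daemon` nproc cap, and `root` gets nothing from the file at all, which is why a root-owned service is unaffected by a `*` entry. Replace `SAMPLE_PROC_LIMITS` with the contents of a real `/proc/self/limits` to see what a login session on the current kernel defaults would change.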