General Linux 2 – Setup User Level Security [2] (Linux Professional Institute Certification)

Slides for a talk by Pia Smith
geoffrey robertson geoffrey@zip.com.au
$Id: gl2.114.3.slides.tex,v 1.4 2003/08/29 14:36:14 waratah Exp $

© 2002 Geoffrey Robertson. Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License or (at your option) any later version.

List of Slides
(2.2) 102 Installation & Package Mgt. [24]
2.114.1 Perform Security Administration Tasks [4]
2.114.2 Setup Host Security [4]
2.114.3 Setup User Level Security [2]

Setup User Level Security [2]
Objective
Candidate should be able to configure user level security. Tasks include limits on user logins, processes, and memory usage.

Setup User Level Security [2]
Key files, terms, and utilities
quota
usermod

Setup User Level Security [2]
Resources of interest
TBA

Set and View Disk Quotas
Enabling Quotas
• Add the usrquota and grpquota options to the filesystem's entry in /etc/fstab (the last two fields are the dump and fsck-pass numbers):
    /dev/hda2 /home ext3 defaults,usrquota,grpquota 1 2
  then remount the filesystem (mount -o remount /home) so the new options take effect.
• Create the quota.user and quota.group files in the root of that filesystem, readable by root only:
    fehung:~# touch /home/quota.user /home/quota.group
    fehung:~# chmod 600 /home/quota.user /home/quota.group
• Initialise the quota.* files as databases by running quotacheck:
    fehung:/home# quotacheck -augv
    Cannot get
exact used space... Results might be inaccurate.
    quotacheck: Scanning /dev/hda2 [/home] done
    quotacheck: Checked 143 directories and 689 files

Set and View Disk Quotas
Enabling Quotas ctd. . .
• Confirm that the databases have actually been initialised by checking that the quota.* files are now larger than 0 bytes (ls -l /home/quota.*).
• Run quotaon to enable the quota system:
    fehung:/home# quotaon -a
• There are two further things to deal with:
  1. Turn quota on at boot time. (details next slide)
  2. Check the database regularly.
(details next slide)
• The filesystem (in this case /home) is now ready to accept quotas on a per user or group basis.

Set and View Disk Quotas
Initialising Quotas when booting
To ensure quota is turned on upon system boot, add the following to the system's initialisation script (/etc/rc.d/rc.sysinit or similar):
    if [ -x /sbin/quotacheck ]; then
        echo "Checking quotas."
        /sbin/quotacheck -auvg
        echo "Done."
    fi
    if [ -x /sbin/quotaon ]; then
        echo "Enabling quotas."
        /sbin/quotaon -avug
    fi

Set and View Disk Quotas
Check the Quota database Regularly with cron
To ensure that the databases are checked regularly, add a script to one of the crontab system directories (such as /etc/cron.weekly/) to run quotacheck:
    #!/bin/bash
    /sbin/quotacheck -auvg
or a job in crontab to achieve the same thing. quotacheck needs a consistent view of the filesystem and will try to remount it read-only while it scans, so schedule it for a quiet time.

Set and View Disk Quotas
Quota Limits
There are five quota parameters that can be set:
• Per-user hard limit
• Per-group hard limit
• Per-user soft limit
• Per-group soft limit
• Grace Period

Set and View Disk Quotas
Quota Limits—Per-user hard limit
This is the absolute maximum of a user's allocated space. Once reached, the user cannot write anything else to the filesystem, and a file being saved at that point is truncated at the limit and useless. The user doesn't lose what is in the current editor session, so they can free up some space and then save the file.
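The enabling procedure on the preceding slides (fstab options, remount, quotacheck, the non-empty file check, quotaon), as one added pre-flight script. This is not part of the original deck. It assumes the quota tools are installed and that it is run as root for the enable step; the fstab/mount-table parsing functions work on any file in fstab or /proc/mounts format, and the sample file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): check and enable user/group
# quotas on one filesystem. Usage: sh enable-quota.sh enable /home

# Print the mount points in an fstab-format file whose option field
# contains usrquota and/or grpquota. This is the set of filesystems
# "quotacheck -a" and "quotaon -a" operate on.
fstab_quota_mounts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blanks
        {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "usrquota" || o[i] == "grpquota") { print $2; break }
        }' "$1"
}

# Return 0 if the filesystem mounted at MOUNTPOINT (as listed in a
# /proc/mounts-format file) carries option OPT. Editing fstab alone does
# nothing until a remount, so check the live mount table, not fstab.
mount_has_opt() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Return 0 only if FILE exists and is larger than 0 bytes: the slides'
# "confirm the databases have actually been initialised" check.
quota_db_ok() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Enable user and group quotas on MOUNTPOINT (root required).
enable_quotas() {
    mp=$1
    fstab_quota_mounts /etc/fstab | grep -qxF "$mp" || {
        echo "$mp: add usrquota,grpquota to its /etc/fstab entry first" >&2
        return 1
    }
    mount -o remount "$mp" || return 1
    for opt in usrquota grpquota; do
        mount_has_opt /proc/mounts "$mp" "$opt" ||
            { echo "$mp: option $opt not active after remount" >&2; return 1; }
    done
    # -c: ignore any old quota files and build fresh ones. The files are
    # quota.user/quota.group for the v1 format on the slides, aquota.* for v2.
    quotacheck -cugv "$mp" || return 1
    for f in "$mp"/quota.user "$mp"/quota.group "$mp"/aquota.user "$mp"/aquota.group; do
        [ -e "$f" ] && {
            chmod 600 "$f"
            quota_db_ok "$f" || { echo "$f is empty: quotacheck failed" >&2; return 1; }
        }
    done
    quotaon -ugv "$mp"
}

case "${1:-}" in
    enable) enable_quotas "$2" ;;
esac
```

fstab_quota_mounts and mount_has_opt read any file in the six-field fstab layout, so the same functions can be pointed at /proc/mounts to verify that the options are live rather than merely configured.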
Set and View Disk Quotas
Quota Limits—Per-group hard limit
This is the absolute maximum of a group's allocated space. Once reached, no member of the group can write anything else to the filesystem under that group, and a file being saved at that point is truncated at the limit and useless. Users in the group don't lose what is in the current editor session, so they can free up some space and then save the file.

Set and View Disk Quotas
Quota Limits—Per-user soft limit
A limit enforced on users that is lower than the hard limit. Once reached, the user enters the grace period, and from then on gets warnings printed on the terminal that the quota has been exceeded.

Set and View Disk Quotas
Quota Limits—Per-group soft limit
A limit enforced on groups that is lower than the hard limit. Once reached, the group enters the grace period, and from then on its members get warnings printed on the terminal that the quota has been exceeded.

Set and View Disk Quotas
Quota Limits—Grace Period
Once a soft limit has been reached the user/group enters the grace period, a configurable length of time during which writes above the soft limit are still allowed (up to the hard limit). When the grace period expires, the soft limit is enforced as if it were a hard limit until usage is brought back below the soft limit.

Set and View Disk Quotas
Setting up and configuring quotas
• The next move is to edit the quota reference for each user.
We can get around this with scripts, but essentially this is not nice :)
• We can actually edit the quota of a typical user on our system and then copy the attributes of that user's quota to other users, as follows:
    fehung:/home/greebo# edquota greebo
• This opens the quota for user greebo in your editor; in this file we change the soft and hard limits to whatever we choose, for example:
    Disk quotas for user greebo (uid 1000):
      Filesystem   blocks   soft    hard    inodes   soft   hard
      /dev/hda2    538      29000   30000   689      0      0

Set and View Disk Quotas
Configuring Quotas
• The first soft and hard values apply to blocks (1 KiB units) and the second to inodes; here the user has a block soft and hard limit but no inode limit (0 means unlimited).
• We can then apply these settings to the rest of the users thus:
    fehung:/home/greebo# edquota -p greebo $(awk -F: '$3 > 999 { print $1 }' /etc/passwd)
  (note that this awk filter also matches nobody, uid 65534, and any other high-uid system account; exclude those if you have them) and can confirm this worked by running
    # edquota <user>
  or quota -v <user> for one of the other users, to see whether the new settings copied across.
• Grace periods are set per filesystem, not per user. We do this by running
    # edquota -tu
  (or edquota -tg for groups) and changing the block and inode grace values.

Set and View Disk Quotas
Quota commands: quota(1)
quota is used to display quotas for users and groups, using the -u switch for users and the -g switch for groups:
    fehung:/home# quota -uv greebo
    Disk quotas for user greebo (uid 1000):
      Filesystem  blocks  quota  limit  grace  files  quota  limit  grace
      /dev/hda2   538     29000  30000         689    0      0

Set and View Disk Quotas
Quota commands: quotaon(8)
quotaon turns on the quota system, quotaoff turns it off. Easy!

Set and View Disk Quotas
Quota commands: repquota(8)
repquota reports on the status of quotas. Common options are as follows:
  -a   reports on all quotas
  -g   reports on group quotas
  -u   reports on user quotas
  -v   verbose mode
Examples:
    # repquota -v /home
or
    # repquota -a
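The two administrative tasks from the last slides, rolling a template user's limits out with edquota -p and reading repquota output to see who is over a soft limit, as one added script. This is not code from the original deck. It assumes the quota tools are installed and root privileges for the apply step; the account names, the passwd lines and the repquota text used in the functions' comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Usage:
#   sh quota-admin.sh apply greebo      # copy greebo's limits to all users
#   sh quota-admin.sh report /home      # list users over a soft limit

# Print login names of ordinary (non-system) accounts from a passwd-format
# file: uid in [MIN_UID, 65534), so root, daemons and "nobody" (65534) are
# skipped. The slides' "$3 > 999" filter would also hit nobody.
ordinary_users() {
    awk -F: -v min="${2:-1000}" '$3 >= min && $3 < 65534 { print $1 }' "$1"
}

# Apply TEMPLATE user's block and inode limits to every ordinary user
# except the template itself (root required).
apply_template() {
    tmpl=$1
    users=$(ordinary_users /etc/passwd | grep -vxF "$tmpl")
    [ -n "$users" ] || return 0
    # word splitting of $users into separate arguments is intended
    edquota -p "$tmpl" $users
}

# Read repquota output on stdin and print "user blocks" / "user inodes"
# for each account whose status flags show a soft limit exceeded. The
# second column is two flags: "+" in position 1 means the block soft
# limit is exceeded, "+" in position 2 the inode soft limit; "--" is fine.
# Example line (constructed):
#   greebo    +-   29500   29000   30000  6days     689     0     0
over_soft_limit() {
    awk '
        $2 ~ /^[-+][-+]$/ {
            if (substr($2, 1, 1) == "+") print $1, "blocks"
            if (substr($2, 2, 1) == "+") print $1, "inodes"
        }'
}

case "${1:-}" in
    apply)  apply_template "$2" ;;
    report) repquota -u "$2" | over_soft_limit ;;
esac
```

Piping repquota -u into over_soft_limit from the weekly cron job alongside quotacheck gives a short list of accounts in their grace period, which is the point at which a user still has time to clean up before the soft limit becomes hard.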