Please do file a bug tracking this proposal, and reference the discussion thread.
On Sun, Dec 11, 2022 at 09:28:14AM +0100, Piotr Karbowski wrote: > What I'd like to do is to bump the limits.conf we ship with pam to > following > > * hard nproc 16384 > * soft nproc 16384 > * hard nofile 16384 > * soft nofile 16384 > > Those are still reasonable defaults that are much more suitable the > modern systems. I can only see benefits in it and am unable to think > about the potential drawbacks of bumping *defaults*. Drawbacks: - The "*" would apply it to all users on a system, not just the interactive ones, and reduce overall security posture. - Does this also need a sysctl change for raising fs.file-max? With those in mind, how can we deploy these defaults for interactive users, while still trying to maintain the good security posture overall? - Is using "@users" instead of "*" good enough? (I think yes) - Should it be limited to shiny logins on X or should it also take effect via remote logins? (conceptually yes, but I don't see a way to do it today within the scope of only pam_limits**) ** The closest other solution I can find is using a distinct limits.conf for interactive logins, selected via pam.d trickery, and I don't like that proposal. -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Treasurer E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
signature.asc
Description: PGP signature