1.114.3 Setup user level security                         Weight 1

Linux Professional Institute Certification — 102
Geoffrey Robertson <ge@ffrey.com>, Nick Urbanik <nicku@nicku.org>
2005 July
This document is licensed under the GPL (see the License Of This Document section at the end).

Outline
  Context
  Objective
  Enabling Quotas
    Initialising Quotas when booting
    Check quotas regularly with cron
  Quota Limits
    Hard Limit—User
    Hard Limit—Group
    Soft Limit—User
    Soft Limit—Group
    Grace Period
  Configuring Quotas with edquota
  Viewing quotas with quota
  Turning quotas on and off
  repquota
  License Of This Document

Context: Topic 114 Security [8] — Where we are up to
  1.114.1 Perform security administration tasks [4]
  1.114.2 Setup host security [3]
  1.114.3 Setup user level security [1]

Description of Objective 1.114.3 Setup user level security [1]
Candidate should be able to configure user level security. Tasks include limits on user logins, processes, and memory usage.
Key files, terms, and utilities include:
  quota   — display disk usage and limits
  usermod — can modify the expiry date of an account, and can disable an account

Set and View Disk Quotas: Enabling Quotas

Add the usrquota and grpquota options to the filesystem's line in /etc/fstab:

    /dev/hda2  /home  ext3  defaults,usrquota,grpquota  1 2

Create the quota.user and quota.group files on that filesystem:

    fehung:~# touch /home/quota.user /home/quota.group
    fehung:~# chmod 600 /home/quota.user /home/quota.group

Initialise the quota.* files as databases by running quotacheck:

    fehung:/home# quotacheck -augv
    quotacheck: Cannot get exact used space... Results might be inaccurate.
    quotacheck: Scanning /dev/hda2 [/home] done
    quotacheck: Checked 143 directories and 689 files

Set and View Disk Quotas: Enabling Quotas ctd.

Confirm that the databases have actually been initialised by making sure that the quota.* files are larger than 0 bytes.

Run quotaon to enable the quota system:

    fehung:/home# quotaon -a

There are two further things to deal with:
  1. Make sure quota is turned on at boot time (details next slide).
  2. Check the database regularly (details next slide).

The filesystem (in this case /home) is now ready to accept quotas on a per-user or per-group basis.

Set and View Disk Quotas: Initialising Quotas when booting

To ensure quota is turned on upon system boot, add the following to the system's initialisation script (/etc/rc.d/rc.sysinit or similar):

    if [ -x /sbin/quotacheck ]; then
        echo "Checking quotas."
        /sbin/quotacheck -auvg
        echo "Done."
    fi
    if [ -x /sbin/quotaon ]; then
        echo "Enabling quotas."
        /sbin/quotaon -avug
    fi

Set and View Disk Quotas: Check the Quota database Regularly with cron

To ensure that the databases are checked regularly, add a script to one of the crontab system directories (such as /etc/cron.weekly/) to run quotacheck:

    #!/bin/bash
    /sbin/quotacheck -auvg

or a job in crontab to achieve the same thing.
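The enabling procedure above has two points worth verifying before trusting the setup: that the fstab entry really carries usrquota/grpquota, and that quotacheck left non-empty databases behind. This added shell example (not from the original slides) checks both against a constructed fstab and constructed quota files; the function names and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. Checks that a mount point in an
# fstab file carries the usrquota/grpquota options and that the quota databases
# on that filesystem are initialised (size > 0). Paths are parameters so the
# check can run against a constructed copy of fstab.

# Print the mount options for MOUNTPOINT found in FSTAB; fail if it is absent.
fstab_opts() {
    fstab=$1; mnt=$2
    while read -r dev mp fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac        # skip blanks and comments
        [ "$mp" = "$mnt" ] && { printf '%s\n' "$opts"; return 0; }
    done < "$fstab"
    return 1
}

# Print "usrquota,grpquota", "usrquota", "grpquota", "none" or "missing".
quota_opts_enabled() {
    opts=$(fstab_opts "$1" "$2") || { echo missing; return 1; }
    have=
    case ",$opts," in *,usrquota,*) have=usrquota ;; esac
    case ",$opts," in *,grpquota,*) have=${have:+$have,}grpquota ;; esac
    echo "${have:-none}"
}

# Succeed only if FILE exists and is larger than 0 bytes (an initialised db).
quota_db_ready() {
    [ -s "$1" ]
}

# Constructed sample: an fstab with one fully quota-enabled filesystem, one
# with user quotas only, and one with none; plus an empty and a non-empty db.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/fstab" <<'EOF'
# constructed sample fstab
/dev/hda1  /      ext3  defaults                    1 1
/dev/hda2  /home  ext3  defaults,usrquota,grpquota  1 2
/dev/hda3  /srv   ext3  defaults,usrquota           1 2
EOF
    : > "$dir/quota.user"              # empty: quotacheck has not run yet
    printf 'x' > "$dir/quota.group"    # non-empty: stands in for an initialised db
    echo "/home: $(quota_opts_enabled "$dir/fstab" /home)"
    echo "/srv:  $(quota_opts_enabled "$dir/fstab" /srv)"
    echo "/:     $(quota_opts_enabled "$dir/fstab" /)"
    quota_db_ready "$dir/quota.user" && echo "quota.user ready" \
        || echo "quota.user is empty: run quotacheck before quotaon"
    quota_db_ready "$dir/quota.group" && echo "quota.group ready"
    rm -rf "$dir"
}

demo
```

On a live system call quota_opts_enabled /etc/fstab /home and quota_db_ready /home/quota.user instead of the constructed files.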
Quota Limits

There are five types of quota limits that can be enforced:
  Per-user hard limit
  Per-group hard limit
  Per-user soft limit
  Per-group soft limit
  Grace Period

Quota Limits—Per-user hard limit
  absolute maximum of a user's allocated space
  when reached, the user cannot write anything else to the filesystem
  the write to the current file is truncated
  the user can free space and save the file if the program has a copy of the file in memory

Quota Limits—Per-group hard limit
  absolute maximum of a group's allocated space
  when reached, members of the group cannot write anything else to the filesystem
  the write to the current file is truncated
  a user in the group can free space and save the file if the program has a copy of the file in memory

Quota Limits—Per-user soft limit
  less than the hard limit
  when reached, the user enters the grace period
  the user gets warnings on the terminal that the quota has been exceeded

Quota Limits—Per-group soft limit
  less than the hard limit
  when reached, the group enters the grace period
  members of the group get warnings on the terminal that the quota has been exceeded

Quota Limits—Grace Period
  the grace period is the time, counted from when the soft limit is exceeded, after which the soft limit is enforced as if it were the hard limit, regardless of whether the hard limit has been reached . . .
  . . . unless the user gets their usage back below the soft limit in that time

Set and View Disk Quotas: Setting up and configuring quotas

The next move is to edit the quota record for each user. We can get around this with scripts, but essentially this is not nice :) We can edit the quota of a typical user on our system and then copy the attributes of that user's quota to the other users, as follows:

    fehung:/home/greebo# edquota greebo

This edits the quota for user greebo; in this file we change the soft and hard limits to whatever we choose, for example:

    Disk quotas for user greebo (uid 1000):
      Filesystem   blocks    soft    hard   inodes   soft   hard
      /dev/hda2       538   29000   30000      689      0      0

Set and View Disk Quotas: Configuring Quotas

The first soft and hard values apply to blocks and the second pair to inodes; here the user has a block soft and hard limit but no inode limit.

We can then apply these settings to the rest of the users thus:

    fehung:/home/greebo# edquota -p greebo $(awk -F: '$3 > 999 { print $1 }' /etc/passwd)

and can confirm this worked by running

    $ sudo edquota randomuser

to see whether the new settings copied across.

We can only modify the grace period system wide. We do this by running

    # edquota -tu

and changing the value.
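The awk filter above hands the template quota to every account with a UID above 999, which on most systems also matches the nobody pseudo-user (UID 65534) and any other high-numbered service account. This added shell example (not from the original slides) bounds the UID range on both sides before calling edquota -p; the upper bound of 59999 (take it from UID_MAX in /etc/login.defs on a real system), the passwd file parameter and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. Selects the accounts that should
# receive the template user's quota by UID range instead of "UID > 999", so
# pseudo-users such as nobody (65534) are left alone.

# Print the login names in PASSWDFILE whose UID lies in [MINUID, MAXUID].
# Defaults: 1000..59999 (assumed; adjust to UID_MIN/UID_MAX of the system).
regular_users() {
    pwfile=$1; min=${2:-1000}; max=${3:-59999}
    while IFS=: read -r name pw uid rest; do
        case $uid in ''|*[!0-9]*) continue ;; esac     # skip malformed lines
        if [ "$uid" -ge "$min" ] && [ "$uid" -le "$max" ]; then
            printf '%s\n' "$name"
        fi
    done < "$pwfile"
}

# Apply TEMPLATE's limits to every selected account except the template itself.
# Runs edquota -p, so it needs root and a quota-enabled filesystem;
# with DRY_RUN=1 it only prints the command it would run.
copy_quota() {
    template=$1; pwfile=${2:-/etc/passwd}
    users=$(regular_users "$pwfile" | grep -vx "$template" || :)
    [ -n "$users" ] || { echo "no candidate users in $pwfile" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo edquota -p "$template" $users
    else
        edquota -p "$template" $users
    fi
}

# Constructed sample passwd: root, the template user, a regular user, nobody,
# and a malformed line, to show what the range filter keeps and drops.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/sh
greebo:x:1000:1000::/home/greebo:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
broken:x:abc:1:::
EOF
    echo "candidates:"; regular_users "$tmp"
    DRY_RUN=1; export DRY_RUN
    copy_quota greebo "$tmp"          # prints: edquota -p greebo alice
    rm -f "$tmp"
}

demo
```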
Set and View Disk Quotas: Quota commands: quota(1)

quota is used to display quotas for users and groups, using the -u switch for users and the -g switch for groups:

    fehung:/home# quota -uv greebo
    Disk quotas for user greebo (uid 1000):
      Filesystem   blocks   quota   limit   grace   files   quota   limit   grace
      /dev/hda2       538   29000   30000             689       0       0

Set and View Disk Quotas: Quota commands: quotaon(1)

quotaon turns on the quota system; quotaoff turns it off. Easy!

Set and View Disk Quotas: Quota commands: repquota(1)

repquota reports on the status of quotas. Common options are as follows:
  -a   reports on all quotas
  -g   reports on group quotas
  -u   reports on user quotas
  -v   verbose mode

Examples:

    $ sudo repquota -v /home

or

    $ sudo repquota -a

License Of This Document

Copyright © 2005, 2003 Geoffrey Robertson and Nick Urbanik. Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation—either version 2 of the License or (at your option) any later version.
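A repquota report is only useful if something reads it: the cron job that runs quotacheck can also scan the report for accounts that have crossed a soft limit and are running down their grace period. This added shell example (not from the original slides) parses a saved repquota -a report; the report text is a constructed sample in repquota's column layout (a two-character status column where "+" marks an exceeded block or inode soft limit, and a grace column present only on exceeded rows), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. Lists every exceeded soft limit
# in a saved "repquota -a" report so a cron job can warn before the grace
# period ends. Row layout (user rows only):
#   name flags bused bsoft bhard [bgrace] iused isoft ihard [igrace]
# flags is two characters: first for blocks, second for inodes; "+" means the
# soft limit is exceeded and a grace column follows that triple. repquota
# prints "none" in the grace column once the grace period has expired.

# Print "name kind used soft hard grace" for each exceeded soft limit in REPORT.
over_soft_limit() {
    report=$1
    while read -r name flags bused bsoft bhard rest; do
        case $flags in [-+][-+]) ;; *) continue ;; esac   # skip headers/rulers
        bgrace=; igrace=
        set -- $rest                                      # columns after bhard
        case $flags in +*) bgrace=$1; shift ;; esac       # grace only when over
        iused=$1; isoft=$2; ihard=$3
        case $flags in ?+) igrace=$4 ;; esac
        case $flags in +*)
            printf '%s blocks %s %s %s %s\n' "$name" "$bused" "$bsoft" "$bhard" "$bgrace" ;;
        esac
        case $flags in ?+)
            printf '%s inodes %s %s %s %s\n' "$name" "$iused" "$isoft" "$ihard" "$igrace" ;;
        esac
    done < "$report"
}

# Count the distinct accounts that are over at least one soft limit.
count_over() {
    over_soft_limit "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Write a constructed report to FILE: greebo as on the slides (under limit),
# alice over her block soft limit with 6 days left, bob over his inode soft
# limit with the grace period already expired.
sample_report() {
    cat > "$1" <<'EOF'
*** Report for user quotas on device /dev/hda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --   20000       0       0              5     0     0
greebo    --     538   29000   30000            689     0     0
alice     +-   29500   29000   30000  6days     412     0     0
bob       -+    1200    5000    6000            2100  2000  2500  none
EOF
}

# Usage on a live system: repquota -a > report.txt; over_soft_limit report.txt
rpt=$(mktemp); sample_report "$rpt"
over_soft_limit "$rpt"                 # alice blocks ... 6days / bob inodes ... none
echo "accounts over a soft limit: $(count_over "$rpt")"
rm -f "$rpt"
```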