[SOLVED] Set disk quota for newly created user on login
I am setting up quota on my CentOS 6.4 server. This allows me to set quota for existing users using the 'setquota' command.
However, I need to set quota manually for users authenticated through AD or LDAP. Also, if I create a new native Linux user, I have to set quota manually.
I want to set quota on user login. I have searched for PAM, and found this https://code.google.com/p/pam-setquota/ . However, I am not sure how reliable this is.
Is there any other way to set quota for a user on login to the machine?
You would have to look at the code details for most of that.
The biggest limitations I see offhand (not having used it), are that:
1) you can only set one quota entry -- and that gets used by all users
2) you can't use the user's home directory to identify the disk to set the quota on
Neither of these limitations may be a problem for a departmental style server, but could be a problem for a more widely used server (multiple class levels with different quota requirements, AND different storage servers...)
1. How to set one quota entry which can be used by all users? I can set quota for one user and then, using setquota, can copy similar details for all the users from the /etc/passwd file recursively. Is there any other way?
1. I am looking for a solution to set quota automatically whenever a new user logs in. The user could be from an external server like AD or OpenLDAP or from that machine itself.
1. If you are using an NFS server then the account has to exist on the server; doing that I believe uses a different method (an rpc call, not a local system call).
2. Besides user quotas, there are also group quotas (sharing the quota among multiple users).
3. On shared servers, not all users are allowed a quota... Only on certain filesystems. Setting one for a user on /home is fine and dandy - but incomplete. There can also be local workspace quotas that are needed (things used like /tmp).
4. Not all users of a compute server may have access to all storage on various (possibly accessible) filesystems.
For these reasons, quotas are not usually set when a user logs in, but when the user's account is set up.
Now the PAM module you found COULD be modified for the home directory... but that isn't what it was originally used for. It could even be modified to make LDAP queries to identify the filesystems the user IS authorized for, and then create quotas on those filesystems...
But it would take a good bit of work, which is actually easier to do when the user is being authorized in the first place.
Thanks for detailed description. I will explain what exactly I am trying to achieve.
My setup is a CentOS server with OpenLDAP external authentication enabled. Now I want to set quotas for OpenLDAP users. I can do it by checking all users with "getent" and then setting quota for them. In this case, if any new user is added in OpenLDAP, I have to execute the command/script again. Hence I would like to set up something to set quota automatically when a user logs in.
pam_setquota seems to be not working on a CentOS 6.4 x86_64 system. Is there any other way to do this?
I made it work with group quota. Basically I am allowing user auth from OpenLDAP or AD based on group. That means I will enable authentication for a group and every user of that group can log in to the Linux box. Now I am setting quota for that group and it's working.
There is a small issue though: I observed that group quota is not on a per-user basis. Meaning if I set group quota to 100mb, all users of that group together can use up to 100mb and not the individual user. Is this the normal quota setup behavior?
@jpollard
I had the exact same issue today. I would like to make it so when a new user auths via AD/LDAP an xMB quota is applied to their home dir. Group quota isn't sufficient as, like you say, it applies to the whole group and not the individual user. I need each user to have a set quota of X. The value is the same for every user. An hourly (or more) cron job could have been an option, working out all new users and setting the quota, but there is still a chance someone could fill the disk before the next time the job runs.
I've been looking at PAM (and will probably continue) but for now I have a little dodgy hax to get me going..
Create file in /etc/profile.d/
#!/bin/bash
sudo /root/set_user_quota.sh $USER
Create sudo rule allowing regular user to run the script as root
cat /etc/sudoers.d/quota
%adldapgroup ALL = (root) NOPASSWD:EXEC:/root/set_user_quota.sh
Script to set the quota to 2MB
cat /root/set_user_quota.sh
#!/bin/bash
FOO=$1
echo "Setting /home quota for $FOO to 2MB"
setquota -u $FOO 0 2048 0 0 -a /home
** Obviously a few more things to think about here, like making sure you don't mess up the root user or other users you might want to exclude. Also a check to not set the quota if it's already been set.. You know, make it better.. But still, it works.
[root@server12345 ~]# su - xxxxxx
Setting /home quota for xxxxxx to 2MB
Consider what happens if the "$USER" happens to be '`echo xyz:x:0:0:gotcha:/root:/bin/bash >>/etc/passwd`;`echo xyz:<someencrypted passwd>::::::: >>/etc/shadow'
Or if "$USER" is '`/bin/bash`', and give the user a root shell right away.
Execution from /etc/profile might work... but nothing can prevent the user from using the command again and taking over the system. (Note: did this myself once... and had to take over the system to fix something else, and this technique was how I did it)
Thanks mate, yeah it was a pretty dodgy solution.. I should delete the post actually.
Got it working today via /etc/pam.d/system_auth , session after the oddjobd mkdir line.
It calls my script and I use env var $PAM_USER within the script.. No dependency on profile.d or dodgy sudo rules accepting args either.
Script does a few quota checks first and ignores root user and other service accounts and things like that. I'm still testing but it seems to work so far.
I'm on my phone now but will post in a few days when I'm back at work if it works out.
Cheers
Last edited by -=Graz=-; 01-22-2016 at 01:12 AM.
Reason: Typo
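
The kind of session script the last post describes, written here as an added example that is not the poster's code. It assumes the hook is run by pam_exec.so on a session line (which exports PAM_USER and PAM_TYPE), that UID 1000 is where regular accounts start, and the usual column layout of `quota` output; the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not the poster's script): session hook for pam_exec.
# The account name comes only from PAM_USER, never from arguments.
QUOTA_FS="/home"   # filesystem from the thread
SOFT_KB=0
HARD_KB=2048       # 2MB hard block limit, as in the thread
UID_MIN=1000       # assumption: lower UIDs are root/service accounts

# Conservative allow-list: rejects empty names, a leading dash (would be
# parsed as an option), whitespace and shell metacharacters.
valid_username() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# $1 = name, $2 = numeric UID. True only for regular, well-formed accounts.
wants_quota() {
    valid_username "$1" || return 1
    case "$2" in ""|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge "$UID_MIN" ]
}

# Reads `quota -w -u NAME` output on stdin; true if a line for any
# filesystem already has a non-zero hard block limit (4th column).
has_block_limit() {
    awk 'NR > 2 && $4 + 0 > 0 { found = 1 } END { exit !found }'
}

apply_quota() {
    local user="${PAM_USER:-}" uid
    valid_username "$user" || return 0
    uid=$(id -u -- "$user" 2>/dev/null) || return 0
    wants_quota "$user" "$uid" || return 0
    if quota -w -u "$user" 2>/dev/null | has_block_limit; then
        return 0   # leave an existing quota untouched
    fi
    setquota -u "$user" "$SOFT_KB" "$HARD_KB" 0 0 "$QUOTA_FS"
}

# pam_exec exports PAM_TYPE; act only when a session is being opened.
if [ "${PAM_TYPE:-}" = "open_session" ]; then
    apply_quota
fi
```

Names such as `DOMAIN\user` or `user@domain` are rejected by this allow-list, so widen the pattern deliberately if the directory hands out names in that form.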