LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-19-2014, 06:03 AM   #1
skimeer
Member
 
Registered: Jun 2007
Posts: 62
Blog Entries: 1

Rep: Reputation: 0
Set disk quota for newly created user on login


Hello,

I am setting up quota on my CentOS 6.4 Server. This allow me to set quota for existing user using 'setquota' command.

However I need to set quota manually for users authenticated through AD or LDAP. Also if I create new native Linux user, I have to set quota manually.

I want to set quota on user login. I have searched for PAM, and found this https://code.google.com/p/pam-setquota/ . However not sure, how reliable this is.

Is there any other way to set quota for user on login to the machine.
 
Old 05-19-2014, 08:48 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255
You would have to look at the code details for most of that.

The biggest limitations I see offhand (not having used it), are that:

1) you can only set one quota entry -- and that gets used by all users
2) you can't use the users home directory to identify the disk to set the quota on

Neither of these limitations may be a problem for a departmental style server, but could be a problem for a more widely used server (multiple class levels with different quota requirements, AND different storage servers...)

It is also a bit dated (2010)...

I suspect it could be fixed though.

Last edited by jpollard; 05-19-2014 at 08:51 AM.
 
Old 05-19-2014, 09:00 AM   #3
skimeer
Member
 
Registered: Jun 2007
Posts: 62
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hello,

Thanks for the suggestions,

1.How to set one quota entry which can be used by all users. I can set quota for one user and then using setquota, can copy similar details for all the users from /etc/passwd file recursively. Is there any other way.

1.I am looking for solution so set quota automatically whenever new user logged in. User could be from external server like AD or OpenLDAP or from that machine itself.
 
Old 05-19-2014, 11:04 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255
The problem is not exactly solvable...

1. If you are using an NFS server then the account has to exist on the server; doing that I believe uses a different method (an rpc call, not a local system call).

2. Besides user quotas, there are also group quotas (sharing the the quota among multiple users).

3. On shared servers, not all users are allowed a quota... Only on certain filesystems. Setting one for a user on /home is fine and dandy - but incomplete. There can also be local workspace quotas that are needed (things used like /tmp).

4. not all users of a compute server may have access to all storage on various (possibly accessible) filesystems.

For these reasons, quotas are not usually set when a user logs in, but when the users account is setup.

Now the PAM module you found COULD be modified for the home directory... but that isn't what it was originally used for. It could even be modified to make LDAP queries to identify the filesystems the user IS authorized for, and then create quotas on those filesystems...

But it would take a good bit of work, which is actually easier to do when the user is being authorized in the first place.

Last edited by jpollard; 05-19-2014 at 11:11 AM.
 
Old 05-22-2014, 06:10 AM   #5
skimeer
Member
 
Registered: Jun 2007
Posts: 62
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hello,

Thanks for detailed description. I will explain what exactly I am trying to achieve.

My setup is like, CentOS server with OpenLDAP external authentication enabled. Now I want to set quotas for OpenLDAP users. I can di it be checking all users with "getent" and then set quota for them. In this case if any new user is added in Openldap. I have to execute command/script again. Hence I would like to setup something to set quota automatically when user logs in.

pam_setquota seems to be not working on CentOS 6.4 x86_64 system. Is there any other way to do this.
 
Old 05-22-2014, 06:19 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255
Like I said, it depends on where the user is. I doubt it can work on NFS. It MIGHT be able to work on gluster filesystem though.

The time the quotas should be set is when the new user is added in the LDAP server, and on those systems the user is authorized to use.

But I don't know of any other method at login other than using a PAM module.
 
Old 05-22-2014, 07:25 AM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,258

Rep: Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328
How about calling setquota from /etc/profile (/etc/profile.d/..) when they login?
 
Old 05-22-2014, 07:49 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255
setquota requires privilege... and if a user can set their quota, then they could set any quota they want... or even delete the restriction.

Second, a number of systems won't allow a login unless the home directory exists...
 
Old 05-23-2014, 06:03 AM   #9
skimeer
Member
 
Registered: Jun 2007
Posts: 62
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hello,

Thanks for suggestions.

I make it worked with group quota. Basically I am allowing user auth from OpenLDAP or AD based on group. Means I will enable authentication for group and every user for that group can login to Linux box. Now I am setting quota for that group and its working.

There is small issue though, I observed that group quota is not user basis. Meaning if I enabled group quota to 100mb, all users of that group together can use up to 100mb and not the individual user. Is this the normal quota setup behavior .
 
Old 05-23-2014, 08:41 AM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,258

Rep: Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328
Yes; that's why you have user AND group quotas as options.
See Chap 7 http://www.linuxtopia.org/online_boo...ion/index.html
 
Old 01-20-2016, 10:53 PM   #11
-=Graz=-
Member
 
Registered: Jan 2006
Location: Australia
Distribution: Fedora, Slackware, RHEL, AIX, HP-UX
Posts: 358

Rep: Reputation: 31
@jpollard
I had the exact same issue today. I would like to make it so when a new user auth via AD/LDAP a xMB quota is applied to their home dir. Group quota isn't sufficient as like you say , it applies to the whole group and not individual user. I need each user to have a set quota of X. The value is the same for every user. Hourly (or more) cron job could have been an option working out all new users and setting the quota but there is still a chance someone could fill the disk before the next time the job runs.

I've been looking at PAM (and will probably continue) but for now I have a little dodgy hax to get me going..

Create file in /etc/profile.d/
#!/bin/bash
sudo /root/set_user_quota.sh $USER

Create sudo rule allowing regular user to run the script as root
cat /etc/sudoers.d/quota
%adldapgroup ALL = (root) NOPASSWD:EXEC:/root/set_user_quota.sh

Script to set the quota to 2MB
cat /root/set_user_quota.sh
#!/bin/bash

FOO=$1

echo "Setting /home quota for $FOO to 2MB"
setquota -u $FOO 0 2048 0 0 -a /home

** obviously a few more things to think about here like making sure you dont mess up root user or other users you might want to exclude. Also a check to not set the quota if its already been set.. You know , make it better.. But still , it works.

[root@server12345 ~]# su - xxxxxx
Setting /home quota for xxxxxx to 2MB

[root@server12345 ~]# repquota /home | grep xxxxxx
#xxxxxx -- 2048 0 2048 12 0 0
 
Old 01-21-2016, 06:18 AM   #12
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255Reputation: 1255
Your script is insecure.

Consider what happens if the "$USER" happens to be '`echo xyz:x:0:0:gotcha:/root:/bin/bash >>/etc/passwd`;`echo xyz:<someencrypted passwd>::::::: >>/etc/shadow'

Or if "$USER" is '`/bin/bash`', and give the user a root shell right away.

Execution from /etc/profile might work... but nothing can prevent the user from using the command again and taking over the system. (Note: did this myself once... and had to take over the system to fix something else, and this technique was how I did it)

You might check http://sourceforge.net/p/linuxquota/...read/d4c432ea/
for alternatives.

Last edited by jpollard; 01-21-2016 at 06:20 AM.
 
Old 01-22-2016, 02:11 AM   #13
-=Graz=-
Member
 
Registered: Jan 2006
Location: Australia
Distribution: Fedora, Slackware, RHEL, AIX, HP-UX
Posts: 358

Rep: Reputation: 31
Thanks mate , yeah it was a pretty dodgy solution.. I should delete the post actually.

Got it working today via /etc/pam.d/system_auth , session after the oddjobd mkdir line.

It calls my script and I use env var $PAM_USER within the script.. No dependancy on profile.d or dodgy sudo rules either accepting args either

Script does a few quota checks first and ignores root user and other service accounts and things like that. I'm still testing but it seems to work so far

I'm on my phone now but will post in a few days when I'm back at work if it works out .

Cheers

Last edited by -=Graz=-; 01-22-2016 at 02:12 AM. Reason: Typo
 
  


Reply

Tags
centos6, quota, securit


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Mint8 Helena LiveCD on USB Stick - Always logs into Mint user, not newly created user rrrssssss Linux Mint 3 04-20-2010 03:14 PM
How to set permissions for newly created dirs? z-vet Linux - General 2 12-04-2004 09:06 AM
I can't login with newly created user r_ibsen Linux - Newbie 2 06-19-2004 09:32 AM
cannot login as newly created user in terminal linoops Linux - Newbie 1 06-04-2004 09:07 PM
how do i set a user disk quota axis Linux - Security 5 09-01-2003 11:33 PM


All times are GMT -5. The time now is 01:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration