Automatic user quotas setup
Overview
This document describes how to set up automatic user quotas on Linux so that a predetermined quota is applied to a user's account when they log in, which keeps any single account from filling a shared volume. An example scenario is a Linux system that has been configured to authenticate against Active Directory (or LDAP, etc.). When a user logs in for the first time, the pam_mkhomedir module creates a home directory and pam_setquota sets their quota automatically. Local authentication schemes also work: a centralized authentication scheme is not necessary for pam_setquota to function. This document does not describe how to set up any authentication scheme.
Requirements
- a kernel that supports quotas (stock distribution kernels already do)
- the quota software package (quotacheck, quotaon, repquota, etc.)
- the PAM setquota module (pam_setquota) and its patch
Installation
Once the quota software package is installed, it is just a matter of activating user quotas on the filesystem. To set quotas automatically upon user login, you then need to download the pam_setquota source, patch it, and compile it.
Activating user quotas
- check whether quotas are already enabled on the filesystem:
~# repquota /volumepath
repquota: Mountpoint (or device) /volumepath not found or has no quota enabled.
repquota: Not all specified mountpoints are using quota
- edit /etc/fstab and add the usrquota option to the filesystem's entry:
# Format:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 /volumepath ext3 defaults,usrquota 0 1
- remount the filesystem and verify that the option took effect (a reboot also works):
~# mount -o remount /volumepath
~# mount | grep usrquota
/dev/sda1 on /volumepath type ext3 (rw,usrquota)
- create the quota file and turn quotas on. quotacheck tries to remount the filesystem read-only while it scans; if that fails because /volumepath is busy and you cannot unmount it, the easiest thing to do is to reboot, unfortunately (quotacheck -m skips the remount, at the cost of possibly inaccurate usage counts on a filesystem being written to):
~# quotacheck -c /volumepath
~# quotaon -avug
/dev/sda1 [/volumepath]: user quotas turned on
~# repquota /volumepath
*** Report for user quotas on device /dev/sda1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --   57465       0       0             47     0     0
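Before moving on to PAM, it is worth checking that the usrquota option is present both in /etc/fstab (so it survives a reboot) and on the live mount (so quotaon actually has something to work with). The script below is an added example, not part of the original page or of the quota tools; it takes the fstab and mount(8) text as arguments, so it can be run against the constructed samples embedded here or against the real files. The mount points /volumepath and /data and the sample entries are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check that the usrquota
# option is present both in /etc/fstab and on the live mount. Input text is passed
# in as arguments so the functions can be exercised against the constructed samples
# below or against the real system. /volumepath and /data are assumed mount points.

# fstab_usrquota_ok <fstab-text> <mountpoint>
# Returns 0 when the non-comment fstab entry for <mountpoint> lists usrquota in
# its options field; 1 when the entry is missing or lacks the option.
fstab_usrquota_ok() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }                # skip comments and blank/short lines
        $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "usrquota") found = 1
        }
        END { exit (seen && found) ? 0 : 1 }'
}

# mount_usrquota_ok <mount-output> <mountpoint>
# Parses lines of the form "/dev/sda1 on /volumepath type ext3 (rw,usrquota)"
# and returns 0 when the live mount for <mountpoint> carries usrquota.
mount_usrquota_ok() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "on" && $3 == mp && $4 == "type" {
            seen = 1
            gsub(/[()]/, "", $6)                     # "(rw,usrquota)" -> "rw,usrquota"
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "usrquota") found = 1
        }
        END { exit (seen && found) ? 0 : 1 }'
}

# quota_preflight <fstab-text> <mount-output> <mountpoint>
# Prints what is missing and returns 0 only when both checks pass.
quota_preflight() {
    rc=0
    fstab_usrquota_ok "$1" "$3" || { echo "$3: usrquota missing from fstab entry"; rc=1; }
    mount_usrquota_ok "$2" "$3" || { echo "$3: usrquota not active on the mount (remount or reboot)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$3: usrquota enabled in fstab and on the mount"
    return "$rc"
}

# Constructed sample input: /volumepath is configured correctly, /data is not.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 /volumepath ext3 defaults,usrquota 0 1
/dev/sda2 /data       ext3 defaults          0 2'
SAMPLE_MOUNT='/dev/sda1 on /volumepath type ext3 (rw,usrquota)
/dev/sda2 on /data type ext3 (rw)'

for mp in /volumepath /data; do
    quota_preflight "$SAMPLE_FSTAB" "$SAMPLE_MOUNT" "$mp" || true
done
```

On a real system run it as `quota_preflight "$(cat /etc/fstab)" "$(mount)" /volumepath`; a non-zero exit means either the fstab entry or the live mount lacks usrquota, which is exactly the state in which repquota reports "has no quota enabled".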
Compiling PAM setquota module
~# tar xjvf pam_setquota.tar.bz2 -C /tmp
pam_setquota/
pam_setquota/Makefile
pam_setquota/pam_setquota.c
~# patch /tmp/pam_setquota/pam_setquota.c -p0 < setquota.patch
~# cd /tmp/pam_setquota && make && mv -v pam_setquota.so /lib/security/
gcc -fPIC -DLINUX_PAM -Dlinux -Di386 -DPAM_DYNAMIC -c pam_setquota.c
ld -x -shared -o pam_setquota.so pam_setquota.o
`pam_setquota.so' -> `/lib/security/pam_setquota.so'
On distributions that keep PAM modules elsewhere (for example /lib64/security or /lib/x86_64-linux-gnu/security), move the module to that directory instead, next to the other pam_*.so files.
Configuring PAM
This is specific to your system/setup. For details on configuring PAM, please refer to a PAM tutorial. I recommend that you do not copy what's below without understanding what it's supposed to do.
- edit /etc/pam.d/common-session and insert the line (usually below pam_mkhomedir.so, so that the home directory already exists when pam_setquota runs):
session required pam_setquota.so bsoftlimit=1048576 bhardlimit=1048576 isoftlimit=0 ihardlimit=0 startuid=10000 enduid=100000 fs=/volumepath
Because the line is marked required, an error from the module makes the session open fail, so test the configuration with a non-critical account on a second login before relying on it.
A brief explanation
- 'b'lock limits control disk space and are counted in 1 KiB blocks, so bsoftlimit=1048576 is 1 GiB; 'i'node limits cap the number of files. A limit of 0 means unlimited.
- fs= takes either a mount point or a device path. If unset, fs= defaults to the volume holding the user's home directory, which is one more reason to place the line after pam_mkhomedir.so.
- Automatic setting of quotas can be enabled for multiple filesystems by adding multiple session lines, each with a different fs= path.
- By default, the patched pam_setquota module no longer overwrites existing user quotas, so a quota an administrator adjusted by hand survives later logins. Append overwrite=1 to re-enable always overwriting user quotas.
- Different policies for different users can be implemented via their UID ranges (startuid= and enduid=); the range also keeps root and system accounts out of the policy. Set enduid=0 if there is no maximum UID for the policy.
- Appending debug=1 logs debug messages to the AUTH facility with the DEBUG priority. When in doubt, run grep pam_setquota /var/log/*, assuming that auth.debug is being logged. Otherwise, reconfigure and restart syslog.
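Once users have started logging in, the quick way to confirm the policy is actually being applied (and to catch accounts that were created before the session line was added, or that fall outside the UID range) is to compare repquota's report against the parameters on the session line. The script below is an added example, not part of the original page or of pam_setquota; it parses the output of repquota -n -u <fs> (-n prints "#uid" instead of resolving names, which makes the UID-range check straightforward) and lists every UID in range whose limits differ from the policy. The report embedded here is constructed, and the UIDs and usage figures in it are assumptions for illustration; the policy values mirror the session line above.

```shell
#!/bin/sh
# Added example (not part of the original page or of pam_setquota): audit that the
# quota pam_setquota should have applied is actually in place, by comparing
# "repquota -n -u <fs>" output against the policy parameters from the session line.
# The sample report below is constructed; its UIDs and usage numbers are assumptions.

# quota_violations <repquota-n-output> <startuid> <enduid> <bsoft> <bhard> <isoft> <ihard>
# Prints, one per line, every UID inside [startuid, enduid] (enduid=0: no upper
# bound) whose block/inode limits differ from the policy. Users outside the range
# are ignored, as pam_setquota itself ignores them.
quota_violations() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" -v bsl="$4" -v bhl="$5" -v isl="$6" -v ihl="$7" '
        /^#[0-9]+[ \t]/ {
            uid = substr($1, 2) + 0
            if (uid < lo || (hi > 0 && uid > hi)) next
            # Columns: #uid flags bused bsoft bhard [bgrace] iused isoft ihard [igrace].
            # The block grace column only appears when the first flag char is "+"
            # (user is over the block soft limit), shifting the inode columns right.
            i = (substr($2, 1, 1) == "+") ? 7 : 6
            if ($4 != bsl || $5 != bhl || $(i + 1) != isl || $(i + 2) != ihl)
                print uid
        }'
}

# Constructed "repquota -n -u /volumepath" output. #10001 and #20000 carry the
# policy (the latter is over its soft limit, hence the grace column); #10002 has
# not logged in since the PAM change; #0 and #200000 are outside the UID range.
SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/sda1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
#0        --   57465       0       0             47     0     0
#10001    --    1200 1048576 1048576             12     0     0
#10002    --    3400       0       0             30     0     0
#20000    +- 2000000 1048576 1048576  6days    500     0     0
#200000   --     800       0       0              5     0     0'

echo "UIDs in 10000-100000 without the policy quota:"
quota_violations "$SAMPLE_REPQUOTA" 10000 100000 1048576 1048576 0 0
```

Against a live system, feed it `quota_violations "$(repquota -n -u /volumepath)" 10000 100000 1048576 1048576 0 0`. A UID in the list either has not logged in since the session line went in (repquota shows 0/0 limits for it) or was adjusted by hand, which, with the patched module's no-overwrite default, pam_setquota will leave alone on the next login; neither case is an error, but both are worth knowing about before assuming the shared volume is protected.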