Andrew Hudson - Fedora™ Unleashed, 2008 edition

$ sudo -l

On large systems with many users, you need to control the amount of disk space a user has access to. Disk quotas are designed for this purpose. Quotas, managed per each partition, can be set for both individual users and for groups; quotas for the group need not be as large as the aggregate quotas for the individuals in the groups.

When files are created, both a user and a group own them; ownership of the files is always part of the metadata about the files. This makes quotas based on both users and groups easy to manage.

To manage disk quotas, you must have the quota package installed on your system; it is usually installed by default. Quota management with Fedora is not enabled by default and has traditionally been enabled and configured manually by system administrators. Sysadmins use the family of quota commands, such as quotacheckto initialize the quota database files, edquotato set and edit user quotas, setquotato configure disk quotas, and quotaonor quotaoffto control the service. (Other utilities include warnquotafor automatically sending mail to users over their disk-space usage limit.)

To reiterate, quotas might not be enabled by default, even if the quota software package is installed on your system. When quotas are installed and enabled, you can see which partitions have user quotas, group quotas, or both by looking at the fourth field in the /etc/fstabfile. For example, one line in /etc/fstabshows that quotas are enabled for the /homepartition:

/dev/sda5 /home ext3 defaults,usrquota,grpquota 1 1

The root of the partition with quotas enabled has the files aquota.useror aquota.groupin them (or both files, if both types of quotas are enabled), and the files contain the actual quotas. The permissions of these files should be 600so that users cannot read or write to them. (Otherwise, users would change them to allow ample space for their music files and Internet art collections.) To initialize disk quotas, the partitions must be remounted. This is easily accomplished with the following:

# mount -o ro,remount partition_to_be_remounted mount_point

The underlying console tools (complete with man pages) are as follows:

► quotaon , quotaoff — Toggles quotas on a partition.

► repquota — A summary status report on users and groups.

► quotacheck — Updates the status of quotas (compares new and old tables of disk usage); it is run after fsck.

► edquota — A basic quota management command.

Manual configuration of quotas involves changing entries in your system's file system table, /etc/fstab, to add the usrquotamount option to the desired portion of your file system. As an example in a simple file system, quota management can be enabled like this:

LABEL=/ / ext3 defaults,usrquota 1 1

Group-level quotas can also be enabled by using the grpquotaoption. As the root opera tor, you must then create a file (using the example of creating user quotas) named aquota.userin the designated portion of the file system, like so:

# touch /quota.user

You should then turn on the use of quotas by using the quotaoncommand:

# quotaon -av

You can then edit user quotas with the edquotacommand to set hard and soft limits on file system use. The default system editor ( viunless you change your EDITORenvironment variable) is launched when a user's quota is edited.

Any user can find out what her quotas are with the following:

$ quota -v

No graphical tools supported by Fedora can be used to configure disk quotas. A Quota mini-HOWTO is maintained at http://www.tldp.org/HOWTO/Quota.html.

You will use these commands to manage user accounts in Fedora:

► ac — A user account-statistics command

► change — Sets or modifies user password expiration policies

► chfn — Creates or modifies user finger information in /etc/passwd

► chgrp — Modifies group memberships

► chmod — Changes file permissions

► chown — Changes file ownerships

► chpasswd — Batch command to modify user passwords

► chsh — Modifies a user's shell

► groups — Displays existing group memberships

► logname — Displays a user's login name

► newusers — Batches user management command

► passwd — Creates or modifies user passwords

► su — Executes shell or command as another user

► sudo — Manages selected user execution permissions

► system-config-users — Fedora's graphical user management tool

► useradd — Creates, modifies, or manages users

► userinfo — Fedora's graphical chfncommand

► usermod — Edits a user's login profile

► userpasswd — Fedora's graphical user password command

► http://howtos.linux.com/howtos/User-Authentication-HOWTO/index.shtml— The User-Authentication HOWTO describes how user and group information is stored and used for authentication.

► http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Shadow-Password-HOWTO.html— The Shadow-Password HOWTO delves into the murky depths of shadow passwords and even discusses why you might not want to use them.

► http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-HOWTO.html— A must-read HOWTO, the Security HOWTO is a good overview of security issues. Especially applicable to this chapter are sections on creating accounts, file permissions, and password security.

► http://www.secinf.net/unix_security/Linux_Administrators_Security_Guide/— A general guide, the Linux System Administrator's Security Guide has interesting sections on limiting and monitoring users.

► http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Path.html— How can one know the true path? The Path HOWTO sheds light on this issue. You need to understand paths if you want to guide the users to their data and applications.

► http://www.courtesan.com/sudo/— The SUperuser DOcommand is a powerful and elegant way to delegate authority to regular users for specific commands.

► http://www.kernel.org/pub/linux/libs/pam/index.html— The Pluggable Authentication Modules suite contains complex and highly useful applications that provide additional security and logging for passwords. PAM is installed by default in Fedora. It is not necessary to understand the intricacies of PAM to use it effectively.