I installed disk quotas. By default, each user will have 4 G soft quota, and 5 G hard quota on home directory size. Similarly, each user has a soft number-of-files quota set at 400,000, and hard quota at 500,000. I picked the numbers based on current usage pattern on Abulafia.
Additionally, thanks to grsecurity kernel patch, we now have the ability to restrict socket creation and program execution. By adding users to special groups, we can prevent them from creating server, client or any INET sockets. In the same way, we can allow users to only run files from root-owned directories.
Regardless of grsecurity, I am planing use the standard Unix groups mechanism to restrict use of the development tools (compilers, most notably). Users who will want access to compilers will be added to a special group.
Cron and At services will be disabled by default as well. As usual, people needing them will have to ask for them. --DavorOcelic