pam_limits
Cristian Gafton <gafton@sorosis.ro>
Thanks are also due to Elliot Lee <sopwith@redhat.com>
for his comments on improving this module.
Cristian Gafton - 1996/11/20
Management group: session.
System dependencies: requires an /etc/security/limits.conf file and kernel support for resource limits. Also uses the library, libpwdb.
This module, through the Linux-PAM open-session hook, sets limits on the system resources that can be obtained in a user-session. Its actions are dictated more explicitly through the configuration file discussed below.
Arguments: debug; conf=/path/to/file.conf
Through the contents of the configuration file, /etc/security/limits.conf, resource limits are placed on users' sessions. Users of uid=0 are not affected by this restriction.
The behavior of this module can be modified with the following arguments:
debug - verbose logging to syslog(3).
conf=/path/to/file.conf - indicate an alternative limits configuration file to the default.
In order to use this module the system administrator must first create a root-only-readable file (default is /etc/security/limits.conf). This file describes the resource limits the superuser wishes to impose on users and groups. No limits are imposed on uid=0 accounts.
Each line of the configuration file describes a limit for a user in the form:
<domain> <type> <item> <value>
The fields listed above should be filled as follows...
<domain> can be: a user name; a group name, using the @group syntax; or the wildcard *, for the default entry.
<type> can have the two values:
hard, for enforcing hard resource limits. These limits are set by the superuser and enforced by the Linux kernel. The user cannot raise his requirement of system resources above such values.
soft, for enforcing soft resource limits. These limits are ones that the user can move up or down within the range permitted by any pre-existing hard limits. The values specified with this token can be thought of as default values, for normal system usage.
<item> can be one of the following:
core - limits the core file size (KB)
data - max data size (KB)
fsize - maximum filesize (KB)
memlock - max locked-in-memory address space (KB)
nofile - max number of open files
rss - max resident set size (KB)
stack - max stack size (KB)
cpu - max CPU time (MIN)
nproc - max number of processes
as - address space limit
maxlogins - max number of logins for this user.
To completely disable limits for a user (or a group), a single dash (-) will do (Example: ``bin -'', ``@admin -''). Please remember that individual limits have priority over group limits, so if you impose no limits for the admin group, but one of the members of this group has a limits line, that user will have his limits set according to this line.
Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.
In the limits configuration file, the ``#'' character introduces a comment, after which the rest of the line is ignored. The pam_limits module does its best to report configuration problems found in its configuration file via syslog(3).
The following is an example configuration file:
# EXAMPLE /etc/security/limits.conf file:
# =======================================
# <domain> <type> <item> <value>
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
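To make the file format and the precedence rules above concrete, here is an added example (not code from Linux-PAM or pam_limits) that reads a limits.conf-style text, rejects malformed lines the way the module reports them to syslog, and computes the limits one login session would receive. It takes the example file above plus two ``bin -'' / ``@admin -'' disable lines as constructed input. Three points the page leaves open are assumptions here: a type of - on a four-field line applies the value to both hard and soft; a @group line outranks the * default entry; and when a user belongs to several listed groups, the first matching line in file order wins.

```python
"""Added example: read limits.conf-style text and resolve a user's limits."""

VALID_TYPES = ("hard", "soft")
VALID_ITEMS = ("core", "data", "fsize", "memlock", "nofile", "rss",
               "stack", "cpu", "nproc", "as", "maxlogins")

# Constructed sample input: the example file from the page plus two
# "disable everything" lines of the ``bin -'' / ``@admin -'' form.
SAMPLE_LIMITS_CONF = """\
# <domain> <type> <item> <value>
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
bin -
@admin -
"""


def parse_limits_conf(text):
    """Return (entries, disabled). entries is a list of
    (domain, type, item, value) with type expanded to 'hard'/'soft';
    disabled is the set of domains given a bare ``<domain> -'' line.
    A malformed line raises ValueError naming the line number."""
    entries, disabled = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[1] == "-":  # ``bin -'' form
            disabled.add(fields[0])
            continue
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected <domain> <type> <item> <value>")
        domain, ltype, item, value = fields
        if ltype not in VALID_TYPES + ("-",):
            raise ValueError(f"line {lineno}: unknown type {ltype!r}")
        if item not in VALID_ITEMS:
            raise ValueError(f"line {lineno}: unknown item {item!r}")
        if not value.isdigit():
            raise ValueError(f"line {lineno}: value must be a non-negative integer")
        # Assumption (not stated on the page): type '-' means both hard and soft.
        for t in VALID_TYPES if ltype == "-" else (ltype,):
            entries.append((domain, t, item, int(value)))
    return entries, disabled


def effective_limits(entries, disabled, user, groups=(), uid=1000):
    """Return {(item, type): value} for one login session.
    Individual lines beat group lines, which beat the '*' default
    (assumption); a disabled domain blocks itself and every lower tier."""
    if uid == 0:                                 # uid 0 is never affected
        return {}
    tiers = [(user,), tuple("@" + g for g in groups), ("*",)]
    limits = {}
    for tier in tiers:
        if any(d in disabled for d in tier):     # ``bin -'' / ``@admin -''
            break
        for domain, ltype, item, value in entries:
            if domain in tier:
                limits.setdefault((item, ltype), value)  # first line wins
    return limits


def check_soft_within_hard(limits):
    """Return items whose soft value exceeds the hard value for the same
    resource: such a soft limit can never take effect, so flag it."""
    return sorted(item for (item, t), v in limits.items()
                  if t == "soft" and (item, "hard") in limits
                  and v > limits[(item, "hard")])


if __name__ == "__main__":
    entries, disabled = parse_limits_conf(SAMPLE_LIMITS_CONF)
    for who, grps in (("alice", ("faculty",)), ("ftp", ("student",)),
                      ("bin", ()), ("carol", ("admin",))):
        lim = effective_limits(entries, disabled, who, grps)
        print(who, lim, "soft>hard:", check_soft_within_hard(lim))
```

Running the script shows the two rules in action: ftp keeps its own nproc hard 0 even though @student would allow 20, while a member of the disabled admin group receives no limits at all, not even the * defaults. The check_soft_within_hard pass is the kind of sanity check worth running before deploying a new file, since the module itself only reports problems after the fact via syslog.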
Note the use of soft and hard limits for the same resource (see @faculty): this establishes the default and the permitted extreme level of resources that the user can obtain in a given service-session.
For the services that need resource limits (login, for example), put the following line in /etc/pam.conf as the last line for that service (usually after the pam_unix session line):
#
# Resource limits imposed on login sessions via pam_limits
#
login session required pam_limits.so