
6.8 The resource limits module

Synopsis

Module Name:

pam_limits

Authors:

Cristian Gafton <gafton@sorosis.ro>
Thanks are also due to Elliot Lee <sopwith@redhat.com> for his comments on improving this module.

Maintainer:

Cristian Gafton - 1996/11/20

Management groups provided:

session

Cryptographically sensitive:

Security rating:

Clean code base:

System dependencies:

Requires an /etc/security/limits.conf file and kernel support for resource limits. Also uses the libpwdb library.

Network aware:

Overview of module

This module, through the Linux-PAM open-session hook, sets limits on the system resources that can be obtained in a user-session. Its actions are dictated more explicitly through the configuration file discussed below.

Session component

Recognized arguments:

debug; conf=/path/to/file.conf

Description:

Through the contents of the configuration file, /etc/security/limits.conf, resource limits are placed on users' sessions. Users of uid=0 are not affected by this restriction.

The behavior of this module can be modified with the following arguments:

Examples/suggested usage:

In order to use this module the system administrator must first create a root-only-readable file (default is /etc/security/limits.conf). This file describes the resource limits the superuser wishes to impose on users and groups. No limits are imposed on uid=0 accounts.

Each line of the configuration file describes a limit for a user in the form:

<domain>        <type>  <item>          <value>

The fields listed above should be filled as follows...
<domain> can be:

<type> can have the two values:

<item> can be one of the following:

To completely disable limits for a user (or a group), a single dash (-) will do (Example: "bin -", "@admin -"). Please remember that individual limits have priority over group limits, so if you impose no limits for the admin group, but one of the members of this group has a limits line, that user will have its limits set according to this line.

Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.

In the limits configuration file, the "#" character introduces a comment, after which the rest of the line is ignored.

The pam_limits module does its best to report configuration problems found in its configuration file via syslog(3).

The following is an example configuration file:

# EXAMPLE /etc/security/limits.conf file:
# =======================================
# <domain>      <type>  <item>          <value>
*               soft    core            0
*               hard    rss             10000
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
@student        -       maxlogins       4

Note the use of soft and hard limits for the same resource (see @faculty): this establishes the default and the permitted extreme level of resources that the user can obtain in a given service-session.
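
As an added example (not part of the Linux-PAM documentation or the module's own code), the Python sketch below resolves which entries apply to one account under the rules described above: "#" comments, "*" and @group domains, a lone "-" disabling limits, user lines overriding group lines, and uid=0 left unlimited. Assumptions: a "-" type sets both soft and hard, "*" ranks below group entries, and a later line of equal rank wins; the account alice and the "@admin -" line are constructed sample data.

```python
# Added example: resolve effective limits.conf entries for one account.
SAMPLE = """\
# constructed sample, based on the example file on this page
*               soft    core            0
*               hard    rss             10000
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
@student        -       maxlogins       4
@admin          -
alice           hard    nproc           5
"""

def parse(text):
    """Yield (domain, type, item, value); type is None for a 'disable' line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":  # e.g. "@admin -"
            yield fields[0], None, None, None
        elif len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            yield tuple(fields)
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")

def rank_of(domain, user, groups):
    """Assumed precedence: '*' (0) < matching @group (1) < matching user (2)."""
    if domain == "*":
        return 0
    if domain.startswith("@"):
        return 1 if domain[1:] in groups else None
    return 2 if domain == user else None

def effective_limits(text, user, groups, uid):
    """Return {(item, 'soft'|'hard'): value} for the given account."""
    if uid == 0:
        return {}                  # uid=0 accounts are not limited
    best, disabled = {}, -1        # disabled: highest rank with a "-" line
    for domain, typ, item, value in parse(text):
        rank = rank_of(domain, user, groups)
        if rank is None:
            continue               # entry is for another user or group
        if typ is None:
            disabled = max(disabled, rank)
            continue
        for kind in (("soft", "hard") if typ == "-" else (typ,)):
            if rank >= best.get((item, kind), (-1, None))[0]:
                best[(item, kind)] = (rank, value)
    # Only entries more specific than a "disable" line survive it.
    return {k: v for k, (r, v) in best.items() if r > disabled}
```

Running it against a candidate file before deployment shows, for instance, that a member of a group with a "-" line still ends up limited if a line names that user directly.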

For the services that need resource limits (login, for example), put the following line in /etc/pam.conf as the last line for that service (usually after the pam_unix session line):

#
# Resource limits imposed on login sessions via pam_limits
#
login   session    required     pam_limits.so

