$Id: pam_limits.sgml,v 1.4 2002/09/15 21:19:55 hartmans Exp $
This file was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;
from information compiled by Cristian Gafton (author of module)

<sect1>The resource limits module

<descrip>
<tag><bf>Module Name:</bf></tag>
<tt/pam_limits/
<tag><bf>Authors:</bf></tag>
Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
Thanks are also due to Elliot Lee &lt;sopwith@redhat.com&gt;
for his comments on improving this module.
<tag><bf>Maintainer:</bf></tag>
Cristian Gafton - 1996/11/20
<tag><bf>Management groups provided:</bf></tag>
session
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
requires an <tt>/etc/security/limits.conf</tt> file and kernel support
for resource limits. Also uses the library, <tt/libpwdb/.
<tag><bf>Network aware:</bf></tag>
</descrip>

<sect2>Overview of module

This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
limits on the system resources that can be obtained in a user
session. Its actions are dictated more explicitly through the
configuration file discussed below.

<sect2>Session component

<tag><bf>Recognized arguments:</bf></tag>
<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>;
<tt/utmp_early/

<tag><bf>Description:</bf></tag>
Through the contents of the configuration file,
<tt>/etc/security/limits.conf</tt>, resource limits are placed on
users' sessions. Users of <tt/uid=0/ are not affected by this

The behavior of this module can be modified with the following
<itemize>
<item><tt/debug/ -
verbose logging to <tt/syslog(3)/.
<item><tt>conf=/path/to/file.conf</tt> -
indicate an alternative <em/limits/ configuration file to the default.
<item><tt/change_uid/ -
change the real uid to that of the user for whom the limits are set up.
Use this option if you have problems such as login not forking a shell
for a user who has no processes. Be warned that something else may break when
<item><tt/utmp_early/ -
some broken applications actually allocate a utmp entry for the user
before the user is admitted to the system. If some of the services you
are configuring PAM for do this, you can selectively use this module
argument to compensate for this behavior and at the same time maintain
system-wide consistency with a single <tt/limits.conf/ file.
</itemize>

<tag><bf>Examples/suggested usage:</bf></tag>
In order to use this module the system administrator must first create
a <em/root-only-readable/ file (default is
<tt>/etc/security/limits.conf</tt>). This file describes the resource
limits the superuser wishes to impose on users and groups. No limits
are imposed on <tt/uid=0/ accounts.

Each line of the configuration file describes a limit for a user in
<tscreen>
<verb>
&lt;domain&gt; &lt;type&gt; &lt;item&gt; &lt;value&gt;
</verb>
</tscreen>

The fields listed above should be filled as follows...<newline>
<tt>&lt;domain&gt;</tt> can be:
<itemize>
<item> a groupname, with <tt>@group</tt> syntax
<item> the wild-card <tt/*/, for default entry
<item> the wild-card <tt/%/, for maxlogins limit only,
can also be used with <tt>%group</tt> syntax
</itemize>

<tt>&lt;type&gt;</tt> can have the three values:
<itemize>
<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
are set by the superuser and enforced by the Linux kernel. The user
cannot raise a limit on system resources above such values.
<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
are ones that the user can move up or down within the range permitted
by any pre-existing <em/hard/ limits. The values specified with this
token can be thought of as <em/default/ values, for normal system
<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits
</itemize>

<tt>&lt;item&gt;</tt> can be one of the following:
<itemize>
<item><tt/core/ - limits the core file size (KB)
<item><tt/data/ - max data size (KB)
<item><tt/fsize/ - maximum filesize (KB)
<item><tt/memlock/ - max locked-in-memory address space (KB)
<item><tt/nofile/ - max number of open files
<item><tt/rss/ - max resident set size (KB)
<item><tt/stack/ - max stack size (KB)
<item><tt/cpu/ - max CPU time (MIN)
<item><tt/nproc/ - max number of processes
<item><tt/as/ - address space limit
<item><tt/maxlogins/ - max number of logins for this user
<item><tt/maxsyslogins/ - max number of logins on system
<item><tt/priority/ - the priority to run the user's processes with (negative
values boost process priority)
<item><tt/locks/ - max locked files (Linux 2.4 and higher)
<item><tt/chroot/ - directory to chroot the user into
</itemize>

Note that if you specify a type of ``-'' but neglect to supply the
<tt/item/ and <tt/value/ fields, the module will never enforce any
limits on the corresponding user or group members. Note also that the
first entry of this form which applies to the authenticating user will
override all other entries in the limits configuration file. In such
cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/.

In general, individual limits have priority over group limits, so if
you impose no limits for the <tt/admin/ group but one of the members of
this group has a limits line, that user will have their limits set
according to that line.

Also, please note that all limit settings are set <em/per login/.
They are not global, nor are they permanent; they exist only for the
duration of the session.

In the <em/limits/ configuration file, the ``<tt/#/'' character
introduces a comment, after which the rest of the line is ignored.

The <tt/pam_limits/ module does its best to report configuration
problems found in its configuration file via <tt/syslog(3)/.

The following is an example configuration file:
<tscreen>
<verb>
# EXAMPLE /etc/security/limits.conf file:
# =======================================
# &lt;domain&gt;  &lt;type&gt;  &lt;item&gt;      &lt;value&gt;
@student    hard    nproc       20
@faculty    soft    nproc       20
@faculty    hard    nproc       50
@student    -       maxlogins   4
</verb>
</tscreen>

Note the use of <tt/soft/ and <tt/hard/ limits for the same resource
(see <tt/@faculty/); this establishes the <em/default/ and permitted
<em/extreme/ level of resources that the user can obtain in a given

Note that the wild-cards <tt/*/ and <tt/%/ have the following meaning when
used for the maxlogins limit:
<itemize>
<item> <tt/*/ every user
<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified
</itemize>

See the following examples:
<tscreen>
<verb>
# EXAMPLE /etc/security/limits.conf file:
# &lt;domain&gt;  &lt;type&gt;  &lt;item&gt;      &lt;value&gt;
@faculty    -       maxlogins   4
%student    -       maxlogins   10
</verb>
</tscreen>

Explanation: every user can log in 2 times, members of the <tt/faculty/
group can log in 4 times, there can be only 30 logins, only 10 from

For the services that need resource limits (login for example) put
the following line in <tt>/etc/pam.conf</tt> as the last line for that
service (usually after the pam_unix session line):
<tscreen>
<verb>
# Resource limits imposed on login sessions via pam_limits
login session required pam_limits.so
</verb>
</tscreen>

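As an added check, not code from this page or from Linux-PAM, the following Python script reads a file in the single-file <tt>/etc/pam.conf</tt> format shown above and reports, per service, whether the <tt/pam_limits/ line is the last <tt/session/ line for that service, appears earlier in the session stack, or is missing. The sample configuration and the service names are constructed for the example; the verdict treats "last line for that service" as the last session-type line, since only session lines invoke this module.

```python
"""Check each service's session stack in a classic /etc/pam.conf for the
pam_limits placement recommended above. Added example, constructed input."""

# Constructed excerpt: one service done right, one with pam_limits placed
# before another session module, and one without it.
SAMPLE_PAM_CONF = """\
login   auth     required  pam_unix.so
login   session  required  pam_unix.so
# Resource limits imposed on login sessions via pam_limits
login   session  required  pam_limits.so
sshd    session  required  pam_limits.so
sshd    session  required  pam_unix.so
ftp     session  required  pam_unix.so
"""

def parse_pam_conf(text):
    """Rows of (service, type, control, module, args) from lines of the form
    'service type control module [args]'; '#' starts a comment."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) >= 4:                       # shorter lines are malformed; skipped here
            rows.append((f[0], f[1], f[2], f[3], f[4:]))
    return rows

def limits_position(rows, service):
    """'last' when pam_limits is the final session line for the service,
    'not last' when another session line follows it, 'missing' when absent."""
    session = [r for r in rows if r[0] == service and r[1] == "session"]
    hits = [i for i, r in enumerate(session) if r[3].endswith("pam_limits.so")]
    if not hits:
        return "missing"
    return "last" if hits[-1] == len(session) - 1 else "not last"

def audit(text, services):
    """{service: verdict} for the given services."""
    rows = parse_pam_conf(text)
    return {s: limits_position(rows, s) for s in services}
```

For the constructed input, <tt/audit/ reports <tt/login/ as correct, <tt/sshd/ as having <tt/pam_limits/ before its <tt/pam_unix/ session line, and <tt/ftp/ as lacking the module entirely.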
End of sgml insert for this module.