Imposing user limits on login.

First, make a root-only-readable file (/etc/security/limits.conf by
default, or INSTALLED_CONFILE as defined in the Makefile) that describes
the resource limits you wish to impose. No limits are imposed on UID 0

Each line describes a limit for a user in the form:

<domain> <type> <item> <value>

- a group name, with @group syntax
- the wildcard *, for default entry

<type> can have the three values:
- "soft" for enforcing the soft limits
- "hard" for enforcing hard limits
- "-" for enforcing both soft and hard limits

<item> can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system
- priority - lower the priority by given value (value can be negative)
- locks - max locked files (Linux 2.4 and higher)

Note, if you specify a type of '-' but neglect to supply the item and
value fields, then the module will never enforce any limits on the
specified user/group etc.

Please remember that individual limits have priority over group
limits, so if you impose no limits for the admin group, but one of the
members in this group has a limits line, the user will have its limits
set according to this line.

Also, please note that all limit settings are set PER LOGIN. They are
not global, nor are they permanent (they apply for the session only).

In the LIMITS_FILE, the # character introduces a comment - the rest of the

The pam_limits module does its best to report configuration problems found
in LIMITS_FILE via syslog.

EXAMPLE configuration file:
===========================

@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50

@student - maxlogins 4
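
The resolution rules described above (the comment character, "-" setting both soft and hard, the bare "-" line, and individual entries taking priority over group entries), as an added example that is not part of pam_limits or of the original README. The "alice" and "@admin" lines are constructed; treating "*" as the lowest priority, letting the last line win a tie, and applying the bare "-" rule to any matching domain are assumptions of this example.

```python
# Added example (not pam_limits source): effective limits for one login.
SAMPLE = """\
# constructed sample based on the README's example lines
@student  hard  nproc      20
@faculty  soft  nproc      20
@faculty  hard  nproc      50
@student  -     maxlogins  4
alice     hard  nproc      5     # hypothetical user entry
@admin    -
"""

def parse(text):
    """Return (domain, type, item, value) tuples; a bare '<domain> -' line
    yields item=None and value=None."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":
            entries.append((fields[0], "-", None, None))
        elif len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            entries.append(tuple(fields))
        else:
            raise ValueError(f"malformed limits line: {raw!r}")
    return entries

def effective_limits(entries, user, groups):
    """Map (item, 'soft'|'hard') -> value for one login; {} means no limits."""
    def rank(domain):
        if domain == user:
            return 2                                # individual entry wins
        if domain.startswith("@") and domain[1:] in groups:
            return 1
        return 0 if domain == "*" else -1           # assumption: '*' is lowest
    best = {}                                       # key -> (rank, value)
    for domain, kind, item, value in entries:
        r = rank(domain)
        if r < 0:
            continue
        if item is None:
            return {}                               # bare '-': never limited
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            if r >= best.get((item, k), (-1, None))[0]:   # ties: last line wins
                best[(item, k)] = (r, value)
    return {key: value for key, (_, value) in best.items()}

if __name__ == "__main__":
    for who, grps in (("alice", {"student"}), ("bob", {"admin", "student"})):
        print(who, effective_limits(parse(SAMPLE), who, grps))
```

Running the same resolution over a real limits file before deploying it shows which accounts end up with no nproc or maxlogins cap at all, which is easy to miss when a group carries a bare "-" line.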

conf=/path/to/file   the limits configuration file if different from the
                     one set at compile time.

change_uid           change real uid to the user for whom the limits
                     are set up. Use this option if you have problems
                     like login not forking a shell for a user who has
                     no processes. Be warned that something else
                     may break when you do this.

utmp_early           some broken applications actually allocate a
                     utmp entry for the user before the user is
                     admitted to the system. If the service you are
                     configuring PAM for does this, you can use
                     this module argument to compensate for this

MODULE SERVICES PROVIDED:
session _open_session and _close_session (blank)

For the services that need resource limits (login, for example), put
the following line in /etc/pam.conf as the last line for that
service (usually after the pam_unix session line):

login session required /lib/security/pam_limits.so

Replace "login" with each service for which you are using this module,
and replace the "/lib/security" path with your real modules path.

Cristian Gafton <gafton@redhat.com>
Thanks to Elliot Lee <sopwith@redhat.com> for his comments on
improving this module, and Jens Sorensen for Linux 2.4 updates.