SECURITY Limit User Processes

24 Jan 06 16:59:09 GMT

fr:SÉCURITÉ Limiter les processus utilisateur {{SECURITY Index}}

Introduction

Limiting user processes is one way to make sure that one user can not "commandeer" the system making it unusable for others. To limit the processes a user on your system can we have two files to edit

/etc/limits: owned by the sys-apps/shadow package
/etc/security/limits.conf : owned the the sys-libs/pam package : This only affects programs affected by PAM, so the pam USE flag should be set.

/etc/limits

File format

Each line consists of username followed by a limit string. The limit string describes limits for particular user. The options are:

A: max address space (KB)
C: max core file size (KB)
D: max data size (KB)
F: maximum filesize (KB)
M: max locked-in-memory address space (KB)
N: max number of open files
R: max resident set size (KB)
S: max stack size (KB)
T: max CPU time (MIN)
U: max number of processes
L: max number of logins for this user
: file creation mask, set by umask
: process priority, set by setpriority

Example

{{Box File| /etc/limits |


# This will limit all users to 40 processes max.  This can be used to prevent a "fork bomb".
# Be warned, if the user logs into a Desktop Environment like GNOME or KDE, 
#   this could cause problems due to how many processes they launch.
* U 40

# Limit fred to logging in no more than twice.  NOTE:  This does not affect virtual terminals for some reason.
fred L 2

}}

/etc/security/limits.conf

Most people prefer to edit this file because its more readable and offers more flexibility. This file can also enforce both hard and soft limits. Soft limits can be exceeded, and will usually issue a warning of some kind. Hard limits can not. Also, unlike the other limits file, limits.conf can match groups. To match a group, preceed the group name with a "@".

File Format

can be:

an user name
a group name, with @group syntax
the wildcard *, for default entry
the wildcard %, can be also used with %group syntax,

for maxlogin limit

can have the two values:

"soft" for enforcing the soft limits
"hard" for enforcing hard limits

can be one of the following:

core - limits the core file size (KB)
data - max data size (KB)
fsize - maximum filesize (KB)
memlock - max locked-in-memory address space (KB)
nofile - max number of open files
rss - max resident set size (KB)
stack - max stack size (KB)
cpu - max CPU time (MIN)
nproc - max number of processes
as - address space limit
maxlogins - max number of logins for this user
priority - the priority to run user process with
locks - max number of file locks the user can hold

Example

{{Box File| /etc/security/limits.conf |


# Prevents anyone from dumping core files.
*               hard    core   0

# This will prevent anyone in the 'users' group from having more than 150 processes, and a warning will be given at 100 processes.
@users          soft    nproc  100
@users          hard    nproc  150

}}

Testing

To check, if you are protected. You can run this cute little forkbomb:


:(){ :|:& };:

Be warned that this might lock-up your system, so you'd better be close to the reset-button just in case something went wrong. Of course you should close all applications which might not like a sudden termination.

Bank Focus

SECURITY Limit User Processes

Introduction

/etc/limits

File format

Example

/etc/security/limits.conf

File Format

Example

Testing