SECURITY Limit User Processes
1413 days ago  Quote('8974','8974','5','6')">Report spamfr:SÉCURITÉ Limiter les processus utilisateur
{{SECURITY Index}}
Introduction
Limiting user processes is one way to make sure that one user can not "commandeer" the system making it unusable for others. To limit the processes a user on your system can we have two files to edit
- /etc/limits
- owned by the sys-apps/shadow package
- /etc/security/limits.conf : owned the the sys-libs/pam package : This only affects programs affected by PAM, so the pam USE flag should be set.
/etc/limits
File format
Each line consists of username followed by a limit string. The limit string describes limits for particular user. The options are:
- A: max address space (KB)
- C: max core file size (KB)
- D: max data size (KB)
- F: maximum filesize (KB)
- M: max locked-in-memory address space (KB)
- N: max number of open files
- R: max resident set size (KB)
- S: max stack size (KB)
- T: max CPU time (MIN)
- U: max number of processes
- L: max number of logins for this user
- : file creation mask, set by umask
- : process priority, set by setpriority
Example
{{Box File| /etc/limits |
# This will limit all users to 40 processes max. This can be used to prevent a "fork bomb".
# Be warned, if the user logs into a Desktop Environment like GNOME or KDE,
# this could cause problems due to how many processes they launch.
* U 40
# Limit fred to logging in no more than twice. NOTE: This does not affect virtual terminals for some reason.
fred L 2
}}
/etc/security/limits.conf
Most people prefer to edit this file because its more readable and offers more flexibility. This file can also enforce both hard and soft limits. Soft limits can be exceeded, and will usually issue a warning of some kind. Hard limits can not. Also, unlike the other limits file, limits.conf can match groups. To match a group, preceed the group name with a "@".
File Format
can be:
- an user name
- a group name, with @group syntax
- the wildcard *, for default entry
- the wildcard %, can be also used with %group syntax,
for maxlogin limit
can have the two values:
- "soft" for enforcing the soft limits
- "hard" for enforcing hard limits
can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
Example
{{Box File| /etc/security/limits.conf |
# Prevents anyone from dumping core files.
* hard core 0
# This will prevent anyone in the 'users' group from having more than 150 processes, and a warning will be given at 100 processes.
@users soft nproc 100
@users hard nproc 150
}}
Testing
To check, if you are protected. You can run this cute little forkbomb:
:(){ :|:& };:
Be warned that this might lock-up your system, so you'd better be close to the reset-button just in case something went wrong. Of course you should close all applications which might not like a sudden termination.
Comments: 0 Views: 23
| 
