pam_limits module:
Imposing user limits on login.

THEORY OF OPERATION:

First, make a root-only-readable file (/etc/limits by default, or LIMITS_FILE
as defined in the Makefile) that describes the resource limits you wish to
impose. No limits are imposed on UID 0 accounts.

Each line describes a limit for a user in the form:

<domain> <type> <item> <value>

Where:
<domain> can be:
- a user name
- a group name, with @group syntax
- the wildcard *, for default entry

<type> can have the two values:
- "soft" for enforcing the soft limits
- "hard" for enforcing hard limits

<item> can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system

To completely disable limits for a user (or a group), a single dash (-)
will do (Example: 'bin -', '@admin -'). Please remember that individual
limits have priority over group limits, so if you impose no limits for the
admin group, but one of the members of this group has a limits line, the
user will have its limits set according to this line.

Also, please note that all limit settings are set PER LOGIN. They are
not global, nor are they permanent (they last for the session only).

In the LIMITS_FILE, the # character introduces a comment - the rest of the
line is ignored.

The pam_limits module does its best to report configuration problems found
in LIMITS_FILE via syslog.

EXAMPLE configuration file:
===========================
*         soft  core       0
*         hard  rss        10000
@student  hard  nproc      20
@faculty  soft  nproc      20
@faculty  hard  nproc      50
ftp       hard  nproc      0
@student  -     maxlogins  4

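Added example (not part of the original README or the module's own code): a
Python resolver that computes the limits one login would receive from a
LIMITS_FILE, following the precedence described above. Treating the wildcard
as lowest priority, a "-" type as setting both soft and hard, and a group-level
"-" as also dropping the wildcard defaults are assumptions; SAMPLE is constructed.

```python
# Added example: resolve a user's effective limits from LIMITS_FILE text.
# Precedence follows the README: user entries beat @group entries. Treating
# "*" as lowest priority and a "-" type as "soft and hard" are assumptions.

SAMPLE = """\
# constructed sample, based on the README's example file
*         soft  core       0
*         hard  rss        10000
@student  hard  nproc      20
@student  -     maxlogins  4
@admin    -
alice     hard  nproc      5     # alice is in @admin but has her own line
"""

def parse(text):
    """Return (rules, unlimited); rules are (domain, type, item, value)."""
    rules, unlimited = [], set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) == 2 and fields[1] == "-":
            unlimited.add(fields[0])             # e.g. 'bin -' or '@admin -'
        elif len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            rules.append(tuple(fields))
        elif fields:
            raise ValueError("malformed limits line: %r" % line)
    return rules, unlimited

def effective_limits(text, user, groups=()):
    """Map (type, item) -> value for one login of `user`."""
    rules, unlimited = parse(text)
    if user in unlimited:
        return {}                                # limits disabled for this user
    group_domains = {"@" + g for g in groups}
    exempt_group = bool(group_domains & unlimited)
    result = {}
    # Apply least specific first so more specific levels overwrite.
    for level in ("*", "group", "user"):
        if exempt_group and level != "user":
            continue                             # assumption: exemption drops defaults too
        for domain, kind, item, value in rules:
            match = (domain == "*" if level == "*" else
                     domain in group_domains if level == "group" else
                     domain == user)
            if match:
                for k in (("soft", "hard") if kind == "-" else (kind,)):
                    result[(k, item)] = value
    return result
```

With SAMPLE, alice (a member of admin) still gets her own nproc line, while
another admin member with no line of their own gets no limits at all.
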
ARGUMENTS RECOGNIZED:
debug               verbose logging

conf=/path/to/file  the limits configuration file if different from the
                    one set at compile time.

MODULE SERVICES PROVIDED:
session  _open_session and _close_session (blank)

USAGE:
For the services that need resource limits (login, for example), put
the following line in /etc/pam.conf as the last line for that
service (usually after the pam_unix session line):

login session required /lib/security/pam_limits.so

Replace "login" with each service for which you are using this module, and
replace the "/lib/security" path with your real modules path.

AUTHOR:
Cristian Gafton <gafton@redhat.com>
Thanks to Elliot Lee <sopwith@redhat.com> for his comments on
improving this module.