This file was written by Andrew G. Morgan <morgan@kernel.org>
from information compiled by Cristian Gafton (author of module)
<sect1>The resource limits module
<tag><bf>Module Name:</bf></tag>
<tag><bf>Authors:</bf></tag>
Cristian Gafton <gafton@redhat.com> <newline>
Thanks are also due to Elliot Lee <sopwith@redhat.com>
for his comments on improving this module.
<tag><bf>Maintainer:</bf></tag>
Cristian Gafton - 1996/11/20
<tag><bf>Management groups provided:</bf></tag>
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
requires an <tt>/etc/security/limits.conf</tt> file and kernel support
<tag><bf>Network aware:</bf></tag>
<sect2>Overview of module
This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
limits on the system resources that can be obtained in a
user-session. Its actions are dictated more explicitly through the
configuration file discussed below.
<sect2>Session component
<tag><bf>Recognized arguments:</bf></tag>
<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>;
<tag><bf>Description:</bf></tag>
Through the contents of the configuration file,
<tt>/etc/security/limits.conf</tt>, resource limits are placed on
users' sessions. Users of <tt/uid=0/ are not affected by this
The behavior of this module can be modified with the following
verbose logging to <tt/syslog(3)/.
<item><tt>conf=/path/to/file.conf</tt> -
indicate an alternative <em/limits/ configuration file to the default.
<item><tt/change_uid/ -
change the real uid to that of the user for whom the limits are set up. Use this
option if you have problems such as login not forking a shell for a user
who has no processes. Be warned that something else may break when
<item><tt/utmp_early/ -
some broken applications actually allocate a utmp entry for the user
before the user is admitted to the system. If some of the services you
are configuring PAM for do this, you can selectively use this module
argument to compensate for this behavior and at the same time maintain
system-wide consistency with a single limits.conf file.
<tag><bf>Examples/suggested usage:</bf></tag>
In order to use this module the system administrator must first create
a <em/root-only-readable/ file (default is
<tt>/etc/security/limits.conf</tt>). This file describes the resource
limits the superuser wishes to impose on users and groups. No limits
are imposed on <tt/uid=0/ accounts.
Each line of the configuration file describes a limit for a user in
<domain> <type> <item> <value>
The fields listed above should be filled as follows...<newline>
<tt><domain></tt> can be:
<item> a groupname, with <tt>@group</tt> syntax
<item> the wild-card <tt/*/, for default entry
<item> the wild-card <tt/%/, for maxlogins limit only,
can also be used with <tt>%group</tt> syntax
<tt><type></tt> can have the three values:
<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
are set by the superuser and enforced by the Linux Kernel. The user
cannot raise his requirement of system resources above such values.
<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
are ones that the user can move up or down within the range permitted
by any pre-existing <em/hard/ limits. The values specified with this
token can be thought of as <em/default/ values, for normal system
<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits
<tt><item></tt> can be one of the following:
<item><tt/core/ - limits the core file size (KB)
<item><tt/data/ - max data size (KB)
<item><tt/fsize/ - maximum filesize (KB)
<item><tt/memlock/ - max locked-in-memory address space (KB)
<item><tt/nofile/ - max number of open files
<item><tt/rss/ - max resident set size (KB)
<item><tt/stack/ - max stack size (KB)
<item><tt/cpu/ - max CPU time (MIN)
<item><tt/nproc/ - max number of processes
<item><tt/as/ - address space limit
<item><tt/maxlogins/ - max number of logins for this user
<item><tt/maxsyslogins/ - max number of logins on system
<item><tt/priority/ - the priority to run user process with (negative
values boost process priority)
<item><tt/locks/ - max locked files (Linux 2.4 and higher)
Note, if you specify a type of ``-'' but neglect to supply the
<tt/item/ and <tt/value/ fields then the module will never enforce any
limits on the corresponding user/group-members etc. Note, the first
entry of the form which applies to the authenticating user will
override all other entries in the limits configuration file. In such
cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/.
In general, individual limits have priority over group limits, so if
you impose no limits for the <tt/admin/ group, but one of the members of
this group has a limits line, that user will have their limits set
according to that line.
Also, please note that all limit settings are set <em/per login/.
They are not global, nor are they permanent; existing only for the
duration of the session.
In the <em/limits/ configuration file, the ``<tt/#/'' character
introduces a comment - after which the rest of the line is ignored.
The <tt/pam_limits/ module does its best to report configuration
problems found in its configuration file via <tt/syslog(3)/.
The following is an example configuration file:
# EXAMPLE /etc/security/limits.conf file:
# =======================================
# <domain> <type> <item> <value>
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
@student - maxlogins 4
Note the use of <tt/soft/ and <tt/hard/ limits for the same resource
(see <tt/@faculty/) -- this establishes the <em/default/ and permitted
<em/extreme/ level of resources that the user can obtain in a given
Note that the wild-cards <tt/*/ and <tt/%/ have the following meanings when
used for the maxlogins limit:
<item> <tt/*/ every user
<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified
See the following examples:
# EXAMPLE /etc/security/limits.conf file:
# <domain> <type> <item> <value>
@faculty - maxlogins 4
%student - maxlogins 10
Explanation: every user can login 2 times, members of the <tt/faculty/
group can login 4 times, there can be only 30 logins, only 10 from
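The resolution rules stated in this section (an explicit user entry beats an <tt>@group</tt> entry, which beats the <tt/*/ default; the first applicable entry wins ties; a bare ``<tt/-/'' means no limits; <tt/%/ and <tt>%group</tt> count logins system-wide or per group) carried into working code, as an added example that is not part of the Linux-PAM documentation or of the <tt/pam_limits/ module itself. It parses a constructed <tt/limits.conf/ modelled on the two example files above, reports malformed lines the way the module would log them, resolves the entries in force for a user, and decides whether one more login would exceed the <tt/maxlogins/ limits given a constructed list of current sessions (the module itself reads these from utmp). The user names, group memberships and sessions are assumptions, and the way a bare ``<tt/-/'' line interacts with more specific entries is modelled on the text, not on the module's source.

```python
# Added example (not Linux-PAM code): models the limits.conf precedence rules
# stated in the text. User names, groups and sessions below are constructed.

VALID_TYPES = {"hard", "soft", "-"}
VALID_ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
               "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks"}

def parse_limits(text):
    """Return (entries, problems): entries are (domain, type, item, value); a bare
    "<domain> -" line is kept as (domain, "-", None, None), meaning 'no limits'."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # '#' starts a comment
        if not line:
            continue
        f = line.split()
        if len(f) == 2 and f[1] == "-":
            entries.append((f[0], "-", None, None))
        elif (len(f) == 4 and f[1] in VALID_TYPES and f[2] in VALID_ITEMS
              and (f[3] == "unlimited" or f[3].lstrip("-").isdigit())):
            entries.append(tuple(f))
        else:                                            # pam_limits logs these via syslog
            problems.append((lineno, line))
    return entries, problems

def domain_rank(domain, user, groups):
    """0 = explicit user, 1 = @group the user belongs to, 2 = '*' default,
    None = does not apply. '%' domains count logins and are handled below."""
    if domain == user:
        return 0
    if domain.startswith("@") and domain[1:] in groups:
        return 1
    return 2 if domain == "*" else None

def resolve_limits(entries, user, groups):
    """Return {item: {"soft": v, "hard": v}} for a session of `user`: the most
    specific matching domain wins, earlier line wins ties, bare "-" clears."""
    exempt = (99, 0)                     # best (rank, position) of a bare "-" line
    best = {}                            # (item, kind) -> ((rank, pos), value)
    for pos, (domain, ltype, item, value) in enumerate(entries):
        rank = domain_rank(domain, user, groups)
        if rank is None:
            continue
        if item is None:
            exempt = min(exempt, (rank, pos))
            continue
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if (item, kind) not in best or (rank, pos) < best[(item, kind)][0]:
                best[(item, kind)] = ((rank, pos), value)
    limits = {}
    for (item, kind), (key, value) in best.items():
        if key < exempt:                 # a more specific bare "-" overrides it
            limits.setdefault(item, {})[kind] = value
    return limits

def _cap(limits, item):
    v = limits.get(item, {})
    v = v.get("hard", v.get("soft"))
    return None if v in (None, "unlimited") else int(v)

def login_allowed(entries, user, groups_of, sessions):
    """Would one more login for `user` stay within maxlogins/maxsyslogins?
    `sessions` lists users currently logged in (pam_limits reads utmp)."""
    groups = groups_of.get(user, set())
    limits = resolve_limits(entries, user, groups)
    cap = _cap(limits, "maxlogins")
    if cap is not None and sessions.count(user) >= cap:
        return False, "per-user maxlogins"
    cap = _cap(limits, "maxsyslogins")
    if cap is not None and len(sessions) >= cap:
        return False, "maxsyslogins"
    for domain, _ltype, item, value in entries:      # '%' and '%group' entries
        if item != "maxlogins" or not domain.startswith("%") or value == "unlimited":
            continue
        if domain == "%" and len(sessions) >= int(value):
            return False, "system-wide maxlogins"
        group = domain[1:]
        if group and group in groups:
            members = sum(1 for s in sessions if group in groups_of.get(s, set()))
            if members >= int(value):
                return False, "group %s maxlogins" % group
    return True, "ok"

# Constructed configuration modelled on the two example files in the text.
SAMPLE_CONF = """\
*        -     maxlogins  2
@faculty -     maxlogins  4
%        -     maxlogins  30
%student -     maxlogins  10
@student hard  nproc      20
@faculty soft  nproc      20
@faculty hard  nproc      50
alice    hard  nproc      100
bob      -
carol    soft  nproc      twenty   # malformed: reported, never applied
"""
ENTRIES, PROBLEMS = parse_limits(SAMPLE_CONF)
GROUPS = {"alice": {"faculty"}, "bob": {"student"}, "carol": {"student"}, "dave": {"student"}}
SESSIONS = ["alice", "alice", "alice", "carol", "carol"]   # constructed utmp snapshot
```

With the constructed data, <tt/alice/ ends up with <tt>nproc</tt> soft 20 / hard 100 (her own line beats the <tt>@faculty</tt> hard value) and may log in a fourth time, <tt/carol/ is refused because the <tt/*/ default of two logins is already used, and <tt/bob/ gets no limits at all from his bare ``<tt/-/'' line but is still counted against the <tt>%student</tt> total, because the <tt/%/ entries are group-wide counts rather than per-user limits.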
For the services that need resource limits (login for example) put
the following line in <tt>/etc/pam.conf</tt> as the last line for that
service (usually after the pam_unix session line):
# Resource limits imposed on login sessions via pam_limits
login session required pam_limits.so
End of sgml insert for this module.
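To confirm that the line above actually took effect, the limits in force inside a freshly opened session can be read back with getrlimit(2) and compared with what <tt/limits.conf/ was meant to set. The following is an added example, not part of the Linux-PAM documentation or of <tt/pam_limits/; it assumes Linux and Python's <tt/resource/ module, and converts the kernel's raw units into the ones the item list above uses (KB for the size items, minutes for <tt/cpu/, plain counts otherwise; <tt/as/ is assumed to be in KB like the other sizes). The expectation handed to <tt/check_against/ is a constructed one.

```python
# Added example (not Linux-PAM code): read the limits in force for this process
# via getrlimit() and express them in limits.conf units. Assumes Linux; `as` is
# assumed to be in KB like the other size items.
import resource

UNLIMITED_RAW = resource.RLIM_INFINITY

# limits.conf item -> (RLIMIT constant name, divisor from raw kernel units)
ITEM_MAP = {
    "core":    ("RLIMIT_CORE",    1024),   # bytes -> KB
    "data":    ("RLIMIT_DATA",    1024),
    "fsize":   ("RLIMIT_FSIZE",   1024),
    "memlock": ("RLIMIT_MEMLOCK", 1024),
    "rss":     ("RLIMIT_RSS",     1024),
    "stack":   ("RLIMIT_STACK",   1024),
    "as":      ("RLIMIT_AS",      1024),   # assumption: KB, as for the other sizes
    "cpu":     ("RLIMIT_CPU",     60),     # seconds -> MIN
    "nofile":  ("RLIMIT_NOFILE",  1),
    "nproc":   ("RLIMIT_NPROC",   1),
    "locks":   ("RLIMIT_LOCKS",   1),      # not exposed by Python's resource module; skipped
}

def to_conf_units(item, raw):
    """Convert a raw getrlimit() value into the unit limits.conf uses for `item`;
    RLIM_INFINITY becomes the string 'unlimited'."""
    if raw == UNLIMITED_RAW:
        return "unlimited"
    return raw // ITEM_MAP[item][1]

def effective_limits():
    """Return {item: {"soft": v, "hard": v}} for the calling process, in
    limits.conf units, for every item this platform exposes."""
    found = {}
    for item, (name, _divisor) in ITEM_MAP.items():
        const = getattr(resource, name, None)
        if const is None:
            continue
        soft, hard = resource.getrlimit(const)
        found[item] = {"soft": to_conf_units(item, soft),
                       "hard": to_conf_units(item, hard)}
    return found

def check_against(effective, expected):
    """Compare effective limits with the values the administrator expects (same
    shape; ints or 'unlimited'). Returns (item, kind, wanted, got) mismatches."""
    mismatches = []
    for item, kinds in expected.items():
        for kind, want in kinds.items():
            got = effective.get(item, {}).get(kind)
            if got != want:
                mismatches.append((item, kind, want, got))
    return mismatches

if __name__ == "__main__":
    # Constructed expectation matching the "@faculty hard nproc 50" line in the
    # text; run inside a faculty member's login session to see whether it applied.
    eff = effective_limits()
    for item, kinds in sorted(eff.items()):
        print("%-8s soft=%-10s hard=%s" % (item, kinds["soft"], kinds["hard"]))
    print("mismatches:", check_against(eff, {"nproc": {"hard": 50}}))
```

Run it from a shell spawned by the service you configured, not from an existing session: the text is explicit that the limits are applied per login and exist only for that session, so a terminal opened before the <tt>/etc/pam.conf</tt> change will not reflect it.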