Re: limit maximum nr. of processes.

From: Andrea Costantino (costanat_private)
Date: Tue Sep 07 1999 - 04:49:38 PDT

    On Fri, 3 Sep 1999, Alfonso Lazaro wrote:
    
    > Date: Fri, 3 Sep 1999 13:18:02 +0200
    > From: Alfonso Lazaro <altellezat_private>
    > To: BUGTRAQat_private
    > Subject: Re: limit maximum nr. of processes.
    >
    > On Wed, Sep 01, 1999 at 10:53:48AM +0200, Petter Wahlman <petterat_private> wrote:
    >
    > 	to limit the maximum number of processes you can use the Linux-PAM
    >
    > 	edit /etc/pam.d/login
    >
    > 	#%PAM-1.0
    > 	auth       required     /lib/security/pam_securetty.so
    > 	auth       required     /lib/security/pam_pwdb.so shadow nullok
    > 	auth       required     /lib/security/pam_nologin.so
    > 	account    required     /lib/security/pam_pwdb.so
    > 	password   required     /lib/security/pam_cracklib.so
    > 	password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    > 	session    required     /lib/security/pam_pwdb.so
    > 	session    required     /lib/security/pam_limits.so
    >
    > 	you have to add the last two lines
    >
    > 	then edit
    >
    > 	/etc/security/limits.conf
    >
    > 	# /etc/security/limits.conf
    > #
    > #Each line describes a limit for a user in the form:
    > #
    > #<domain>        <type>  <item>  <value>
    > #
    > #Where:
    > #<domain> can be:
    > #        - an user name
    > #        - a group name, with @group syntax
    > #        - the wildcard *, for default entry
    > #
    > #<type> can have the two values:
    > #        - "soft" for enforcing the soft limits
    > #        - "hard" for enforcing hard limits
    > #
    > #<item> can be one of the following:
    > #        - core - limits the core file size (KB)
    > #        - data - max data size (KB)
    > #        - fsize - maximum filesize (KB)
    > #        - memlock - max locked-in-memory address space (KB)
    > #        - nofile - max number of open files
    > #        - rss - max resident set size (KB)
    > #        - stack - max stack size (KB)
    > #        - cpu - max CPU time (MIN)
    > #        - nproc - max number of processes
    > #        - as - address space limit
    > #        - maxlogins - max number of logins for this user
    > #
    > #<domain>      <type>  <item>         <value>
    > #
    >
    > #*               soft    core            0
    > #*               hard    rss             10000
    > #@student        hard    nproc           20
    > #@faculty        soft    nproc           20
    > #@faculty        hard    nproc           50
    > #ftp             hard    nproc           0
    > #@student        -       maxlogins       4
    >
    >
    > 	as you can see you can limit the number of processes and much more
    > 	like cpu, stack ...
    It works fine, but if you use a non-standard login such as ssh it's overridden,
    as sshd does not look at the PAM plugin to start authentication.
    
    The best solution would be to incorporate PAM use in sshd, and in any of the
    login methods allowed on a (Linux) system, but often it's not possible.
    
    So a workaround could easily be incorporated by adding some lines to
    /etc/profile or any automatically executed script at shell login.
    
    By adding
    ulimit -H <some-kind-of-limit>
    a hard limit is set to the specified value for the given resource (see
    man bash).
    
    Any shell has a builtin feature to set this hard limit. Please note that
    this hard limit is kernel imposed, so, when it is set, no user except root
    could raise the given value.
    
    
    Baciamo le mani
    k0
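
The /etc/profile workaround described in the message above, written out as an added example that is not part of the original post. `NPROC_CAP`, `pick_limit` and `cap_nproc` are hypothetical names, the value 64 is an assumed site setting, and a bash-compatible shell is assumed, where `ulimit -u` is the per-user process limit.

```shell
# Added example for /etc/profile; not from the original post.
# NPROC_CAP is an assumed site value, tune it per system.
NPROC_CAP=${NPROC_CAP:-64}

# pick_limit CURRENT WANTED
# Prints WANTED when the limit should be lowered to it, prints nothing when
# CURRENT is already at or below WANTED, and fails on an unparseable CURRENT.
pick_limit() {
    case $1 in
        unlimited) echo "$2" ;;
        ''|*[!0-9]*) return 1 ;;
        *) if [ "$1" -gt "$2" ]; then echo "$2"; fi ;;
    esac
}

# cap_nproc CAP
# Lowers the soft limit first, then the hard one: setting a hard limit below
# the current soft limit is rejected. Existing lower limits are never raised.
cap_nproc() {
    [ "$(id -u)" -eq 0 ] && return 0    # root can raise hard limits again
    for kind in S H; do
        # A shell without "ulimit -u" is left untouched.
        cur=$(ulimit -"$kind" -u 2>/dev/null) || return 0
        new=$(pick_limit "$cur" "$1") || return 1
        if [ -n "$new" ]; then
            ulimit -"$kind" -u "$new" || return 1
        fi
    done
}

# /etc/profile is read by login shells, which login(1) and sshd start with
# a leading "-" in $0; anything else that sources this file is skipped.
case $0 in
    -*) cap_nproc "$NPROC_CAP" ;;
esac
```

After logging in as an unprivileged user, `ulimit -H -u` should print the cap, and an attempt to set a higher hard value should be refused.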
    


