Tuesday, December 20, 2016

Controlling User Access IV

Configuring User Limits

You can impose limits on how many times users may log in, how much CPU
time they can consume, and how much memory they can use on a Linux
system. This can be done in two ways:



• Using pam_limits to restrict access to resources

• Using ulimit to restrict access to resources





Using pam_limits to Restrict Access to Resources


You can limit user access to Linux system resources using a Pluggable
Authentication Modules (PAM) module called pam_limits, which is
configured using the /etc/security/limits.conf file. This file contains
resource limits that you can configure using the following syntax:



domain     type     item     value



This syntax is described here:



domain 

   Describes the entity to which the limit applies. You can use
   one of the following values:

        • user Identifies a specific Linux user
        • @group_name Identifies a specific Linux group
        • * Specifies all users


type 

  Defines a hard or soft limit. A hard limit cannot be exceeded.
  A soft limit can be temporarily exceeded.


item 

  Specifies the resource being limited. You can use the values
  shown in Table 17-1.



value 

  Specifies a value for the limit.





For example, to configure the rtracy user with a soft CPU limit of 15
minutes, you would open the /etc/security/limits.conf file in a text
editor and then enter the following:



rtracy     soft     cpu     15



This limit could be useful if the user is running a CPU-intensive
program that is hogging cycles away from other users. Likewise, you
could also limit the rtracy user to a maximum of two concurrent logins
by entering the following in the file:



rtracy     hard     maxlogins     2



This would prevent any logins to the system as the rtracy user after
two initial logins were successful.



In addition to using pam_limits, you can also limit user access to
system resources using the ulimit command. Let’s look at how this is
done next.




Using ulimit to Restrict Access to Resources


You can also use the ulimit command to configure limits on system
resources. However, be aware that the limits you configure with ulimit
are applied only to programs launched from the shell prompt. The
syntax for using ulimit is ulimit options limit. You can use the
following options with ulimit:


-a

Displays the current value for all resource limits.


-c   (max core file size)

Sets a limit on the maximum size of core files in blocks. If you set
this limit to a value of 0, core dumps on the system are disabled.


-f   (max file size)

Sets a limit on the maximum size (in blocks) of files created by the shell.


-n   (max open files)

Sets a limit on the maximum number of open file descriptors.


-t   (max cpu time)

Sets a limit on the maximum amount of CPU time (in seconds) a process may use.


-u   (max processes)

Sets a limit on the maximum number of processes available to a single user.


-d   (max data)

Sets a limit on the maximum size (in KB) of a process’s data segment in RAM.


-m   (max resident)

Sets a limit on the maximum resident size (in KB) of a process in RAM.


-s   (max stack size)

Sets a limit on the maximum stack size (in KB).


-H

Sets a hard resource limit.


-S

Sets a soft resource limit.




You can use the -a option with the ulimit command to view the current
value for all resource limits. This is shown in Figure 17-5.






You can also use ulimit to set resource limits. For example, to set a
soft limit of 50 processes, you would enter



ulimit -S -u 50



at the shell prompt. The current user could then own no more than 50
concurrent shell processes.
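
The soft and hard behaviour of ulimit, and the fact that limits reach
only programs launched from the shell that set them, can be checked
directly. This is an added example, not part of the original post; the
values 64, 128 and 256 are constructed, and it assumes the current hard
limit on open files is at least 128.

```shell
#!/bin/sh
# Added example: soft vs. hard limits on open files (ulimit -n).
# 64, 128 and 256 are constructed values; assumes the current hard
# limit on open files is at least 128. Every step runs in a subshell,
# so the limits of the calling shell are never changed.

# A limit set in a shell is inherited by programs launched from it.
soft_limit_inherited() {
    (
        ulimit -S -n 64 || exit 1
        sh -c 'ulimit -S -n'          # child process reports 64
    )
}

# A soft limit can be raised again, as far as the hard limit.
soft_raise_within_hard() {
    (
        ulimit -S -n 64  || exit 1    # lower soft first so hard can drop
        ulimit -H -n 128 || exit 1
        ulimit -S -n 128 || exit 1    # allowed: equal to the hard limit
        ulimit -S -n
    )
}

# A soft limit above the hard limit is refused.
soft_above_hard() {
    (
        ulimit -S -n 64  || exit 1
        ulimit -H -n 128 || exit 1
        if ulimit -S -n 256 2>/dev/null; then
            echo accepted
        else
            echo rejected
        fi
    )
}

echo "inherited by child:     $(soft_limit_inherited)"
echo "soft raised to hard:    $(soft_raise_within_hard)"
echo "soft above hard (256):  $(soft_above_hard)"
```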

















LX0-104 Exam Objectives (V and U, 323, 647 - 689)
